04-29-2009 02:53 AM
Using a Cisco VPN Client 5.0 on an ASA5505 I cannot connect with IPsec. I get the following log on the ASA:
....QM FSM error(P2 struct....etc
....All IPSec sa Proposals found unacceptable!
....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)
....PHASE 1 COMPLETED
As I understand, authentication is okay, but the client and ASA cannot find an IKE policy to agree on? I've tried to set up several IKE policies (that are listed as supported with the Cisco client) but with the same result. Am I looking in the wrong direction here? Help!
Best regards,
/Kristian
PS: if this message is posted more than 1 time - well, the Cisco apache/tomcat system has been sick for the last hours..
04-29-2009 12:27 PM
The logging capabilities on the VPN client are very good. I would set all the facilities to High, try and connect, and review the logs. They are usually pretty straight forward in reporting what is not working.
Hope that helps.
05-01-2009 07:23 AM
Occasionally I've had configurations all of a sudden require an AES IKE policy. I found this out by enabling debugging on the firewall and determining exactly what IKE policies were being sent from the VPN Client, and then matched the first one.
05-12-2009 09:45 AM
Make sure PFS is disabled or enabled on both sides.
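The original poster's "All IPSec SA Proposals found unacceptable" and the later advice about PFS both come down to the same thing: in phase 2 (quick mode) the client offers a list of proposals, and the ASA accepts the first one whose encryption/integrity pair matches a configured transform set and whose PFS setting agrees with its own. The script below is an added example, not code from this thread or from Cisco; it is a simplified model (the names Proposal, phase2_match and diagnose and the algorithm strings are assumptions) that shows why a client offering PFS group 2 against a headend with PFS off fails on every proposal, and why enabling the same group on both sides makes the second proposal match.

```python
"""Simplified model of IKE phase 2 proposal matching (added example, not ASA code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str            # e.g. "aes-128", "3des"   (assumed naming)
    integrity: str             # e.g. "sha1", "md5"
    pfs_group: Optional[int]   # DH group requested for PFS; None means PFS off


def phase2_match(client_offers: List[Proposal],
                 asa_transform_sets: Set[Tuple[str, str]],
                 asa_pfs_group: Optional[int]) -> Optional[Proposal]:
    """Return the first client proposal the headend policy accepts, or None.

    Rules modelled (simplification):
      - encryption/integrity must equal one of the configured transform sets
      - PFS must agree: both off, or both using the same DH group
    """
    for offer in client_offers:
        if (offer.encryption, offer.integrity) not in asa_transform_sets:
            continue
        if offer.pfs_group != asa_pfs_group:
            continue
        return offer
    return None


def diagnose(client_offers: List[Proposal],
             asa_transform_sets: Set[Tuple[str, str]],
             asa_pfs_group: Optional[int]) -> List[str]:
    """One human-readable verdict per offered proposal, in the order offered."""
    verdicts = []
    for offer in client_offers:
        algo = f"{offer.encryption}/{offer.integrity}"
        if (offer.encryption, offer.integrity) not in asa_transform_sets:
            verdicts.append(f"{algo}: no matching transform set on ASA")
        elif offer.pfs_group != asa_pfs_group:
            verdicts.append(f"{algo}: PFS mismatch (client group {offer.pfs_group}, "
                            f"ASA group {asa_pfs_group})")
        else:
            verdicts.append(f"{algo}: acceptable")
    return verdicts


# Constructed scenario: the client offers three proposals, all with PFS group 2.
CLIENT_OFFERS = [
    Proposal("aes-256", "sha1", 2),
    Proposal("aes-128", "sha1", 2),
    Proposal("3des", "md5", 2),
]
# Constructed headend configuration: two transform sets, PFS handled separately.
ASA_TRANSFORM_SETS = {("aes-128", "sha1"), ("3des", "sha1")}

if __name__ == "__main__":
    # PFS off on the headend: every proposal is rejected.
    print(phase2_match(CLIENT_OFFERS, ASA_TRANSFORM_SETS, None))
    for line in diagnose(CLIENT_OFFERS, ASA_TRANSFORM_SETS, None):
        print(" ", line)
    # Same DH group on both sides: the second proposal is accepted.
    print(phase2_match(CLIENT_OFFERS, ASA_TRANSFORM_SETS, 2))
```

Running it with PFS off on the headend side lists a "PFS mismatch" verdict for aes-128/sha1 even though the algorithms match, which is the situation the last reply warns about; the same call with group 2 on both sides returns the aes-128/sha1 proposal.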