When you set the policy you give it a number. When the client starts to negotiate it starts at the lowest policy and works its way through; however, I have found that the client negotiation will often stop at a partial-match policy, e.g.
crypto isakmp policy 5
crypto isakmp policy 10
Let's say that the client will only work with policy 10; however, as it negotiates policy 5 it finds a match with AES and SHA but will not work with group 5, and it can hang. The next time the client logs in it dismisses policy 5 and goes to 10, and works perfectly. Move policy 10 to 5 and it will work every time.
Hope this helps, please let me know if this cures the issue.
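Added example, not part of the reply above and not Cisco tooling: a small Python audit that reads `crypto isakmp policy` blocks and reports lower-numbered policies that agree with a later policy on encryption and hash but differ elsewhere (for example in DH group), which is the partial-match ordering the reply describes. The sample configuration is constructed; group 2 for policy 10 is an assumption, since the reply does not list that policy's settings.

```python
import re
from itertools import combinations

# Constructed sample; policy 5 mirrors the reply, policy 10's values are assumed.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr aes
 hash sha
 group 5
crypto isakmp policy 10
 encr aes
 hash sha
 group 2
"""

KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash", "group": "group"}

def parse_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words and words[0] in KEYS:
                current[KEYS[words[0]]] = " ".join(words[1:])
        else:
            current = None  # an unindented line ends the policy block
    return policies

def partial_matches(policies):
    """List (earlier, later, differing attributes) for policies that share
    encryption and hash but differ elsewhere; the earlier one is tried first."""
    findings = []
    for a, b in combinations(sorted(policies), 2):
        pa, pb = policies[a], policies[b]
        if all(pa.get(k) is not None and pa.get(k) == pb.get(k) for k in ("encryption", "hash")):
            diff = sorted(k for k in set(pa) | set(pb) if pa.get(k) != pb.get(k))
            if diff:
                findings.append((a, b, diff))
    return findings

if __name__ == "__main__":
    for a, b, diff in partial_matches(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {a} is tried before policy {b}; they differ only in {', '.join(diff)}")
```

Each finding is a candidate for renumbering so that the policy the clients actually use carries the lower number.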