Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

EZVPN not so EZ

We are evaluating an asa5520 and are attempting to build a site to site 3des ipsec vpn with an 851. We followed the examples in a cisco how to, but can't get the tunnel up. Show crypto isakmp sa shows the router is in AG_INIT_EXCH state, and debugs show the following error "Encryption algorithm offered does not match policy!" Attempts to auth on the router with the "crypto ipsec client ezvpn xauth" command says there are no xauth requests pending.

The 851 crypto ipsec client ezvpn is set to connect auto so I'm stumped atm....

New Member

Re: EZVPN not so EZ

Please respond with the following output from both vpn peers:

sh isakmp policy

New Member

Re: EZVPN not so EZ

We have abandoned the EZVPN method and are attempting to get a lan 2 lan 3des ipsec vpn tunnel established between the asa5520 and the 851 router. There is no "show isakmp policy" command on either device, however I have included an attached file that contains the relevant configurations for both devices, as well as debug outputs.

It appears to me that phase 1 completes, but that the ASA does not recognize the cyrpto map ipsec data from the 851. Please review the attached file and let me know what you think.



Re: EZVPN not so EZ

Take a look here -

The above example is for IPsec L2L VPN between ASA and 2611 router but the setup should be ok with the 851 box.

Hope this helps.


New Member

Re: EZVPN not so EZ

Thanks Jay for the link. I followed the steps but still can't get the tunnel to build. I believe the problem is on the ASA end, and I noticed that the cyrpto policy command syntax in the docuemt is different than the commands in our 7.21-k8.bin ver on the asa5520 (the cmds are subsets of the policy, which should work but are different):

crypto isakmp policy 4

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

On the ASA, I see that Phase 1 completes, but we keep getting a QM FSM error (see below):

%ASA-3-713119: Group = <851 ext addy>, IP = <851 ext addy>, PHASE 1 COMPLETED

%ASA-3-713061: Group = <851 ext addy>, IP = <851 ext addy>, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy on interface outside

%ASA-3-713902: Group = <851 ext addy>, IP = <851 ext addy>, QM FSM error (P2 struct &0x46f8388, mess id 0x61122fc8)!

%ASA-3-713902: Group = <851 ext addy>, IP = <851 ext addy>, Removing peer from correlator table failed, no match!

Any thoughts?


Re: EZVPN not so EZ

The error log - %ASA-3-713902 means:

Error Message%PIX|ASA-3-713902 Descriptive_event_string

Explanation: This system log message could have several possible text strings describing an error. This may be the result of a configuration error either on the headend or remote access client.

Recommended Action: It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

Can you post both the ISAKMP and crypto map configuration from the ASA and the router.

Cheers / Jay

New Member

Re: EZVPN not so EZ

Thanks Jay I found the problem. The acl's defined on the 851 for interesting traffic were less granular than the filters on the asa, so even though the acl was getting matches, the phase 2 was never completing to build the tunnel.

I presumed (incorrectly) that having a filter that encompassed the ranges of networks was sufficient, but apparently the statements must be congruent.

Thanks for the help!

New Member

Re: EZVPN not so EZ

I am doing EZVPN Server (ASA5500) and EZVPN client (Cisco 1841) methold. My Cisco 1841 using dynamic IP as well. Working fine. My Cisco 1841 config. (To establish VPN connection, user just need to launch a browser and go to any site, the authentication will prompt)

username cisco password cisco

crypto ipsec client ezvpn SUPERMAN

connect auto

group remotevpn key cisco

mode client


xauth userid mode http-intercept 401


interface FastEthernet0/0

ip address 11.x.11.x.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

crypto ipsec client ezvpn SUPERMAN inside


interface FastEthernet0/1

description outside

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto ipsec client ezvpn SUPERMAN

ip nat inside source list 105 interface FastEthernet0/1 overload

access-list 105 deny ip

access-list 105 permit ip any

line vty 0 4

login local

transport input telnet

New Member

Re: EZVPN not so EZ

Thanks for the posting. Can you please include the configuration from the ASA5500? I think our problem with both the EZVPN and Lan 2 Lan IPSEC 3des Tunnels is with the configuration on the ASA.

CreatePlease to create content