Cisco Support Community

New Member

VPN Main Mode or Aggressive Mode


I have an ASA 5510 configured for remote VPN client and site-to-site VPN (ASA 5505 to ASA 5510).

One of my customers wants to establish a site-to-site VPN to my network, but it is not working (no Cisco firewall).

He asked me if it is possible to change my VPN configuration. He wants to use VPN aggressive mode instead of main mode.

1) How do I configure aggressive mode?

2) If I activate aggressive mode, can I have problems with my remote VPN?

Thanks for your help

New Member

Re: VPN Main Mode or Aggressive Mode

By default the ASA uses aggressive mode...

Do you see this command in your running config?

crypto isakmp am-disable

If you do see it, then your ASA is using main mode. Run "no crypto isakmp am-disable" to use aggressive mode.

The change is a global change. After it your remote VPN users will need to use aggressive mode too but I don't think you need to reconfigure anything on their VPN client.


Re: VPN Main Mode or Aggressive Mode

1.) crypto map {map name} {#} set phase1-mode aggressive

2.) Aggressive mode uses 3 exchanges instead of the 6 used in main mode to establish the ISAKMP SA.

The devices will exchange their SA parameters, DH key and nonce values, and their ISAKMP identity in a single exchange.
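
An added example, not part of the thread and not Cisco code: a Python check that reads a saved ASA running-config and reports the two settings the replies mention, the global `am-disable` line and any crypto map entry with `set phase1-mode aggressive`, so the effect of a change can be reviewed per peer. The sample config, map name, ACL names and peer addresses are constructed; the `ikev1` spelling is included on the assumption that the config may come from a newer ASA release that uses that keyword for the same command.

```python
import re

# Constructed sample running-config; map name, ACL names and peers are invented.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address ACL_SITE_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 match address ACL_CUSTOMER
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set phase1-mode aggressive
crypto map OUTSIDE_MAP interface outside
crypto isakmp am-disable
"""

# "isakmp" is the spelling used in the thread; "ikev1" is assumed for newer releases.
AM_DISABLE = re.compile(r"^(no\s+)?crypto\s+(?:isakmp|ikev1)\s+am-disable$")
MAP_ENTRY = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+(.*)$")
PHASE1 = re.compile(r"^set\s+phase1-mode\s+(main|aggressive)\b")


def audit_phase1(config_text):
    """Summarise IKE phase 1 mode settings found in an ASA config dump."""
    am_disabled = False
    modes = {}  # (map name, sequence number) -> "main" | "aggressive" | "unset"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AM_DISABLE.match(line)
        if m:
            # A leading "no" re-enables aggressive mode; the bare command disables it.
            am_disabled = m.group(1) is None
            continue
        m = MAP_ENTRY.match(line)
        if not m:
            continue  # e.g. "crypto map NAME interface outside" has no sequence number
        key = (m.group(1), int(m.group(2)))
        modes.setdefault(key, "unset")
        p = PHASE1.match(m.group(3))
        if p:
            modes[key] = p.group(1)
    aggressive = sorted(k for k, v in modes.items() if v == "aggressive")
    # Flag for review only: the thread does not say how the device resolves this.
    conflict = am_disabled and bool(aggressive)
    return {"am_disabled": am_disabled, "modes": modes,
            "aggressive": aggressive, "conflict": conflict}


if __name__ == "__main__":
    report = audit_phase1(SAMPLE_CONFIG)
    for (name, seq), mode in sorted(report["modes"].items()):
        print(f"crypto map {name} {seq}: phase1-mode {mode}")
    print("am-disable present:", report["am_disabled"], "| conflict:", report["conflict"])
```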