Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1739
Views
0
Helpful
8
Replies

2 ASA 5505's All Sorts of VPN Problems

nmooremvsc
Level 1
Level 1

‎09-03-2009 06:49 PM - edited ‎03-11-2019 09:12 AM

I have ASA 5505's up until yesterday they had a working VPN for months. Yesterday we had to change the public IP's for both 5505's. The first ASA #1 has about a dozen VPN's configured on it and is having no other issues except for this particular VPN. The other ASA #2 also had it's IP changed yesterday it has had problems with 2 of 5 different VPN's. One of the two VPN's is connecting to #1. When you try to initiate the connection from #1 I get tons of errors:

5 Sep 03 2009 21:36:00 713257 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

Dozen's of these before the VPN finally connects. I can't for the life of me find any different settings between the two of them. If they are set to use aggressive mode the VPN will still get all the errors but will not come up. I've deleted it on both sides and re-created it, still doesn't work right.

Labels:
0 Helpful
8 Replies 8

networker99
Level 1
Level 1

‎09-04-2009 06:02 AM

I presume that you have multiple ISAKMP policies configured?. Are the ISAKMP policies listed in the same order on both sides? as the initiating side will send its proposal and compare against the peers first, and then the second if no match is found..

0 Helpful

nmooremvsc
Level 1
Level 1
In response to networker99

‎09-04-2009 06:04 AM

Yes, the first policies on both match, the final policies on both match as well.

0 Helpful

networker99
Level 1
Level 1
In response to nmooremvsc

‎09-04-2009 06:07 AM

There is some inconsistancy with the ISAKMP policy.. can you post the config as well as the output from "debug crypto isakmp 8"

0 Helpful

nmooremvsc
Level 1
Level 1
In response to networker99

‎09-04-2009 06:51 AM

Here is the debugging output. How much of the config do you need?

Preview file
11 KB
0 Helpful

networker99
Level 1
Level 1
In response to nmooremvsc

‎09-04-2009 07:00 AM

full config both sides if possible

0 Helpful

networker99
Level 1
Level 1
In response to nmooremvsc

‎09-04-2009 07:03 AM

oh,.,. just realized I have had this before. In the end I had to completely delete and rebuild the ISAKMP and Crypto Map statement. Used the same settings

0 Helpful

nmooremvsc
Level 1
Level 1
In response to networker99

‎09-04-2009 07:12 AM

Delete the entire crypto map statement or just that numbered section?

0 Helpful

networker99
Level 1
Level 1
In response to nmooremvsc

‎09-04-2009 07:21 AM

You could try that first. I believe it was in the name so I would create a brand new one (just copy and paste the old changing the name) and apply it to the interface

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card