The message indicates that the Cisco VPN Client does not get a reply from the Concentrator or that the Cisco VPN Client software version is incompatible with the VPN server.
In many situations upgrading the Cisco VPN Client to 3.5.2 or later resolves the problem.
To resolve the issue, perform these steps:
Enable debugs on the VPN Server (PIX/VPN Concentrator or Cisco IOS® router).
If the VPN Server is a Cisco VPN 3000 Concentrator, enable these classes with severity to log 1-13:
To enable these, go to Configuration > System > Events > Classes.....
Note: If there are no messages from the Client, the VPN Client is not communicating with the VPN server.
Make sure that the ISP or any other intermediate device is not blocking User Datagram Protocol (UDP) port 500, which is used for the Internet Security Association and Key Management Protocol (ISAKMP) negotiation. Also verify that these devices are configured to allow Encapsulating Security Payload (ESP) and Authentication Header (AH).
These are the ports and protocols necessary for IPSec:
ESP. IP Protocol 50
AH Protocol. IP Protocol 51
UDP port 500 for ISAKMP
Ensure that the VPN server or any intermediate device is enabled for Port Address Translation (PAT).
Based on the debug messages from the VPN Concentrator Client, make sure that the VPN server and VPN Client are not misconfigured. Check for group name and user name mismatch, as well as encryption and authentication parameters.
If the problem persists, contact the Technical Assistance Center (TAC).
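The port and protocol check from the steps above can be run against an exported filter rule list before a TAC case is opened. This is an added example, not Cisco code: the rule syntax, the sample rules, and the implicit deny at the end of the list are assumptions made for illustration.

```python
"""Added example: first-match check of a constructed filter rule list."""
# IP protocol numbers for the keywords the hypothetical rule format accepts.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# The flows the page lists as necessary for IPSec: (name, IP protocol, port).
REQUIRED = [("ISAKMP", 17, 500), ("ESP", 50, None), ("AH", 51, None)]

# Constructed sample rules, not taken from any real device.
SAMPLE_RULES = """
# action protocol [destination port]
permit tcp 443
permit udp 500
permit esp
deny ip
"""

def parse_rule(line):
    """Parse '<permit|deny> <ip|keyword|number> [port]' into a tuple."""
    parts = line.split()
    action, proto = parts[0].lower(), parts[1].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    if proto == "ip":
        number = None                      # 'ip' matches every protocol
    elif proto in PROTO_NUM:
        number = PROTO_NUM[proto]
    else:
        number = int(proto)                # bare IP protocol number
    port = int(parts[2]) if len(parts) > 2 else None
    return action, number, port

def first_match(rules, proto, port):
    """Return (action, rule index) of the first rule matching the flow."""
    for index, (action, r_proto, r_port) in enumerate(rules, 1):
        if r_proto in (None, proto) and r_port in (None, port):
            return action, index
    return "deny", None  # assumption: implicit deny when nothing matches

def check_ipsec(rule_text):
    """Map each required IPSec flow to the rule that decides it."""
    lines = [l for l in rule_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = [parse_rule(l) for l in lines]
    return {name: first_match(rules, proto, port) for name, proto, port in REQUIRED}

def blocked(rule_text):
    """Names of the required flows that the rule list denies."""
    return [n for n, (action, _) in check_ipsec(rule_text).items() if action == "deny"]

if __name__ == "__main__":
    for name, (action, index) in check_ipsec(SAMPLE_RULES).items():
        print(f"{name:7} {action:6} (rule {index})")
```

With the sample rules, ISAKMP and ESP are permitted, while AH falls through to the catch-all deny in rule 4.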