Showing results for 
Search instead for 
Did you mean: 

The user receives a GI VPN START CALLBACK error message on Cisco VPN Client


Core issue

The message indicates that the Cisco VPN Client does not get a reply from the Concentrator  or that the Cisco VPN Client software version is incompatible with the VPN server.


In many situations upgrading the Cisco VPN Client to 3.5.2 or later resolves the problem. 

To resolve the issue, perform these steps:

  1. Enable debugs on the VPN Server (PIX/VPN Concentrator or Cisco IOS® router).

    If the VPN Server is a Cisco VPN 3000 Concentrator, enable these classes with severity to log 1-13:

    • IKE
    • IKEDBG
    • IPSEC

    To enable these, go to Configuration > System > Events > Classes.....

    Note: If there are no messages from the Client, the VPN Client is not communicating with the VPN server.

  2. Make sure that the ISP or any other intermediate device is not blocking User Datagram Protocol (UDP) port 500 use for the Internet Security Association and Key Management Protocol (ISAKMP) negotiation. Also verify that these devices are configured to allow Encapsulating Security Payload (ESP) and Authentication Header (AH).

    These are the ports and protocols necessary for IPSec:

    • ESP. IP Protocol 50
    • AH  Protocol. IP Protocol 51
    • UDP port 500 for ISAKMP
  3. Ensure that the VPN server or any intermediate device is enabled for Port Address Translation (PAT).

    Based on the debug messages from the VPN Concentrator Client, make sure that VPN server and VPN Client are not misconcfigured. Check for group name and user name mismatch, as well as encryption and authentication parameters.

If the problem persisits, contact the Technical Assistance Center (TAC).

For more information, refer to these documents:

Content for Community-Ad