Core issue
This issue usually occurs for one of these two reasons:
- Mismatch in the group name and password on the Cisco VPN Client
- Dynamic map not properly configured on the headend device
Resolution
In order to resolve this issue, make sure that the following are properly configured:
- The group name and password on the Cisco VPN Client must match the group name and password configured on the headend device.
- A dynamic map must be configured and bound to the outside interface. Refer to "How to configure dynamic maps in a PIX 500 series Firewall with software version PIX 7.x?" in order to learn more about dynamic maps.
Note: With Cisco VPN client version 4.6.x and later, the maximum pre-shared key length for the VPN Client is 128 characters. The previous limit was 32 characters. The increased key size works only with central-site devices that support 128 characters, for example, an ASA device.
If the central-site device does not support 128 characters, for example, a VPN 3000 Concentrator, you receive the same log messages as if the pre-shared key were wrong:
386 15:39:39.010 03/30/05 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
387 15:39:39.010 03/30/05 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
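The following triage helper is an added example, not part of the original article or any Cisco tool. It parses VPN Client log entries in the two-line format shown above and, when the hash-verification events appear, lists the causes this page names. The function names, the cause labels and the headend_max_psk parameter are assumptions; only the key length is passed in, never the key itself.

```python
import re

# Header line of a VPN Client log entry, e.g.
# "386 15:39:39.010 03/30/05 Sev=Warning/3 IKE/0xE3000056"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)

# Event codes taken from the log excerpt on this page.
HASH_EVENTS = {"0xe3000056", "0xe300007d"}

# The log excerpt from this page, embedded so the example runs offline.
SAMPLE = """\
386 15:39:39.010 03/30/05 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
387 15:39:39.010 03/30/05 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
"""

def parse_entries(text):
    """Return one dict per log entry: header fields plus the joined message."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif line and entries:
            # Message text follows its header and may span several lines.
            last = entries[-1]
            last["message"] = (last["message"] + " " + line).strip()
    return entries

def triage(text, psk_length, headend_max_psk=32):
    """Return cause labels (hypothetical names) if the hash failure is logged.

    headend_max_psk is the key length the central-site device supports:
    32 is the older limit, 128 applies to devices such as an ASA.
    """
    codes = {e["code"].lower() for e in parse_entries(text)}
    if not codes & HASH_EVENTS:
        return []
    causes = []
    if psk_length > headend_max_psk:
        # Looks identical in the log to a wrong pre-shared key.
        causes.append("psk_too_long")
    causes += ["group_mismatch", "dynamic_map"]
    return causes
```

For example, triage(SAMPLE, psk_length=64) reports psk_too_long first, because a 64-character key against a 32-character headend produces the same log lines as a wrong key.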
Client Location on Network with PIX: Outside
VPN Protocols: Pre-shared key