iPhone vpn client stopped working

julietennyson
Level 1

I have a 5510 ASA and we have been using the Cisco VPN client on the iPhone 3G for 2 years. Two weeks ago we had a consultant set up a site to site VPN failover on our ASAs. That day the iPhone VPN client stopped working on all of the iPhones. The VPN client on the computers works fine. When I try to log in with the iPhone these are the errors I get from the log in the ASDM.

5 Apr 20 2011 20:09:02 713119     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, PHASE 1 COMPLETED

5 Apr 20 2011 20:09:02 713904     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, All IPSec SA proposals found unacceptable!

3 Apr 20 2011 20:09:02 713902     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!

3 Apr 20 2011 20:09:02 713902     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Removing peer from correlator table failed, no match!

5 Apr 20 2011 20:09:02 713259     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session is being torn down. Reason: Phase 2 Mismatch

4 Apr 20 2011 20:09:02 113019     Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

I have attached the ASA configs from before he made changes and after he made changes.

I hope someone can help me.  I am not very experienced with the ASA (which is why I hired a consultant).  I need step by step instructions.


Yudong Wu
Level 7

I saw your previous configuration had some lan-to-lan vpn as well. Are they still working or not?

He configured a new crypto map and applied it to the outside interface.

In your old crypto map configuration, you have both lan-2-lan and remote access vpn.

But in his new configuration, he just uses one dynamic map without the previous lan-2-lan configuration.

But if you would like a quick fix for iPhone, you can just do the following,

no crypto map dyn-map interface outside

crypto dynamic-map cisco 1 set transform-set myset set1

crypto map dyn-map interface outside

That is not going to change anything in the lan to lan or for the other VPN clients, is it?

Besides this iPhone vpn issue, did you experience any other issue after the change?

What I suggested in the previous post is to add the transform-set which was used by iPhone. So, it won't impact the other vpn client.

The first command will remove the crypto map from the outside interface. After you add the transform-set back, you will then apply the same crypto map back to the outside interface. VPN would stop working until you re-apply the crypto map to the outside interface.

And that is all I have to put in? No other commands for encryption or anything?

If his configuration only broke the iPhone vpn connection, yes, that's the only thing you need.

Per the log you provided, the iPhone vpn connection was broken on phase 2; the transform-set is the parameter which is negotiated in phase 2.

Thank you very much.  It worked.
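
Added example, not part of the original thread: a small Python triage script for the failure pattern in the log above, where Phase 1 completes and Phase 2 is then rejected. The sample lines are constructed in the same ASDM layout with placeholder group, user and address values; the function name and hint text are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the ASDM log layout shown in the post
# (severity, date, time, message ID, text). Names and IPs are placeholders.
SAMPLE_LOG = """\
5 Apr 20 2011 20:09:02 713119 Group = examplevpn, Username = user1, IP = 203.0.113.10, PHASE 1 COMPLETED
5 Apr 20 2011 20:09:02 713904 Group = examplevpn, Username = user1, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
5 Apr 20 2011 20:09:02 713259 Group = examplevpn, Username = user1, IP = 203.0.113.10, Session is being torn down. Reason: Phase 2 Mismatch
5 Apr 20 2011 20:11:40 713119 Group = examplevpn, Username = user2, IP = 203.0.113.20, PHASE 1 COMPLETED
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d) (?P<ts>\w{3} +\d{1,2} \d{4} [\d:]{8}) (?P<msgid>\d{6})\s+"
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), (?P<text>.*)$"
)

def find_phase2_mismatches(log_text):
    """Return sessions where IKE Phase 1 completed but Phase 2 was rejected."""
    sessions = defaultdict(lambda: {"phase1_ok": False, "phase2_rejected": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-session IKE line in this layout
        key = (m["group"], m["user"], m["ip"])
        text = m["text"]
        if m["msgid"] == "713119" and "PHASE 1 COMPLETED" in text:
            sessions[key]["phase1_ok"] = True
        # 713904 text as it appears in the post; 713259 carries the teardown reason.
        if (m["msgid"] == "713904" and "proposals found unacceptable" in text) \
                or "Reason: Phase 2 Mismatch" in text:
            sessions[key]["phase2_rejected"] = True
    return [
        {"group": g, "user": u, "ip": ip,
         "hint": "Phase 1 OK, Phase 2 proposal rejected: compare the client's "
                 "transform-set with the crypto map entry it lands on"}
        for (g, u, ip), s in sessions.items()
        if s["phase1_ok"] and s["phase2_rejected"]
    ]

if __name__ == "__main__":
    for finding in find_phase2_mismatches(SAMPLE_LOG):
        print(finding)
```

Sessions that fail before Phase 1 completes are deliberately not reported, since those point at IKE policy or authentication rather than the transform-set.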