I have a 5510 ASA and we have been using the Cisco VPN client on the iPhone 3G for 2 years. Two weeks ago we had a consultant set up a site-to-site VPN failover on our ASAs. That day the iPhone VPN client stopped working on all of the iPhones. The VPN client on the computers works fine. When I try to log in with the iPhone, these are the errors I get from the log in the ASDM:
5 Apr 20 2011 20:09:02 713119 Group = rgrayvpn, Username = jtenny, IP = 188.8.131.52, PHASE 1
5 Apr 20 2011 20:09:02 713904 Group = rgrayvpn, Username = jtenny, IP = 184.108.40.206, All IPSec SA proposals found unacceptable!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 220.127.116.11, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 18.104.22.168, Removing peer from correlator table failed, no match!
5 Apr 20 2011 20:09:02 713259 Group = rgrayvpn, Username = jtenny, IP = 22.214.171.124, Session is being torn down. Reason: Phase 2 Mismatch
4 Apr 20 2011 20:09:02 113019 Group = rgrayvpn, Username = jtenny, IP = 126.96.36.199, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
I have attached the ASA configs from before he made changes and after he made changes.
I hope someone can help me. I am not very experienced with the ASA (which is why I hired a consultant). I need step by step instructions.
I saw your previous configuration had some lan-to-lan vpn as well. Are they still working or not?
He configured a new crypto map and applied it to the outside interface.
In your old crypto map configuration, you have both lan-2-lan and remote access vpn.
But in his new configuration, he just uses one dynamic map without the previous lan-2-lan configuration.
But if you would like a quick fix for iPhone, you can just do the following:
no crypto map dyn-map interface outside
crypto dynamic-map cisco 1 set transform-set myset set1
crypto map dyn-map interface outside
Besides this iPhone vpn issue, did you experience any other issue after the change?
What I suggested in the previous post is to add the transform-set which was used by iPhone. So, it won't impact the other vpn client.
The first command will remove the crypto map from the outside interface; after you add the transform-set back, you will then apply the same crypto map back to the outside interface. VPN would stop working until you re-apply the crypto map to the outside interface.
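The regression discussed in this thread, a crypto map entry offering fewer transform-sets after a change, can be caught by diffing the before and after configs. The following is an added example, not from the thread or the poster's attachments; the sample configs, the sequence number 20 and the choice of set1 as the dropped transform-set are constructed assumptions.

```python
import re

# Constructed sample configs (not the poster's attachments). Only lines
# relevant to the dynamic map named in the thread are included; the
# sequence number 20 and the dropped set (set1) are assumptions.
BEFORE = """\
crypto dynamic-map cisco 1 set transform-set myset set1
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
"""
AFTER = """\
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
"""

# Syntax as used in the thread; later ASA releases write
# "set ikev1 transform-set", which is accepted here as well.
ENTRY = re.compile(
    r"^crypto (dynamic-map|map) (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")

def transform_sets(config):
    """Map (kind, map name, sequence) -> set of transform-set names."""
    found = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            kind, name, seq, sets = m.groups()
            found.setdefault((kind, name, int(seq)), set()).update(sets.split())
    return found

def dropped_transform_sets(before, after):
    """Return {entry: transform-sets offered before the change but not after}."""
    old, new = transform_sets(before), transform_sets(after)
    report = {}
    for entry, sets in old.items():
        missing = sets - new.get(entry, set())
        if missing:
            report[entry] = sorted(missing)
    return report

if __name__ == "__main__":
    for (kind, name, seq), missing in dropped_transform_sets(BEFORE, AFTER).items():
        print(f"crypto {kind} {name} {seq}: no longer offers {', '.join(missing)}")
```

Any entry it reports is a candidate cause for "All IPSec SA proposals found unacceptable" from clients that could only negotiate the removed transform-set.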