04-21-2011 07:04 AM
I have a 5510 ASA and we have been using the Cisco vpn client on the iPhone 3G for 2 years. Two weeks ago we had a consultant set up a site to site VPN failover on our ASAs. That day the iPhone VPN client stopped working on all of the iPhones. The VPN client on the computers works fine. When I try to log in with the iphone these are the errors I get from the log in the asdm.
5 Apr 20 2011 20:09:02 713119 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, PHASE 1 COMPLETED
5 Apr 20 2011 20:09:02 713904 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, All IPSec SA proposals found unacceptable!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Removing peer from correlator table failed, no match!
5 Apr 20 2011 20:09:02 713259 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session is being torn down. Reason: Phase 2 Mismatch
4 Apr 20 2011 20:09:02 113019 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
I have attached the ASA configs from before he made changes and after he made changes.
I hope someone can help me. I am not very experienced with the ASA (which is why I hired a consultant). I need step by step instructions.
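The log excerpt above can be triaged mechanically. The following is an added example, not part of the original thread: it parses ASDM-style log lines of the shape shown in the post (severity, timestamp, message ID, Group/Username/IP fields, message text), groups them per remote-access session, and flags the "phase 1 completed but no IPsec SA proposal accepted" pattern that points at a transform-set mismatch on the dynamic crypto map. The sample log is constructed from the lines in the post; the message-ID constants are the ones that appear there.

```python
import re
from collections import defaultdict

# Constructed sample: the ASDM log lines quoted in the post, one entry per line.
SAMPLE_LOG = """\
5 Apr 20 2011 20:09:02 713119 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, PHASE 1 COMPLETED
5 Apr 20 2011 20:09:02 713904 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, All IPSec SA proposals found unacceptable!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, QM FSM error (P2 struct &0xac4459d8, mess id 0xd809f748)!
3 Apr 20 2011 20:09:02 713902 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Removing peer from correlator table failed, no match!
5 Apr 20 2011 20:09:02 713259 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session is being torn down. Reason: Phase 2 Mismatch
4 Apr 20 2011 20:09:02 113019 Group = rgrayvpn, Username = jtenny, IP = 166.137.140.21, Session disconnected. Session Type: IKE, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# Field layout as seen in the post: <severity> <Mon dd yyyy> <hh:mm:ss> <msgid> Group = ..., Username = ..., IP = ..., <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>\w{3} \d{1,2} \d{4}) (?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), (?P<text>.*)$"
)

PHASE1_OK = "713119"              # "PHASE 1 COMPLETED"
P2_PROPOSAL_REJECTED = "713904"   # "All IPSec SA proposals found unacceptable!"


def parse_line(line):
    """Return the named fields of one log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text):
    """Group entries per (group, user, ip) and classify where each session failed."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[(rec["group"], rec["user"], rec["ip"])].append(rec)
    verdicts = {}
    for key, recs in sessions.items():
        ids = {r["msgid"] for r in recs}
        if PHASE1_OK in ids and P2_PROPOSAL_REJECTED in ids:
            # IKE (phase 1) authenticated fine; IPsec (phase 2) found no acceptable
            # transform-set, i.e. the dynamic crypto map lacks the set the client offers.
            verdicts[key] = "phase2-mismatch: check transform-sets on the dynamic crypto map"
        elif PHASE1_OK in ids:
            verdicts[key] = "phase1-ok"
        else:
            verdicts[key] = "phase1-failed-or-incomplete"
    return verdicts
```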
04-21-2011 10:12 AM
I saw your previous configuration had some lan-to-lan vpn as well. Are they still working or not?
He configured a new crypto map and applied it to the outside interface.
In your old crypto map configuration, you have both lan-2-lan and remote access vpn.
But in his new configuration, he just uses one dynamic map without the previous lan-2-lan configuration.
But if you would like a quick fix for iPhone, you can just do the following,
no crypto map dyn-map interface outside
crypto dynamic-map cisco 1 set transform-set myset set1
crypto map dyn-map interface outside
04-21-2011 10:17 AM
That is not going to change anything in the lan to lan or for the other VPN clients, is it?
04-21-2011 10:24 AM
Besides this iPhone vpn issue, did you experience any other issue after the change?
What I suggested in the previous post is to add the transform-set which was used by iPhone. So, it won't impact the other vpn client.
The first command will remove the crypto map from the outside interface; after you add the transform-set back, you will apply the same crypto map back to the outside interface. VPN would stop working until you re-apply the crypto map to the outside interface.
04-21-2011 10:46 AM
And that is all I have to put in? No other commands for encryption or anything?
04-21-2011 11:01 AM
If his configuration only broke iPhone vpn connection, yes, that's only thing you need.
Per the log you provided, the iPhone vpn connection was broken on phase 2; the transform-set is the parameter which is negotiated in phase 2.
04-21-2011 11:47 AM
Thank you very much. It worked.