04-29-2009 02:53 AM
Using a Cisco VPN Client 5.0 on an ASA5505 I cannot connect with IPsec. I get the following log on the ASA:
....QM FSM error(P2 struct....etc
....All IPSec sa Proposals found unacceptable!
....Mismatch: Overriding phase2 DH Group(DH group!) with phase 1 group (DH group 2)
....PHASE 1 COMPLETED
As I understand it, authentication is okay, but the client and ASA cannot find an IKE policy to agree on? I've tried to set up several IKE policies (that are listed as supported by the Cisco client) but with the same result. Am I looking in the wrong direction here? Help!
Best regards,
/Kristian
PS: if this message is posted more than once - well, the Cisco apache/tomcat system has been sick for the last few hours..
04-29-2009 12:27 PM
The logging capabilities on the VPN client are very good. I would set all the facilities to High, try to connect, and review the logs. They are usually pretty straightforward in reporting what is not working.
Hope that helps.
05-01-2009 07:23 AM
Occasionally I've had configurations all of a sudden require an AES IKE policy. I found this out by enabling debugging on the firewall, determining exactly which IKE policies were being sent from the VPN Client, and then matching the first one.
05-12-2009 09:45 AM
Make sure PFS is disabled or enabled on both sides.
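The replies above point in the same direction: the ASA log says PHASE 1 COMPLETED, so the ISAKMP policy and the authentication already matched, and the rejection happens in quick mode (phase 2), where the IPsec transform set and the PFS/DH group setting have to agree. The script below turns that reading into a small triage check that can be run over saved ASA log lines. It is an added example, not code from this thread or from Cisco; the sample log is constructed from the message texts quoted in the first post, with made-up Group/IP prefixes and made-up DH group numbers (the thread's own line has the group number garbled).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample log: the four ASA messages quoted in the original question,
# reassembled with made-up "Group = / IP =" prefixes of the kind the ASA prints.
# The DH group numbers in the Mismatch line are constructed, not taken from the thread.
SAMPLE_LOG = """\
Group = vpnusers, IP = 192.0.2.10, QM FSM error (P2 struct &0x0, mess id 0x1)!
Group = vpnusers, IP = 192.0.2.10, All IPSec SA proposals found unacceptable!
Group = vpnusers, IP = 192.0.2.10, Mismatch: Overriding phase2 DH Group(DH group 1) with phase 1 group (DH group 2)
Group = vpnusers, IP = 192.0.2.10, PHASE 1 COMPLETED
"""

# Patterns keyed to the ASA message texts seen in the thread.
PHASE1_DONE = re.compile(r"PHASE 1 COMPLETED")
QM_FSM = re.compile(r"QM FSM error")
P2_REJECT = re.compile(r"All IPSec SA proposals found unacceptable", re.IGNORECASE)
PFS_OVERRIDE = re.compile(
    r"Overriding phase2 DH Group\s*\((?P<p2>[^)]*)\)\s*with phase 1 group\s*\((?P<p1>[^)]*)\)",
    re.IGNORECASE,
)


@dataclass
class Triage:
    phase1_completed: bool = False
    phase2_failed: bool = False
    # (phase-2 DH group the client proposed, phase-1 group the ASA substituted)
    pfs_override: Optional[Tuple[str, str]] = None
    findings: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.phase2_failed:
            return "phase2-proposal-mismatch"
        if self.phase1_completed:
            return "phase1-ok"
        return "no-ike-indicators"


def triage_ike_log(text: str) -> Triage:
    """Scan ASA IKE log lines and report which negotiation phase failed and why."""
    t = Triage()
    for line in text.splitlines():
        if PHASE1_DONE.search(line):
            t.phase1_completed = True
        if QM_FSM.search(line) or P2_REJECT.search(line):
            t.phase2_failed = True
        m = PFS_OVERRIDE.search(line)
        if m:
            t.pfs_override = (m.group("p2").strip(), m.group("p1").strip())

    if t.phase1_completed:
        t.findings.append(
            "Phase 1 completed: the IKE (ISAKMP) policy and peer authentication matched, "
            "so the ISAKMP policy and pre-shared key are not the problem."
        )
    if t.phase2_failed:
        t.findings.append(
            "Quick mode (phase 2) rejected every proposal: compare the client's IPsec "
            "transform (ESP cipher/hash) with the transform sets on the ASA dynamic crypto map."
        )
    if t.pfs_override:
        p2, p1 = t.pfs_override
        t.findings.append(
            f"ASA overrode the proposed phase-2 DH group ({p2}) with its phase-1 group ({p1}): "
            "PFS differs between client and ASA; enable PFS with the same group on both sides "
            "or disable it on both."
        )
    if not t.findings:
        t.findings.append(
            "No IKE indicators found: raise the ASA debug level (debug crypto isakmp) "
            "and the client log level to High, then retry the connection."
        )
    return t


if __name__ == "__main__":
    result = triage_ike_log(SAMPLE_LOG)
    print(result.verdict)
    for finding in result.findings:
        print(" -", finding)
```

On the sample log the verdict is a phase-2 proposal mismatch with three findings, which matches the thread's conclusion: stop adjusting ISAKMP policies and compare the transform set and PFS setting on both ends instead.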