
Remote Access VPN Issues

I am having problems using AnyConnect. I have a remote access VPN configured but I am unable to log in to the VPN, as there is no option to define group-based authentication or to specify a username; the only option I get is to provide a key.

The client connects (although showing the "Attribute is unacceptable, next payload is 0" error) and shows up in

sh crypto isakmp sa

and  but then gets the ISAKMP purging error and kicks the client.

The settings are as follows, any help is appreciated by this noob.


aaa new-model
aaa authentication login mylist local
aaa authorization network mynet local
username admin password admin
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
ip local pool VPNPOOL
crypto isakmp client configuration group mygroup
 key mykey123
 pool VPNPOOL
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto dynamic-map map1 10
 set transform-set set1
crypto map map1 client configuration address respond
crypto map map1 client authentication list mylist
crypto map map1 isakmp authorization list mynet
crypto map map1 10 ipsec-isakmp dynamic map1
interface fastEthernet 0/0
 crypto map map1



Rob Ingram
VIP Mentor


You've configured authentication as PSK; if you are using AnyConnect you'll need to use either certificates or EAP (username/password). Use one of the following guides on how to configure a Remote Access VPN on a Cisco IOS router.
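
An added example (not part of the thread and not Cisco's code): a small Python check that reads an IOS configuration and reports the IKEv1 pre-shared-key pieces that the reply above identifies as the reason AnyConnect cannot log in. The sample configuration is constructed from the settings in the question; the function names and the list of parameters treated as weak are assumptions of this example.

```python
import re

# Constructed sample: the IKEv1 policy and client group from the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login mylist local
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group mygroup
 key mykey123
 pool VPNPOOL
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
"""

# Assumption of this example: IKE parameters reported as weak.
WEAK = ("encryption des", "encryption 3des", "hash md5", "group 1", "group 2")

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def audit(config):
    """Return findings that explain why AnyConnect cannot use this config."""
    findings = []
    sections = parse_sections(config)
    for head, body in sections:
        if re.match(r"crypto isakmp policy \d+$", head):
            if "authentication pre-share" in body:
                findings.append(f"{head}: IKEv1 pre-shared key authentication")
            findings += [f"{head}: weak parameter '{w}'" for w in WEAK if w in body]
        elif head.startswith("crypto isakmp client configuration group"):
            findings.append(f"{head}: legacy IKEv1 group/key client profile")
    if not any(h.startswith("crypto ikev2 ") for h, _ in sections):
        findings.append("no 'crypto ikev2' configuration: AnyConnect IPsec needs IKEv2")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
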


@Rob Ingram Thank you for the help, this is exactly what I needed. I am using the below link


but I am confused about one thing, this guide refers to another guide in the middle saying


Refer to steps 1 through 4 in ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example, and change all instances of crypto ca to crypto pki.


But I don't have an ASA, so should I follow these steps or not, as steps 1 to 4 are referring to ASDM and I obviously don't have it as I don't have an ASA.

@samipk1234 Instead of providing you with the commands for the router, they provided the ASA commands, which are similar. Just follow the CLI commands and replace "crypto ca" with "crypto pki". Obviously ignore the ASDM commands, just start from the "Command Line example".

Or here is an alternative example to generate certificates for FlexVPN, with the correct commands for the router.

@Rob Ingram Thanks for the clarification, a few questions though:


1. The guide is not clear whether the RADIUS server should also be a Certificate Authority, or whether just configuring a RADIUS server will be enough?

2. It refers to randomly without explaining whether it's the CA or just a random name given?


I am sorry to bother you this much but this is helping me immensely.



Hi @samipk1234 no problem, glad to help.


The RADIUS server does not need to be a CA, these are just roles the server provides and probably just happen to be the same server in this example.


"" is just the CN in the certificate, this is used to provide a unique identity when authenticating.



@Rob Ingram Thank you sir for your continuous support, the picture is getting a lot better in my head on what to do, just a question:


My AD domain is Sami.local, so in this case do I have to create a subdomain of flex-hub.sami.local in order to follow the tutorial example of flex-hub, or is this subdomain just for reference purposes/alias and will not be used to authenticate the domain user's connection to the VPN?

@samipk1234 you don't need to create a subdomain; sami.local is your domain name, so you'll just issue a certificate to flex-hub.sami.local.


The important thing is the client must trust the certificate issued to the router.

@Rob Ingram Thank you sir for your reply. My last question before I get busy with the lab is that in the ASA settings page it is using the FQDN of and in the other it is used as I just wanted to be clear these are the same (just used in different blogs) so I can use either one of them for configuration in both examples, right?
Also my CA is dc1-Khi.sami.local so I should be using that in its place?

@samipk1234 Yes they are referring to the same thing. You should just define the FQDN of the FlexVPN router as "routername.sami.local" and get this signed by your CA dc1-khi.sami.local.
