Showing results for 
Search instead for 
Did you mean: 

Ridiculous ASA5505 OSX Problem

Level 1
Level 1

So this is wild.  I took an ASA5505 out of the box and upgrade the firmware to 8.4.(2)8.  I used the VPN wizard to build an IPSEC remote access VPN.  I test with a win7 full cisco client and it works (test from a virtual machine using a wireless connection on the host), i test with my iphone running IOS 5 .0.1 and it works.  I test with a laptop running snow leopard 10.7.2 and the same wireless connection from above and it cannot negotiate.  If i plug directly into the ASA5505 and try to VPN it connects instantly.

Below is the config, i'm completely baffled here.

Result of the command: "sh run"

: Saved


ASA Version 8.4(2)8


hostname ciscoasa

enable password QSM0mlnK8RBz4RL9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute


ftp mode passive

object network obj_any


object network NETWORK_OBJ_10.1.2.0_25


pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool kay mask

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.1.2.0_25 NETWORK_OBJ_10.1.2.0_25 no-proxy-arp route-lookup


object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside


dhcpd address inside

dhcpd enable inside


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


group-policy kay internal

group-policy kay attributes

dns-server value

vpn-tunnel-protocol ikev1

username test password P4ttSyrm33SV8TYp encrypted

tunnel-group kay type remote-access

tunnel-group kay general-attributes

address-pool kay

default-group-policy kay

tunnel-group kay ipsec-attributes

ikev1 pre-shared-key *****


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options


service-policy global_policy global

prompt hostname context

no call-home reporting anonymous


: end

1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

Hi brookkaren

I agree this seems weird but it's hard to say what's wrong without more information.

I would suggest to start with enabling these debugs on the ASA:

debug crypto ipsec  10

debug crypto ikev1  10

debug crypto ike-common 10

as well as checking the client logs (see the "log" tab, you can increase the logging level in the "logging" menu).