VPN client connection problems.

mrballan007 · ‎09-10-2006

Hello all,

We have a VPN 3020 with approx 200 clients connecting with the Cisco VPN client ver 4.8.00.0440.

The majority of the time all users can connect fine. However in some locations the vpn client does not prompt for authentication details. The user can then go to another location (eg.home) and the vpn connection will work correctly.

In the VPN 3k logs we see.

28846 09/11/2006 11:30:20.000 SEV=5 IKEDBG/64 RPT=5277 ip address

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

A successfull connection shows.

28790 09/11/2006 10:32:25.640 SEV=5 IKEDBG/64 RPT=5255 ip address

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

28792 09/11/2006 10:32:38.760 SEV=4 AUTH/22 RPT=9084 ip address

User [username] Group [groupname] connected, Session Type: IPSec

28793 09/11/2006 10:32:38.770 SEV=3 IKE/133 RPT=4551 ip address

Group [groupname] User [username]

Mismatch: Overriding phase 2 DH Group(DH group 1) with phase 1 group(DH group 2)

Has anyone come across this problem before and if so how did they fix it?

Thankyou in advance.

smalkeric · ‎09-15-2006

The meaning of the message is that the configured Phase 2 PFS Group differs from the DH group that was negotiated for phase one . This is just an informational message and no action is necessary.