[vpn-help] VPN no longer connects after ASA upgraded to 8.3(2)

Cory Bell bellcr at gmail.com
Tue Mar 26 09:31:38 CDT 2013

VPN Client Version: 2.1.7-release and 2.2.0-rc-2
Windows OS Version: 7
Gateway Make/Model: Cisco ASA
Gateway OS Version: 8.3(2)

I've got a couple of ASAs that were both on 8.2(5) and working fine
with ShrewSoft 2.1.7. Recently, I upgraded one of them to 8.3(2) and
now the ShrewSoft client can no longer connect. I'm aware of the
"unidirectional" NAT exclusion issue in 8.3(2) and have already
corrected it. The official Cisco client is able to connect, as is vpnc
on Linux and the integrated Cisco-compatible client in Mac OS X. The
same ShrewSoft clients that can't connect to the 8.3(2) ASA can still
connect to the 8.2(5) ASA (the tunnel-groups are identical).

There's nothing exotic about my configuration, just your standard
IKEv1 with XAuth-PSK auth and NAT-T encapsulation. It's virtually
identical to the Cisco ASA example on the Support page, except that
the example is from a pretty old ASA version.

I see two different failure modes - sometimes the ASA shows a "Failure
during phase 1 rekeying attempt due to collision" error and
immediately sends a DELETE to the client, at which point the
connection is terminated. Other times, the client will seemingly hang
after sending multiple config requests. I also gave the ShrewSoft
2.2.0-rc-2 client a try, and it behaves exactly the same.

Cisco TAC was about as helpful as you might expect, so I'm hoping
someone else has been through this and had better luck. I'm happy to
provide sanitized logs if it will help identify the issue. Thanks!

