Cisco ASA VPN logs

For a VPN connection to establish, the IPSec Connection Profile name must match exactly; it is case-sensitive. Whilst trying to troubleshoot a recent VPN connection, I would hit connect from the client; however, the connection would soon fail, and the Cisco client logs didn’t give me much information.

When I checked the Cisco ASA logs, this is what was displayed:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv’d: Group 2  Cfg’d: Group 5

Group = DefaultRAGroup, IP = x.x.x.x, constructing ISAKMP SA payload

Group = DefaultRAGroup, IP = x.x.x.x, Received an un-encrypted INVALID_HASH_INFO notify message, dropping

Group = DefaultRAGroup, IP = x.x.x.x, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.

I could see that there was a mismatch in the IPSec Connection Profile, and after confirming the pre-shared key was correct, I checked the name of the IPSec Connection Profile and discovered that the casing was different. The connection was failing at this level and then proceeded to try to use a default Group, which failed.

After making the case changes, I received an authentication box and the connection successfully established.

The IPSec Connection Profile name is case-sensitive.
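
The check described above can be scripted. This is an added example, not part of the original post: it scans lines in the "Group = ..., IP = ..., message" layout quoted above for peers that landed in DefaultRAGroup and then failed Phase 1, and it tests whether a client's profile name differs from a configured one only by letter case. The IP addresses and the profile names "Remote-Users" and "Staff" are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout of the ASA lines quoted above: "Group = <name>, IP = <addr>, <message>"
LINE_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)")
DEFAULT_GROUP = "DefaultRAGroup"
# Message fragments from the log excerpt that mark the Phase 1 failure
SYMPTOMS = ("INVALID_HASH_INFO", "pre-shared key mismatch")

def peers_on_default_group(lines):
    """Return {peer_ip: [symptom, ...]} for peers that fell back to DefaultRAGroup and failed."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["group"].strip() != DEFAULT_GROUP:
            continue  # not in the quoted layout, or matched a named profile
        for symptom in SYMPTOMS:
            if symptom in m["msg"] and symptom not in hits[m["ip"]]:
                hits[m["ip"]].append(symptom)
    return {ip: found for ip, found in hits.items() if found}

def case_only_mismatch(client_name, configured_names):
    """Return the configured profile that differs from client_name only by case, else None."""
    if client_name in configured_names:
        return None  # exact match, so the name is not the problem
    for name in configured_names:
        if name.casefold() == client_name.casefold():
            return name
    return None

# Constructed sample input (documentation IP ranges, hypothetical profile names)
SAMPLE_LOG = [
    "Group = DefaultRAGroup, IP = 192.0.2.10, constructing ISAKMP SA payload",
    "Group = DefaultRAGroup, IP = 192.0.2.10, Received an un-encrypted "
    "INVALID_HASH_INFO notify message, dropping",
    "Group = DefaultRAGroup, IP = 192.0.2.10, Error, peer has indicated that something "
    "is wrong with our message.  This could indicate a pre-shared key mismatch.",
    "Group = Remote-Users, IP = 198.51.100.7, constructing ISAKMP SA payload",
]

if __name__ == "__main__":
    for ip, symptoms in peers_on_default_group(SAMPLE_LOG).items():
        print(f"{ip}: fell back to {DEFAULT_GROUP}; saw {', '.join(symptoms)}")
    print("configured name:", case_only_mismatch("remote-users", ["Remote-Users", "Staff"]))
```

A peer reported by the first function whose pre-shared key is known to be correct is a candidate for the second check against the profile names configured on the ASA.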