Well, I have to apologize. I’m certainly not posting as frequently as I used to. Unfortunately between work and studying for the BSCI things have been a little crazy. I’m hoping to get some good posts out of my studies, but I don’t want to bore anyone with hello and dead times for OSPF just yet.
At any rate, I had an interesting issue come up when doing a Cisco Easy VPN deployment the other day that I thought I’d share. The headend device was an ASA5510 and the remote was an 831 ISR. During testing the phase 1 SA was getting stuck in an ‘AM_TM_INIT_XAUTH_V6H’ state which I had never seen before. A quick Google came back empty so I went to check out what the Easy VPN client was doing. The console on the client router was spitting out:
‘Pending XAuth Request, Please enter the following command: crypto ipsec client ezvpn xauth’.
So I obliged and entered in the command it suggested which then prompted me for the XAUTH username and password. After I entered in the credentials the tunnel came up just fine.
After doing some research it appeared to me that the client was coming up in what Cisco calls ‘interactive mode’, which requires you to enter the credentials each time the router loads. After verifying that the client was configured for ‘auto mode’ we opened a TAC case. The TAC engineer came back and told us that the client config looked good, and that it was an issue on the ASA. He had me modify my group policy as follows:
group-policy <Easy VPN Group Policy Name> attributes
 password-storage enable
After I added the password storage command we connected once more. On the first connect it again prompted for the username and password. Then on every subsequent reboot the tunnel came up automagically.
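As an added example (not part of the original post, and not Cisco's tooling), here is a short Python check that reads a saved ASA running-config and reports, per group policy, whether password-storage is set explicitly. That setting is what decided whether the Easy VPN client could save its XAUTH credentials, so it is worth knowing which policies allow it. The sample config and policy names are constructed, and a policy with no explicit line is reported as ‘inherit’ rather than resolved.

```python
import re

# Constructed sample of an ASA running-config; policy names are placeholders.
SAMPLE_CONFIG = """\
group-policy EZVPN-REMOTE internal
group-policy EZVPN-REMOTE attributes
 vpn-idle-timeout 30
 password-storage enable
group-policy SOFT-CLIENTS internal
group-policy SOFT-CLIENTS attributes
 password-storage disable
group-policy LEGACY internal
group-policy LEGACY attributes
 vpn-idle-timeout 30
"""

HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")
SETTING = re.compile(r"^\s+password-storage (enable|disable)\s*$")


def password_storage_by_policy(config_text):
    """Map each group-policy name to 'enable', 'disable' or 'inherit'."""
    result = {}
    current = None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            result.setdefault(current, "inherit")  # no explicit line seen yet
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the attributes block
            continue
        setting = SETTING.match(line)
        if current and setting:
            result[current] = setting.group(1)
    return result


def policies_allowing_storage(config_text):
    """Names of group policies that let clients save XAUTH credentials."""
    states = password_storage_by_policy(config_text)
    return sorted(name for name, state in states.items() if state == "enable")


if __name__ == "__main__":
    for name, state in sorted(password_storage_by_policy(SAMPLE_CONFIG).items()):
        print(f"{name}: password-storage {state}")
```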
Thank you! I upgraded a customer’s old ASA to a newer model and this exact problem popped up. Luckily I’m pretty good with Google and I found your post.
I can stop banging my head against the KB now..