I ran into this issue recently while trying to make a Remote Access VPN work on a Cisco ASA 5505 firewall. The VPN had been working at one point but was rarely used. When the end user tried to use it again they kept getting the following error.
Now this error could occur for many reasons. Including a firewall on the client side that is blocking the necessary UDP or TCP ports, or, an unstable internet connection, such as a mobile connection. But in my particular case it was actually a configuration issue on the firewall itself.
On this particular firewall there was a NAT statement that was translating everything from interface to a server on the private network. The syntax looked something like this.
static (inside,outside) tcp interface DALEK-KHAN mask 255.255.255.255
I’m not really a big fan of the interface syntax. The interface syntax is specified when you want to use the IP attached to the outside interface for PAT (Port Address Translation). I prefer to use a dedicated public IP for my Cisco device and keep address translation on their own IPs. However, for various reasons, whether it be cost prohibitive, or, limited provider plans, there is a definite need for this syntax.
The problem with our code was that every TCP port was being translated from the external interface to an internal server. Even the ports required for VPN connectivity! This was the cause of our error.
Removing this NAT statement, and replacing it with just the PAT statements that the server actually needed, freed up the necessary VPN ports. So, for our server DALEK-KHAN, let’s make him a webserver, our code would end up looking like this.
static (inside,outside) tcp interface 80 DALEK-KHAN 80
static (inside,outside) tcp interface 443 DALEK-KHAN 443
We saved the config, hit the connect button on our VPN client, and (Hey! Presto!) we connected.
Hope this helps! I would love to hear your fixes on this error as well.