James, make sure that the client's certificate has got the same OU field as the name of the tunnel-group (e.g. you should have OU=EZgroup2 in the certificate that you use to connect via Cisco VPN Client).
Additionally, can you post ISAKMP debugs from Cisco ASA?

Marta Sokolowska
