Logged into the ASA and checking logs while attempting a connection showed valid Phase 1 completing, but this error stuck out:

Skipping dynamic map XXX sequence XX: cannot match peerless map when peer found in previous map entry.

I knew I had seen this before and couldn’t remember the solution offhand, but the interesting bit was “peer found in previous map entry”.

In this instance, the network I was working from already had a site-to-site VPN tunnel to the customer (but for separate/unrelated subnets, hence needing the VPN client).

The issue here is that the ASA recognizes my public IP as already being associated with the site-to-site VPN, but can’t match it to the incoming VPN client requests, causing the client connection to fail.

We can work around this issue by updating the dynamic cryptomap in use:

Verify the dynamic cryptomap in use, in my case it was outside_dyn_map. Checking this configuration found the typical snippet for a VPN client:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

By simply adding another entry in the dynamic match, but specifying the peer of the site-to-site VPN, we can allow both VPN client and site-to-site to coexist:

crypto dynamic-map outside_dyn_map 10 set peer X.X.X.X
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000