Solved

Phase-2 retransmission count exceeded

Posted on 2011-09-07
Last Modified: 2012-06-21
Hi,

We are not able to connect to our VPN concentrator using VPN client 5.0 from some particular locations.

We are getting the below log in the client:

Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

1      10:14:47.828  09/08/11  Sev=Info/4      CM/0x63100002
Begin connection process

2      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100004
Establish secure connection

3      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100024
Attempt connection with server "vpn.mycompany.com"

4      10:14:47.921  09/08/11  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 125.30.45.16.

5      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 125.30.45.16

7      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      10:14:48.312  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

10     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 125.30.45.16

11     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

12     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

13     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DPD

14     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

15     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

16     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

17     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

18     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 125.30.45.16

19     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

20     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x04BC, Remote Port = 0x1194

21     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

22     10:14:48.312  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     10:14:48.546  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

24     10:14:48.546  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

25     10:14:48.546  09/08/11  Sev=Info/4      CM/0x63100015
Launch xAuth application

26     10:14:48.703  09/08/11  Sev=Info/6      GUI/0x63B00012
Authentication request attributes is Bh.

27     10:14:58.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

28     10:15:00.578  09/08/11  Sev=Info/4      CM/0x63100017
xAuth application returned

29     10:15:00.578  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

30     10:15:03.500  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

31     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

32     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

33     10:15:03.500  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

35     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

36     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Sygate Security Agent, Capability= (Are you There?).

37     10:15:03.546  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

38     10:15:08.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

39     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

41     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

42     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

43     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

44     10:15:13.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366585

45     10:15:18.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

46     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

47     10:15:18.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366586

48     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

49     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

50     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

51     10:15:23.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366587

52     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D5191667

53     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

54     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 125.30.45.16

55     10:15:26.968  09/08/11  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

56     10:15:26.968  09/08/11  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

57     10:15:26.968  09/08/11  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

58     10:15:26.984  09/08/11  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

59     10:15:26.984  09/08/11  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

60     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

62     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

63     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


It's working fine from most of the locations; only from a few locations it's not working. Is there anything we have to change in the concentrator?
Question by:amitabhg
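
A way to triage a log like the one posted above, as an added example that is not part of the original post: it finds the last request the peer never answered before the client logged "retransmission count exceeded". The names `ENTRY` and `find_stall` are hypothetical, and the sample is an excerpt of the posted log with blank lines dropped.

```python
import re

# Excerpt of the log posted above (entries 31-52, blank lines dropped).
SAMPLE_LOG = """\
31     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16
37     10:15:03.546  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16
39     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!
41     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!
43     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16
48     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!
52     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D5191667
"""

# Header line (sequence number, time, date, severity, module/code), then the
# first line of the message that follows it.
ENTRY = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+\S+\s+Sev=\S+\s+\w+/0x[0-9A-Fa-f]+\s*\n(.*)$",
    re.M)

def find_stall(log):
    """Return details of the request still unanswered when the client gave up."""
    pending, retransmits, dpd, last_rx = None, 0, 0, None
    for seq, time, msg in ENTRY.findall(log):
        msg = msg.strip()
        if msg.startswith("RECEIVING <<<"):
            # Any reply from the peer clears the outstanding request.
            pending, retransmits, dpd, last_rx = None, 0, 0, time
        elif msg.startswith("SENDING >>>") and "DPD_REQUEST" in msg:
            dpd += 1  # dead-peer-detection probe sent since the last reply
        elif msg.startswith("SENDING >>>") and "Retransmission" not in msg:
            pending, retransmits = (int(seq), time, msg), 0
        elif msg.startswith("Retransmitting last packet"):
            retransmits += 1
        elif "retransmission count exceeded" in msg:
            return {"unanswered": pending, "retransmits": retransmits,
                    "dpd_requests": dpd, "last_reply_at": last_rx}
    return None  # the log never reached the give-up message
```

On this excerpt the unanswered request is entry 37, sent 46 ms after the last packet received from the peer.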
7 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 36505054
It might be that those locations are blocking the response.
See whether events on the Cisco concentrator match the events on the VPN client from this location.
Presumably the same system with Cisco VPN client 5 taken to another location works without a hitch.
Please confirm that the LOCAL LAN IPs in this location do not overlap with the IPs behind the VPN.

i.e. your VPN Office LAN are 172.16.0.0 255.255.252.0 192.168.0.0 255.255.255.0
And unfortunately in the location where there is an issue you have a local IP segment of 172.18.12.0 255.255.255.0.

netstat -rn
ipconfig /all
from the local system at those locations.
 

Author Comment

by:amitabhg
ID: 36508199
Hi Arnold,

Thank you for your reply.

At our end we are using 10.125.0.0/16.

In the hotel they are getting the IP 10.0.0.10 for the laptop.

What can we do in this situation? Is there any alternative to resolve this issue?

Thanks
 
LVL 78

Accepted Solution

by:arnold
ID: 36510673
What is the netmask? 255.0.0.0? Default gateway?
What is the IP range for the VPN IP assigned to the vpn client?

Does the VPN use split-tunnel to only secure the specific VPN LAN networks, or does the VPN secure all?

http://www.techrepublic.com/article/fix-10-common-cisco-vpn-problems/5913811

Author Comment

by:amitabhg
ID: 36542718
Sorry for the delay.

Netmask is 255.255.255.0, gateway is 10.0.0.1.

We are not using split tunnel; we are allowing only a few networks through the VPN.

Thanks
Durga
 
LVL 78

Expert Comment

by:arnold
ID: 36542855
Split tunnel is how you allow a few networks. Currently, if you do not set split-tunnel specified networks, all traffic is sent through the VPN tunnel.
Look at the client routing table.
Look at the computer's routing table (netstat -rn).
Is the default gateway referencing the VPN IP?
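
The routing-table check discussed in this thread, as an added example that is not part of the original posts: it parses `netstat -rn` output, reports the default gateway, and lists local routes that overlap the networks behind the VPN. The route table is constructed from the addresses given in the thread, and `parse_routes` and `check` are hypothetical names.

```python
import ipaddress

# Constructed `netstat -rn` IPv4 table (Windows XP layout) for the hotel laptop
# in the thread: address 10.0.0.10, netmask 255.255.255.0, gateway 10.0.0.1.
SAMPLE_NETSTAT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10      20
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10      20
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0        10.0.0.10       10.0.0.10      20
"""

def parse_routes(text):
    """Yield (network, gateway) for every IPv4 row of the route table."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header or blank line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
        except ValueError:
            continue  # not an address/netmask pair
        yield net, cols[2]

def check(text, vpn_networks):
    """Return (default gateways, local routes overlapping the VPN networks)."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    gateways, conflicts = [], []
    for net, gw in parse_routes(text):
        if net.prefixlen == 0:
            gateways.append(gw)  # gateway of the default route
        elif net.prefixlen < 32 and not (net.is_loopback or net.is_multicast):
            conflicts += [(str(net), str(v)) for v in vpn if net.overlaps(v)]
    return gateways, conflicts

if __name__ == "__main__":
    office = ["10.125.0.0/16"]  # network behind the concentrator, per the thread
    print(check(SAMPLE_NETSTAT, office))
    # The same laptop if the hotel netmask had been 255.0.0.0 instead:
    print(check("10.0.0.0 255.0.0.0 10.0.0.10 10.0.0.10 20", office))
```

With the netmask 255.255.255.0 reported in the thread there is no overlap with 10.125.0.0/16; with 255.0.0.0 the local 10.0.0.0/8 route would contain it.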
 

Author Comment

by:amitabhg
ID: 36567263
Hi Arnold,

This issue has been resolved after upgrading the client software from 5.05 to 5.07.

Thanks for your support.
 

Author Closing Comment

by:amitabhg
ID: 36567271
Arnold has given a clear picture about the VPN client.