Solved

Phase-2 retransmission count exceeded

Posted on 2011-09-07
Last Modified: 2012-06-21
Hi,

We are not able to connect to our VPN concentrator using VPN client 5.0 from some particular locations.

We are getting the below log in the client:

Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

1      10:14:47.828  09/08/11  Sev=Info/4      CM/0x63100002
Begin connection process

2      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100004
Establish secure connection

3      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100024
Attempt connection with server "vpn.mycompany.com"

4      10:14:47.921  09/08/11  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 125.30.45.16.

5      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 125.30.45.16

7      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      10:14:48.312  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

10     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 125.30.45.16

11     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

12     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

13     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DPD

14     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

15     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

16     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

17     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

18     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 125.30.45.16

19     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

20     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x04BC, Remote Port = 0x1194

21     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

22     10:14:48.312  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     10:14:48.546  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

24     10:14:48.546  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

25     10:14:48.546  09/08/11  Sev=Info/4      CM/0x63100015
Launch xAuth application

26     10:14:48.703  09/08/11  Sev=Info/6      GUI/0x63B00012
Authentication request attributes is Bh.

27     10:14:58.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

28     10:15:00.578  09/08/11  Sev=Info/4      CM/0x63100017
xAuth application returned

29     10:15:00.578  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

30     10:15:03.500  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

31     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

32     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

33     10:15:03.500  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

35     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

36     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Sygate Security Agent, Capability= (Are you There?).

37     10:15:03.546  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

38     10:15:08.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

39     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

41     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

42     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

43     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

44     10:15:13.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366585

45     10:15:18.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

46     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

47     10:15:18.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366586

48     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

49     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

50     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

51     10:15:23.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366587

52     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D5191667

53     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

54     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 125.30.45.16

55     10:15:26.968  09/08/11  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

56     10:15:26.968  09/08/11  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

57     10:15:26.968  09/08/11  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

58     10:15:26.984  09/08/11  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

59     10:15:26.984  09/08/11  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

60     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

62     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

63     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


It's working fine from most of the locations, but from a few locations it's not working. Is there anything we have to change in the concentrator?
0
Question by:amitabhg
7 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 36505054
It might be that those locations are blocking the response.
See whether events on the Cisco concentrator match the events on the VPN client from this location.
Presumably the same system with Cisco VPN client 5 taken to another location works without a hitch.
Please confirm that the LOCAL LAN IPs in this location do not overlap with the IPs behind the VPN.

i.e. your VPN office LANs are 172.16.0.0 255.255.252.0 and 192.168.0.0 255.255.255.0
And unfortunately in the location where there is an issue you have a local IP segment of 172.18.12.0 255.255.255.0.

netstat -rn
ipconfig /all
from the local system at those locations.
0
 

Author Comment

by:amitabhg
ID: 36508199
Hi Arnold,

Thank you for your reply.

At our end we are using 10.125.0.0/16.

In the hotel they are getting the IP 10.0.0.10 for the laptop.

What can we do in this situation? Is there any alternative to resolve this issue?

Thanks
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 36510673
What is the netmask? 255.0.0.0? Default gateway?
What is the IP range for the VPN IP assigned to the vpn client?

Does the VPN use split-tunnel to only secure the specific VPN LAN networks, or does the VPN secure all?

http://www.techrepublic.com/article/fix-10-common-cisco-vpn-problems/5913811
0
 

Author Comment

by:amitabhg
ID: 36542718
Sorry for the delay.

Netmask is 255.255.255.0, gateway is 10.0.0.1.

We are not using split tunnel; we are allowing only a few networks through the VPN.

Thanks
Durga
0
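The overlap check arnold asks for earlier in the thread, run against the addresses posted so far, as an added example that is not part of any participant's post. The function names are hypothetical, the third test address is constructed, and the verdicts assume plain longest-prefix route selection with no route metrics involved.

```python
import ipaddress

def local_network(ip, netmask):
    """Network the adapter sits on, from the `ipconfig /all` IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network

def check_overlap(ip, netmask, vpn_networks):
    """Compare the local LAN with each network reachable behind the VPN.

    Returns (vpn_net, verdict) tuples. Assumption: longest-prefix matching
    decides, so the more specific route wins and the verdict names which
    hosts become unreachable.
    """
    lan = local_network(ip, netmask)
    results = []
    for cidr in vpn_networks:
        vpn = ipaddress.ip_network(cidr)
        if not vpn.overlaps(lan):
            verdict = "no overlap"
        elif lan.prefixlen >= vpn.prefixlen:
            # Local route is at least as specific as the VPN route.
            verdict = f"overlap: VPN hosts in {lan} route to the local LAN"
        else:
            # VPN route is more specific than the local LAN route.
            verdict = f"overlap: local hosts in {vpn} route into the tunnel"
        results.append((str(vpn), verdict))
    return results

VPN_NETWORKS = ["10.125.0.0/16"]  # the "at our end" network from the thread

if __name__ == "__main__":
    cases = [
        ("10.0.0.10", "255.255.255.0"),    # hotel laptop, mask as reported
        ("10.0.0.10", "255.0.0.0"),        # the mask arnold asked about
        ("10.125.3.10", "255.255.255.0"),  # constructed: LAN inside VPN range
    ]
    for ip, mask in cases:
        for vpn, verdict in check_overlap(ip, mask, VPN_NETWORKS):
            print(f"{ip} {mask} vs {vpn}: {verdict}")
```

With the reported mask of 255.255.255.0 the hotel LAN (10.0.0.0/24) does not overlap 10.125.0.0/16; it would only have overlapped had the mask been 255.0.0.0.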
 
LVL 76

Expert Comment

by:arnold
ID: 36542855
Split tunnel is how you allow a few networks. Currently, if you do not set split-tunnel specified networks, all traffic is sent through the VPN tunnel.
Look at the client routing table.
Look at the computer's routing table with netstat -rn.
Is the default gateway referencing the VPN IP?
0
 

Author Comment

by:amitabhg
ID: 36567263
Hi Arnold,

This issue has been resolved after upgrading the client software from 5.05 to 5.07.

Thanks for your support.
0
 

Author Closing Comment

by:amitabhg
ID: 36567271
Arnold has given a clear picture about the VPN client.
0
