  • Status: Solved

Phase-2 retransmission count exceeded

Hi,

We are not able to connect to our VPN concentrator using VPN client 5.0 from some particular locations.

We are getting the below log in the client:

Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

1      10:14:47.828  09/08/11  Sev=Info/4      CM/0x63100002
Begin connection process

2      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100004
Establish secure connection

3      10:14:47.843  09/08/11  Sev=Info/4      CM/0x63100024
Attempt connection with server "vpn.mycompany.com"

4      10:14:47.921  09/08/11  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 125.30.45.16.

5      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      10:14:47.921  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 125.30.45.16

7      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      10:14:47.953  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      10:14:48.312  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

10     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 125.30.45.16

11     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

12     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

13     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DPD

14     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

15     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

16     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

17     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

18     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 125.30.45.16

19     10:14:48.312  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

20     10:14:48.312  09/08/11  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x04BC, Remote Port = 0x1194

21     10:14:48.312  09/08/11  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

22     10:14:48.312  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     10:14:48.546  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

24     10:14:48.546  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

25     10:14:48.546  09/08/11  Sev=Info/4      CM/0x63100015
Launch xAuth application

26     10:14:48.703  09/08/11  Sev=Info/6      GUI/0x63B00012
Authentication request attributes is Bh.

27     10:14:58.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

28     10:15:00.578  09/08/11  Sev=Info/4      CM/0x63100017
xAuth application returned

29     10:15:00.578  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

30     10:15:03.500  09/08/11  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 125.30.45.16

31     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16

32     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

33     10:15:03.500  09/08/11  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

34     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

35     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

36     10:15:03.546  09/08/11  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Sygate Security Agent, Capability= (Are you There?).

37     10:15:03.546  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16

38     10:15:08.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

39     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

40     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

41     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

42     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

43     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

44     10:15:13.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366585

45     10:15:18.468  09/08/11  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

46     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

47     10:15:18.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366586

48     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

49     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16

50     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 125.30.45.16

51     10:15:23.968  09/08/11  Sev=Info/6      IKE/0x6300003D
Sending DPD request to 125.30.45.16, our seq# = 2187366587

52     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D5191667

53     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

54     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 125.30.45.16

55     10:15:26.968  09/08/11  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=5C7AAA989771EA3B R_Cookie=1DCD2FB8674891D0) reason = DEL_REASON_IKE_NEG_FAILED

56     10:15:26.968  09/08/11  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

57     10:15:26.968  09/08/11  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

58     10:15:26.984  09/08/11  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

59     10:15:26.984  09/08/11  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

60     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

62     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

63     10:15:27.984  09/08/11  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped


It's working fine from most of the locations, but from a few locations it's not working. Is there anything we have to change in the concentrator?
amitabhg
Asked:
 
arnold Commented:
It might be that those locations are blocking the response.
See whether events on the Cisco concentrator match the events on the VPN client from this location.
Presumably the same system with Cisco VPN client 5 taken to another location works without a hitch.
Please confirm that the LOCAL LAN IPs in this location do not overlap with the IPs behind the VPN.

i.e. your VPN Office LANs are 172.16.0.0 255.255.252.0 and 192.168.0.0 255.255.255.0
And unfortunately in the location where there is an issue you have a local IP segment of 172.18.12.0 255.255.255.0.

netstat -rn
ipconfig /all
from the local system at those locations.
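One way to read the client log from the question against the "blocking the response" theory, as an added example that is not part of any post in this thread: it pairs each numbered header with its message, then reports the last packet received from the concentrator, the packet that was never answered, and how long the peer stayed silent. The function names are hypothetical and the sample holds six entries copied from the log above.

```python
import re
from datetime import datetime

# Constructed sample: six entries copied from the client log in the question.
SAMPLE_LOG = """\
31     10:15:03.500  09/08/11  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 125.30.45.16
37     10:15:03.546  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 125.30.45.16
40     10:15:08.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16
42     10:15:13.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16
49     10:15:18.968  09/08/11  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 125.30.45.16
52     10:15:23.968  09/08/11  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=D5191667
"""

HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d{3})\s+\S+\s+Sev=\S+\s+\w+/0x[0-9A-Fa-f]+\s*$")

def parse_entries(text):
    """Pair each numbered header line with the message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            t = datetime.strptime(m.group(2), "%H:%M:%S.%f")
            entries.append({"n": int(m.group(1)), "t": t, "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize_stall(entries):
    """Locate the unanswered packet behind 'retransmission count exceeded'."""
    fail = next((e for e in entries if "retransmission count exceeded" in e["msg"]), None)
    rx = [e for e in entries if fail and e["n"] < fail["n"] and e["msg"].startswith("RECEIVING")]
    if not rx:
        return None  # no failure entry, or the peer never answered at all
    sent = [e for e in entries if rx[-1]["n"] < e["n"] < fail["n"]
            and e["msg"].startswith("SENDING") and " INFO " not in e["msg"]]
    fresh = [e["n"] for e in sent if "(Retransmission)" not in e["msg"]]
    return {"last_received": rx[-1]["n"],
            "unanswered": fresh[-1] if fresh else None,
            "retransmissions": len(sent) - len(fresh),
            "silent_seconds": (fail["t"] - rx[-1]["t"]).total_seconds()}

if __name__ == "__main__":
    print(summarize_stall(parse_entries(SAMPLE_LOG)))
```

The entry number and timestamp of the unanswered packet are what to look for in the concentrator's own event log for the same session.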
 
amitabhg (Author) Commented:
Hi Arnold,

Thank you for your reply.

At our end we are using 10.125.0.0/16.

In the hotel they are getting the IP 10.0.0.10 for the laptop.

What can we do in this situation? Is there any alternative to resolve this issue?

Thanks
 
arnold Commented:
What is the netmask? 255.0.0.0? Default gateway?
What is the IP range for the VPN IP assigned to the VPN client?

Does the VPN use split-tunnel to only secure the specific VPN LAN networks, or does the VPN secure all?

http://www.techrepublic.com/article/fix-10-common-cisco-vpn-problems/5913811
 
amitabhg (Author) Commented:
Sorry for the delay.

Netmask is 255.255.255.0, gateway is 10.0.0.1.

We are not using split tunnel; we are allowing only a few networks through the VPN.

Thanks
Durga
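The overlap check discussed above, as an added example that is not part of any post in this thread: it reads a `netstat -rn` routing table, keeps the on-link subnets, and lists any that overlap the networks behind the VPN. The routing table is constructed from the values given in the thread, the function names are hypothetical, and the parser assumes the Windows XP table layout, where an on-link route shows the interface's own IP as its gateway.

```python
import ipaddress
import re

# Constructed `netstat -rn` output for the hotel laptop, built from the values
# given in the thread (IP 10.0.0.10, netmask 255.255.255.0, gateway 10.0.0.1).
SAMPLE_ROUTES = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10       20
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10       20
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0        10.0.0.10       10.0.0.10       20
Default Gateway:          10.0.0.1
"""

IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+\d+\s*$")

def local_subnets(route_table):
    """Return on-link IPv4 subnets, skipping default, host, loopback and multicast routes."""
    subnets = []
    for line in route_table.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headings, "Default Gateway:" line, blank lines
        dest, mask, gateway, interface = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        on_link = gateway == interface  # assumption: XP-style table layout
        if on_link and 0 < net.prefixlen < 32 and not (net.is_loopback or net.is_multicast):
            subnets.append(net)
    return subnets

def overlaps_with_vpn(route_table, vpn_networks):
    """Pair every local subnet with each VPN-protected network it overlaps."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    return [(str(lan), str(v)) for lan in local_subnets(route_table)
            for v in vpn if lan.overlaps(v)]

if __name__ == "__main__":
    # Values from the thread: the office uses 10.125.0.0/16.
    print(overlaps_with_vpn(SAMPLE_ROUTES, ["10.125.0.0/16"]))
    # The same table with a 255.0.0.0 netmask, the case the netmask question probes.
    wide = SAMPLE_ROUTES.replace("255.255.255.0", "255.0.0.0")
    print(overlaps_with_vpn(wide, ["10.125.0.0/16"]))
```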
 
arnold Commented:
Split tunnel is how you allow few networks. Currently if you do not set split-tunnel specified networks, all traffic is sent through the VPN tunnel.
Look at the client routing table.
Look at the computer's routing table: netstat -rn.
Is the default gateway referencing the VPN IP?
 
amitabhg (Author) Commented:
Hi Arnold,

This issue has been resolved after upgrading the client software from 5.05 to 5.07.

Thanks for your support.
 
amitabhg (Author) Commented:
Arnold has given a clear picture about the VPN client.