Phase 2 no apparent success?

thibaus · ‎07-09-2004

I have this behhavior on the following config:

Cisco VPN client 4.0.4 connecting to a 3030 Concentrator that uses external groups on an ACS with all the policy pushed from there. When I try to connect everything seems to be correct the client does not give any indication of errors yet when I look at the concentrator logs I cannot see any evidence that Phase 2 was actually negociated and was successful. After the connection is initiated no traffic seems to come from the tunnel even though both sides try to send some. Here is the log:

fdessart · ‎07-09-2004

Hello,

do you mean you can connect but no traffic is passing through tunnel?

Regarding Phase2, this should be clearly displayed in vpnclient log (set all log levels to "High").

If Phase2 is ok, then check encryption/decryption counters on both sides (client and concentrator).

It also seems you are using UDP encapsulation (not NAT-T). Is this UDP port opened if there is a firewall in between, and on the filter that is applied to Public interface of concentrator.

Hope this helps.

Francois.

thibaus · ‎07-12-2004

Exactly, I can connect but no traffic is coming through the tunnel, from either side.

A lot of packets are encrypted and sent (apparently, at least the counters say so) from both sides but nothing is received.

I will be checking the filter on the concentrator but the firewall in between does not drop anything.

fdessart · ‎07-12-2004

Something must be blocking packets, like an ACL,...or perhaps the ISP.

thibaus · ‎07-14-2004

The external firewall was blocking all outgoing esp packets and since I don't manage that system it took a while to figure out.

Everythign is in working order now

Thanks for the help.

fdessart · ‎07-14-2004

Thanks for your feedback.

Happy your problem is solved.

Francois.