03-20-2015 02:22 PM - edited 02-21-2020 08:08 PM
Log of IPsec VPN client shows:
CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
IKE/0x6300005E Client sending a firewall request to concentrator
[DOES NOT RECEIVE IKE/0x6300005D Firewall Policy: Product=Cisco Systems Integrated Client Firewall, capability=(Centralized Protection Policy)]
IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to n.n.n.n
IKE/0x63000021 Retransmitting last packet!
Target ASA syslog shows:
[DOES NOT SHOW %ASA-5-713119 PHASE 1 COMPLETED]
%ASA-5-713201 Duplicate Phase 2 packet detected. Retransmitting last packet.
Can someone offer a theory to explain this?
03-20-2015 04:12 PM
It would be helpful if you could post a sanitized version of your firewall's configuration.
thanks
Manish
03-23-2015 07:59 AM
Unfortunately I can't post more than I already have. If I knew the protocol/port for a "firewall request" and a "Firewall Policy" response, I could check firewalls for blocks.
03-23-2015 03:32 PM
Hi Vickie,
I would check the following on the FW:
1> Make sure your transform set has no more than 1 rule set in it.
For example, it should be like:
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
And not like:
crypto map outside_map 11 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
2> Your split tunnel is configured correctly (you are using a standard ACL).
3> Add the following:
crypto ipsec security-association replay window-size 1024
HTH
Manish Arora
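The three checks in the answer above, as an added example that is not part of the thread: a small Python lint over a sanitized ASA running-config that flags crypto map entries listing more than one transform set, a split-tunnel network list that is not a standard ACL, and a missing replay window-size line. The sample config is constructed with hypothetical names and addresses, not taken from the poster's firewall.

```python
import re

# Constructed sample of a sanitized ASA config (hypothetical names/addresses,
# not the poster's firewall). It deliberately trips all three checks.
SAMPLE_CONFIG = """\
access-list SPLIT_TUNNEL extended permit ip 10.1.0.0 255.255.0.0 any
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 11 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

# "set transform-set" (older ASA) and "set ikev1 transform-set" are both matched.
TS_LINE = re.compile(r"^crypto ((?:dynamic-)?map) (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")
ACL_LINE = re.compile(r"^access-list (\S+) (standard|extended) ")
SPLIT_LINE = re.compile(r"^\s*split-tunnel-network-list value (\S+)$")
REPLAY_LINE = "crypto ipsec security-association replay window-size 1024"

# Returns one finding string per problem, in check order: transform sets,
# split-tunnel ACL type, replay window. An empty list means all three pass.
def lint_ra_vpn_config(config: str) -> list:
    findings = []
    acl_types = {}      # ACL name -> "standard" | "extended"
    split_acls = []     # ACL names referenced by split-tunnel-network-list
    has_replay = False
    for raw in config.splitlines():
        line = raw.rstrip()
        m = TS_LINE.match(line)
        if m:
            names = m.group(4).split()
            if len(names) > 1:
                findings.append(f"crypto {m.group(1)} {m.group(2)} {m.group(3)}: "
                                f"{len(names)} transform sets listed ({', '.join(names)}); keep one")
            continue
        m = ACL_LINE.match(line)
        if m:
            acl_types.setdefault(m.group(1), m.group(2))
            continue
        m = SPLIT_LINE.match(line)
        if m:
            split_acls.append(m.group(1))
            continue
        if line == REPLAY_LINE:
            has_replay = True
    for acl in split_acls:
        kind = acl_types.get(acl)
        if kind != "standard":
            findings.append(f"split-tunnel ACL {acl} is {kind or 'missing'}; use a standard ACL")
    if not has_replay:
        findings.append(f"missing: {REPLAY_LINE}")
    return findings
```

Feed it the output of `show running-config` (sanitized) as a string; each finding names the line or object to fix.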