IKE v1 failing between IPsec VPN client and ASA 9.1(5)12

VICKIE BROWN
Level 1

Log of IPsec VPN client shows:


CM/0x6310000E   Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

IKE/0x6300005E   Client sending a firewall request to concentrator

[DOES NOT RECEIVE IKE/0x6300005D Firewall Policy: Product=Cisco Systems Integrated Client

Firewall, capability=(Centralized Protection Policy)]

IKE/0x63000013   SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to n.n.n.n

IKE/0x63000021   Retransmitting last packet!


Target ASA syslog shows:

[DOES NOT SHOW %ASA-5-713119  PHASE 1 COMPLETED]

%ASA-5-713201  Duplicate Phase 2 packet detected.  Retransmitting last packet.


Can someone offer a theory to explain this?

3 Replies

manish arora
Level 6

It would be helpful if you could post a sanitized version of your firewall's configuration.

thanks

Manish

Unfortunately I can't post more than I already have.  If I knew the protocol/port for a "firewall request" and a "Firewall Policy" response, I could check firewalls for blocks.

Hi Vickie,

I would check the following on the FW:

1> Make sure your transform set has no more than 1 rule set in it.

For example, it should be like:

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

And not like:

crypto map outside_map 11 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

2> Your split tunnel is configured correctly (you are using a standard ACL).

3> Add the following:

crypto ipsec security-association replay window-size 1024

HTH

Manish Arora
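The three items in the reply above are easy to check mechanically against a saved `show running-config`. The script below is an added example, not code posted by anyone in this thread: it parses an ASA config excerpt and flags a crypto-map entry that lists more than one transform set, a split-tunnel network list that points at an extended (or undefined) ACL, and a missing replay window-size command. The two config excerpts are constructed for the example; the names `DYN-RA`, `RA_POLICY` and `SPLIT_TUNNEL` are placeholders, and the long transform-set line is the one quoted in the reply.

```python
import re

# Constructed ASA config excerpt that violates all three checks from the reply.
# The "crypto map outside_map 11" line is the one quoted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 11 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
access-list SPLIT_TUNNEL extended permit ip 10.0.0.0 255.255.255.0 any
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

# Constructed excerpt that follows the reply's advice (placeholder names).
CLEAN_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-RA 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-RA
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
crypto ipsec security-association replay window-size 1024
"""

# Matches both the pre-8.4 "set transform-set" and the 8.4+ "set ikev1 transform-set"
# forms on static and dynamic crypto-map entries; group 3 holds the set names.
TRANSFORM_RE = re.compile(
    r'^crypto (?:dynamic-map|map) (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$')
ACL_RE = re.compile(r'^access-list (\S+) (standard|extended) ')
SPLIT_LIST_RE = re.compile(r'^\s*split-tunnel-network-list value (\S+)$')
REPLAY_RE = re.compile(
    r'^crypto ipsec security-association replay window-size (\d+)$')


def check_config(config_text):
    """Return a list of human-readable findings; an empty list means all checks pass."""
    findings = []
    acl_types = {}      # ACL name -> "standard" | "extended"
    split_acls = []     # ACL names referenced by split-tunnel-network-list
    replay_size = None

    for line in config_text.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            sets = m.group(3).split()
            if len(sets) > 1:
                findings.append(
                    f"crypto map {m.group(1)} seq {m.group(2)} lists "
                    f"{len(sets)} transform sets; trim to one")
            continue
        m = ACL_RE.match(line)
        if m:
            acl_types[m.group(1)] = m.group(2)
            continue
        m = SPLIT_LIST_RE.match(line)
        if m:
            split_acls.append(m.group(1))
            continue
        m = REPLAY_RE.match(line)
        if m:
            replay_size = int(m.group(1))

    # Split-tunnel lists must be standard ACLs, and must actually exist.
    for acl in split_acls:
        kind = acl_types.get(acl)
        if kind != 'standard':
            findings.append(
                f"split-tunnel ACL {acl} is {kind or 'undefined'}; use a standard ACL")

    if replay_size is None:
        findings.append(
            "no 'crypto ipsec security-association replay window-size' configured "
            "(reply suggests 1024)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"== {label} ==")
        for finding in check_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Feed it the output of `show running-config` saved to a file; the checks are deliberately narrow so that a clean result says only that these three specific items look right, not that the tunnel will come up.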