VPN client passes phase1, fails on phase2

mpferderer
Level 1

Hi,

I'm trying to connect a VPN client 4.0.3(C) to a PIX506. The PIX 506 has 3 other PIX501s already connecting to it statically as well as 2 501s dynamically.

Here is the client log just a bit before it establishes phase 1 all the way to the end:

244 09:17:09.026 12/11/03 Sev=Info/4 IKE/0x63000082

IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

245 09:17:09.026 12/11/03 Sev=Info/5 IKE/0x63000071

Automatic NAT Detection Status:

Remote end IS behind a NAT device

This end IS behind a NAT device

246 09:17:09.026 12/11/03 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

247 09:17:09.026 12/11/03 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

248 09:17:09.056 12/11/03 Sev=Info/5 IKE/0x6300005D

Client sending a firewall request to concentrator

249 09:17:09.056 12/11/03 Sev=Info/5 IKE/0x6300005C

Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

250 09:17:09.056 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 60.122.144.158

251 09:17:10.879 12/11/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 60.122.144.158

252 09:17:10.879 12/11/03 Sev=Warning/2 IKE/0xE3000099

Responder cookie must be empty (PacketReceiver:765)

253 09:17:14.214 12/11/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

254 09:17:14.214 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 60.122.144.158

255 09:17:19.221 12/11/03 Sev=Info/6 IKE/0x63000054

Sent a keepalive on the IPSec SA

256 09:17:19.221 12/11/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

257 09:17:19.221 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 60.122.144.158

258 09:17:23.968 12/11/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 60.122.144.158

259 09:17:23.968 12/11/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (Retransmission) from 60.122.144.158

260 09:17:23.968 12/11/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

261 09:17:23.968 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(Retransmission) to 60.122.144.158

262 09:17:24.228 12/11/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

263 09:17:24.228 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 60.122.144.158

264 09:17:29.235 12/11/03 Sev=Info/6 IKE/0x63000054

Sent a keepalive on the IPSec SA

265 09:17:29.235 12/11/03 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=9F7E0889

266 09:17:29.235 12/11/03 Sev=Info/6 IKE/0x6300003D

Sending DPD request to 60.122.144.158, seq# = 2183134406

267 09:17:29.235 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 60.122.144.158

268 09:17:29.235 12/11/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=D3F857F72C3D4B11 R_Cookie=646CC86ACB63E826) reason = DEL_REASON_IKE_NEG_FAILED

269 09:17:29.235 12/11/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 60.122.144.158

270 09:17:32.240 12/11/03 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=D3F857F72C3D4B11 R_Cookie=646CC86ACB63E826) reason = DEL_REASON_IKE_NEG_FAILED

271 09:17:32.240 12/11/03 Sev=Info/4 CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

272 09:17:32.240 12/11/03 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

273 09:17:32.270 12/11/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

274 09:17:32.280 12/11/03 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully

275 09:17:32.290 12/11/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

276 09:17:32.290 12/11/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

277 09:17:32.290 12/11/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

278 09:17:32.290 12/11/03 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

279 12:22:44.278 12/11/03 Sev=Info/6 IKE/0x6300006F

Stateful Firewall (Always On) was started.

280 12:22:56.716 12/11/03 Sev=Info/4 PPP/0x63200015

Processing enumerate phone book entries command

281 12:22:57.097 12/11/03 Sev=Info/4 PPP/0x6320000D

Retrieved 8 dial entries

Can anyone tell me what may be wrong?

Thank you,

Mike

1 Reply 1

jbayuka
Level 5

Check all your IPSec parameters on both sides of the network. This could be because of a simple parameter mismatch.
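
An added example, not part of the original thread and not Cisco code: a small Python parser for the client log format posted in the question. It pairs each header line with its message lines and pulls out the negotiation milestones to hold against the PIX configuration; the function names and summary keys are assumptions of this example, and the sample is an excerpt of the posted log.

```python
import re

# Record header: "<seq> <time> <date> Sev=<name>/<n> <component>/<code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$")

def parse_records(text):
    """Attach each run of message lines to the header line that precedes it."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": []})
        elif records:
            records[-1]["msg"].append(line)
    return records

def summarize(records):
    """Collect the milestones to compare against the peer's configuration."""
    s = {"phase1_up": False, "nat": [], "phase2_timeout": None, "warnings": []}
    for r in records:
        msg = " ".join(r["msg"])
        if msg.startswith("Established Phase 1 SA"):
            s["phase1_up"] = True
        if msg.startswith("Automatic NAT Detection Status"):
            s["nat"] = r["msg"][1:]          # one line per tunnel end
        if m := re.search(r"Phase-2 retransmission count exceeded: MsgID=(\w+)", msg):
            s["phase2_timeout"] = (r["time"], m.group(1))
        if r["sev"] == "Warning":
            s["warnings"].append((r["seq"], msg))
    return s

# Excerpt of the client log posted in the question (blank lines removed).
SAMPLE = """\
245 09:17:09.026 12/11/03 Sev=Info/5 IKE/0x63000071
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
246 09:17:09.026 12/11/03 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
252 09:17:10.879 12/11/03 Sev=Warning/2 IKE/0xE3000099
Responder cookie must be empty (PacketReceiver:765)
265 09:17:29.235 12/11/03 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=9F7E0889
"""

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```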