Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
3
Replies

VPN Concentrator L2L tunnel failure

mfurst_aphysci
Level 1
Level 1

‎01-04-2013 11:29 AM

I have some multiple remote nodes but one has recently stopped connecting. I've checked the configuration on both ends and compared to the other nodes which are working fine. The configs are identical yet this one still won't establish an IPSEC connection.

This is what is being logged in the Concentrator:

63929 01/03/2013 20:04:10.210 SEV=5 IKE/172 RPT=3505 XXX.XXX.XXX.XXX

Group [XXX.XXX.XXX.XXX]

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end is NOT behind a NAT device

63933 01/03/2013 20:04:10.310 SEV=4 IKE/92 RPT=2707 XXX.XXX.XXX.XXX

Group [XXX.XXX.XXX.XXX]

Failure during phase 1 rekeying attempt due to collision

This is what's being logged on the remote node:

2013-01-04 11:19:50 ipsec      tfSadbRecordCKFindStateAction: No matching SA found

I've checked the settings for the ISAKMP Lifetime and both ends are set at 86400.

Anyone have any ideas for troubleshooting?

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎01-04-2013 12:21 PM

Hi,

This is a real long shot from my part and only an attempt to get the discussion going on.

I have barely any expirience regarding VPN Concentrators. If you are for example talking about Cisco 3000 series VPN Concentrators (or whatever is their offical name)

What is the device type at the remote location?

Perhaps if the remote end is either PIX or ASA we could get some debugs of the L2L VPN negotiations that could shed some light on the problem.

Even though you say that the configurations match the messages seem to suggest that the devices negotiating cant find matching policys? I have no idea what the "collision" messages refers to.

Have you tried to perhaps reconfigure the connection on the remote end device? Has there been any configuration changes that might in some way affect this connection also? (maybe some setting changed thats shared by multiple connection profiles/groups)

- Jouni

0 Helpful

mfurst_aphysci
Level 1
Level 1
In response to Jouni Forss

‎01-04-2013 01:50 PM

The device at the other end is a Digi cellular modem. We have about 2 dozen of these in total connected to the Concentrator. There's no options for debugging on the remote end. We compared extensively to the others which are working. We've tried to variations on the configuration but still no joy. No config changes on either end and this has been working for a couple years. We were thinking about replacing the remote end unit with a spare we have on hand.

0 Helpful

eoinbarra
Level 1
Level 1
In response to mfurst_aphysci

‎01-06-2013 07:46 AM

it think vith a vpn you have to have to same make for both vpn server and modem i don't think you can use a different companys product like mirsoft with a cisco vpn server look at this video on youtube VPN - Virtual Private Networking

elithecomputerguy

0 Helpful
Customers Also Viewed These Support Documents