01-04-2013 11:29 AM
I have multiple remote nodes, but one has recently stopped connecting. I've checked the configuration on both ends and compared it to the other nodes, which are working fine. The configs are identical, yet this one still won't establish an IPSEC connection.
This is what is being logged in the Concentrator:
63929 01/03/2013 20:04:10.210 SEV=5 IKE/172 RPT=3505 XXX.XXX.XXX.XXX
Group [XXX.XXX.XXX.XXX]
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
63933 01/03/2013 20:04:10.310 SEV=4 IKE/92 RPT=2707 XXX.XXX.XXX.XXX
Group [XXX.XXX.XXX.XXX]
Failure during phase 1 rekeying attempt due to collision
This is what's being logged on the remote node:
2013-01-04 11:19:50 ipsec tfSadbRecordCKFindStateAction: No matching SA found
I've checked the settings for the ISAKMP Lifetime and both ends are set at 86400.
Anyone have any ideas for troubleshooting?
01-04-2013 12:21 PM
Hi,
This is a real long shot on my part and only an attempt to get the discussion going.
I have barely any experience regarding VPN Concentrators. If you are for example talking about Cisco 3000 series VPN Concentrators (or whatever is their official name)
What is the device type at the remote location?
Perhaps if the remote end is either PIX or ASA we could get some debugs of the L2L VPN negotiations that could shed some light on the problem.
Even though you say that the configurations match, the messages seem to suggest that the devices negotiating can't find matching policies? I have no idea what the "collision" message refers to.
Have you tried to perhaps reconfigure the connection on the remote end device? Have there been any configuration changes that might in some way affect this connection also? (maybe some setting changed that's shared by multiple connection profiles/groups)
- Jouni
01-04-2013 01:50 PM
The device at the other end is a Digi cellular modem. We have about 2 dozen of these in total connected to the Concentrator. There are no options for debugging on the remote end. We compared extensively to the others which are working. We've tried variations on the configuration but still no joy. No config changes on either end, and this has been working for a couple of years. We were thinking about replacing the remote end unit with a spare we have on hand.
01-06-2013 07:46 AM
I think with a VPN you have to have the same make for both VPN server and modem. I don't think you can use a different company's product, like Microsoft with a Cisco VPN server. Look at this video on YouTube: VPN - Virtual Private Networking