VPN does not connect to only user, stops at "Negotiating Policies"

Unanswered Question
Nov 22nd, 2008
User Badges:
  • Silver, 250 points or more

I have Cisco 515E ver 6.3, on which I configured remote vpn client profile. All of my 5 clients were able to access my LAN with the remote vpn client profile for all these years. After I upgraded to ver 7.0, Out of 5, One of my client trying to connect Cisco PIX using the vpn dialer, but it stops after "Negotiating Policies". Any Idea. This problem happens only when he is connecting in the following Order.

Laptop-------->Belkin wireless Router---------->Nokia Siemens Router---------->Internet-------->Cisco PIX---------->My LAN

Debug information on PIX during this time

Nov 21 13:33:26 x.x.x.x %PIX-5-713201: Group = remoteclient, IP = x.x.x.x, Duplicate Phase 2 packet detected. Retransmitting last packet

Nov 21 13:33:31 x.x.x.x %PIX-5-713201: Group = remoteclient, IP = x.x.x.x, Duplicate Phase 2 packet detected. Retransmitting last packet.

For other users when they connect directly through the Broad band router who access from different location does have problem.

I was not able to get any idea with the log number on cisco site :-(

This setup was same, when I had ver.6.3 running, during that time he was able to connect & access but not after upgrading my pix ver 7.0. SO as a temporary fix, he was able to connect in this following manner.

Laptop-------->Nokia Siemens Router---------->Internet-------->Cisco PIX---------->My LAN

IP Address Details

Belkin Wi-fi LAN -

Nokia Siemens LAN -

My LAN -

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
yvannpaillet Mon, 11/24/2008 - 00:37
User Badges:


I have the same materiel with you

pix 515E ver 6.3 but i can not connect with my vpn client, i have the following message:

Secure vpn connection terminated localy by client raison 413

yvannpaillet Mon, 11/24/2008 - 00:42
User Badges:

i did forget, please would you like to send my your config so that i could compare with my own config.

many thinks

Jason Gervia Tue, 11/25/2008 - 06:59
User Badges:
  • Cisco Employee,


Check to make sure that 'crypto isakmp nat-traversal' is enabled, and that udp 4500 is allowed from the client to the pix/ASA.


This Discussion