Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Dumb question???

I am working on implementing a VPN solution and am having problems connecting from the outside world. Using client 3.6.x, I get the following reply when I try to connect:

2459 12/18/2002 09:19:40.160 SEV=5 IKEDBG/64 RPT=170

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

2461 12/18/2002 09:19:45.180 SEV=4 IKE/0 RPT=103

Duplicate first packet detected!

2462 12/18/2002 09:19:50.190 SEV=4 IKE/0 RPT=104

Duplicate first packet detected!

2463 12/18/2002 09:19:55.190 SEV=4 IKE/0 RPT=105

Duplicate first packet detected!

2464 12/18/2002 09:20:12.380 SEV=4 IKEDBG/65 RPT=136

Group [XXXX]

IKE AM Responder FSM error history (struct &0x5ed0034)

<state>, <event>:




AM_WAIT_MSG3, NullEvent

I am not sure why this is happening or how to get around this problem. I am using a CISCO 3015 and my software is current.

Any help??? Thanks!

Ray Rockholt

Cisco Employee

Re: Dumb question???

Hi Ray,

From the logs looks like the IKE packet are not reaching the client and the client is resending the request again and again.

Where is the user connecting from ?? If the user is behind a Firewall, make sure that the necessary ports and protocols are open and if the user is behind a PAT device, make sure to use IPSec Over UDP or TCP option.



New Member

Re: Dumb question???

The clients are connecting through a dial-up connection. No firewall is in the picture.

I have IPSec configured correctly - just can't figure it out???

Thanks for the reply - any other thoughts???


Cisco Employee

Re: Dumb question???

The "Duplicate first packet detected" simply means the reply the concentrator sent back to the client didn't make it, and so the client has timed out and resent the first ISAKMP packet. The concentrator detects this as a duplicate packet and complains.

You have to see why the packet from the concentrator to the client didn't get there. Is there a personal firewall on the PC? Is there a router/firewall on the outside of this concentrator with access-lists applied? If you connect this PC into the outside interface subnet of the concentrator, does the connection work then? Do you have a default route on the concentrator set to the IP address of the outside router?

CreatePlease to create content