Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Dumb question???

I am working on implementing a VPN solution and am having problems connecting from the outside world. Using client 3.6.x, I get the following reply when I try to connect:

2459 12/18/2002 09:19:40.160 SEV=5 IKEDBG/64 RPT=170 xxx.xxx.xxx.xx

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: False

2461 12/18/2002 09:19:45.180 SEV=4 IKE/0 RPT=103 xxx.xxx.xxx.xx

Duplicate first packet detected!

2462 12/18/2002 09:19:50.190 SEV=4 IKE/0 RPT=104 xxx.xxx.xxx.xx

Duplicate first packet detected!

2463 12/18/2002 09:19:55.190 SEV=4 IKE/0 RPT=105 xxx.xxx.xxx.xx

Duplicate first packet detected!

2464 12/18/2002 09:20:12.380 SEV=4 IKEDBG/65 RPT=136 xxx.xxx.xxx.xx

Group [XXXX]

IKE AM Responder FSM error history (struct &0x5ed0034)

<state>, <event>:

AM_DONE, EV_ERROR_CONT

AM_DONE, EV_ERROR

AM_WAIT_MSG3, EV_TIMEOUT

AM_WAIT_MSG3, NullEvent

I am not sure why this is happening or how to get around this problem. I am using a CISCO 3015 and my software is current.

Any help??? Thanks!

Ray Rockholt

3 REPLIES
Cisco Employee

Re: Dumb question???

Hi Ray,

From the logs looks like the IKE packet are not reaching the client and the client is resending the request again and again.

Where is the user connecting from ?? If the user is behind a Firewall, make sure that the necessary ports and protocols are open and if the user is behind a PAT device, make sure to use IPSec Over UDP or TCP option.

Regards,

Arul

New Member

Re: Dumb question???

The clients are connecting through a dial-up connection. No firewall is in the picture.

I have IPSec configured correctly - just can't figure it out???

Thanks for the reply - any other thoughts???

Ray

Cisco Employee

Re: Dumb question???

The "Duplicate first packet detected" simply means the reply the concentrator sent back to the client didn't make it, and so the client has timed out and resent the first ISAKMP packet. The concentrator detects this as a duplicate packet and complains.

You have to see why the packet from the concentrator to the client didn't get there. Is there a personal firewall on the PC? Is there a router/firewall on the outside of this concentrator with access-lists applied? If you connect this PC into the outside interface subnet of the concentrator, does the connection work then? Do you have a default route on the concentrator set to the IP address of the outside router?

104
Views
0
Helpful
3
Replies
CreatePlease to create content