Usually indicates the communication between client and concentrator is only going in one direction, probably due to filtering or routing issues.

Basically the VPN client starts a connection and sends an ISAKMP packet to the concentrator. Concentrator receives it, does whatever it does with it, then sends a reply back to the client. This reply however, never makes it back to the client. The client, after 5 seconds of not receiving anything, resends the first packet again. The concentrator receives this packet, determines that it has already received and replied to it, and so drops it and puts a "duplicate first packet" message in the log. If you look at the client log at the same time, you'll probably see it sending out the first packet, then 5 seconds later retransmitting it.

What you need to look for is that the routing table on the concentrator contains the correct routes that would send this reply back out the Public interface. If it sends it out the Private interface (cause that's what its routing table tells it to do), then the reply is never going to get there.

You also need to make sure that UDP port 500 packets are allowed through in both directions, so check any external routers or firewalls to make sure they're not blocking.