Usually indicates the communication between client and concentrator is only going in one direction, probably due to filtering or routing issues.
Basically the VPN client starts a connection and sends an ISAKMP packet to the concentrator. Concentrator receives it, does whatever it does with it, then sends a reply back to the client. This reply however, never makes it back to the client. The client, after 5 seconds of not receiving anything, resends the first packet again. The concentrator receives this packet, determines that it has already received and replied to it, and so drops it and puts a "duplicate first packet" message in the log. If you look at the client log at the same time, you'll probably see it sending out the first packet, then 5 seconds later retransmitting it.
What you need to look for is that the routing table on the concentrator contains the correct routes that would send this reply back out the Public interface. If it sends it out the Private interface (cause that's what its routing table tells it to do), then the reply is never going to get there.
You also need to make sure that UDP port 500 packets are allowed through in both directions, so check any external routers or firewalls to make sure they're not blocking.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :