Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Traceroute to vpn concentrator

When trying to connect to a Cisco VPN concentrator through a Checkpoint

firewall (nokia platform with latest service packs )using Cisco VPN client the connection cannot be made.

However if you perform a trace route to the concentrator first it

completes then the next time you try and connect to the concentrator

using vpn client it connects without a problem. Would this be a checkpoint firewall issue?

The external static ip address translation is made on the checkpoint

firewall and it translates to the internal 10. address. Would only the

traceroute trigger the address to be placed into active translations on

the firewall?? The vpn connection times out after 30 minutes then you

have to do another traceroute to get access again.

Any ideas you may have would be greatly appreciated as I do not know much about checkpoint only pix which isn't much help to me!! has this happened to any one else???

Many Thanks

3 REPLIES
Cisco Employee

Re: Traceroute to vpn concentrator

You probably won't find many CheckPoint experts here either :-)

It does sound like the firewall is the problem though just from your description, in that you have to create the translation first by doing the traceroute before you can get your ISAKMP packets through. It also sounds like the translation times out in the CheckPoint after 30 minutes and then has to be rebuilt again.

I'd be checking the translation table and the logs in the CP after you try and connect your tunnel without doing a traceroute first and see what it says.

New Member

Re: Traceroute to vpn concentrator

Don't know if anyoen can help any further but it looks like to me the packet gets through before performing the trace route but the connection does not initiate. Why would there be a duplicate first packet detetected? Why would performing a trace route stop this message??

Below is attempt to connection using the cisco client before I trace route to the concentrator.

3735 02/25/2003 10:21:18.660 SEV=4 IKE/0 RPT=132 195.74.116.176

Duplicate first packet detected!

3736 02/25/2003 10:21:23.670 SEV=4 IKE/0 RPT=133 195.74.116.176

Duplicate first packet detected!

3737 02/25/2003 10:21:28.680 SEV=4 IKE/0 RPT=134 195.74.116.176

Duplicate first packet detected!

Below this point is after a trace route has been completed to the concentrator and then the cisco vpn client connects

3738 02/25/2003 10:21:46.100 SEV=4 IKEDBG/65 RPT=127 195.74.116.176

Group [brunts1]

IKE AM Responder FSM error history (P1 struct &0x1ecea70) , : AM_DONE, EV_ERROR AM_WAIT_MSG3, EV_TIMEOUT AM_WAIT_MSG3, NullEvent AM_SND_MSG2, EV_CRYPTO_ACTIVE

Many Thanks

se
New Member

Re: Traceroute to vpn concentrator

The only time I've seen this 'duplicate first packet detected' error was when I did not have my default gateway configured correctly on my concentrator. Setting the default gateway to the next hop router from the public interface fixed this problem.

Also, you may have a NAT issue. Are you connecting using UDP or TCP?

432
Views
0
Helpful
3
Replies