Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
682
Views
0
Helpful
3
Replies

Traceroute to vpn concentrator

datsungtir
Level 1
Level 1

‎02-25-2003 08:19 AM - edited ‎02-21-2020 12:22 PM

When trying to connect to a Cisco VPN concentrator through a Checkpoint

firewall (nokia platform with latest service packs )using Cisco VPN client the connection cannot be made.

However if you perform a trace route to the concentrator first it

completes then the next time you try and connect to the concentrator

using vpn client it connects without a problem. Would this be a checkpoint firewall issue?

The external static ip address translation is made on the checkpoint

firewall and it translates to the internal 10. address. Would only the

traceroute trigger the address to be placed into active translations on

the firewall?? The vpn connection times out after 30 minutes then you

have to do another traceroute to get access again.

Any ideas you may have would be greatly appreciated as I do not know much about checkpoint only pix which isn't much help to me!! has this happened to any one else???

Many Thanks

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎02-25-2003 03:24 PM

You probably won't find many CheckPoint experts here either :-)

It does sound like the firewall is the problem though just from your description, in that you have to create the translation first by doing the traceroute before you can get your ISAKMP packets through. It also sounds like the translation times out in the CheckPoint after 30 minutes and then has to be rebuilt again.

I'd be checking the translation table and the logs in the CP after you try and connect your tunnel without doing a traceroute first and see what it says.

0 Helpful

datsungtir
Level 1
Level 1
In response to gfullage

‎02-26-2003 01:01 AM

Don't know if anyoen can help any further but it looks like to me the packet gets through before performing the trace route but the connection does not initiate. Why would there be a duplicate first packet detetected? Why would performing a trace route stop this message??

Below is attempt to connection using the cisco client before I trace route to the concentrator.

3735 02/25/2003 10:21:18.660 SEV=4 IKE/0 RPT=132 195.74.116.176

Duplicate first packet detected!

3736 02/25/2003 10:21:23.670 SEV=4 IKE/0 RPT=133 195.74.116.176

Duplicate first packet detected!

3737 02/25/2003 10:21:28.680 SEV=4 IKE/0 RPT=134 195.74.116.176

Duplicate first packet detected!

Below this point is after a trace route has been completed to the concentrator and then the cisco vpn client connects

3738 02/25/2003 10:21:46.100 SEV=4 IKEDBG/65 RPT=127 195.74.116.176

Group [brunts1]

IKE AM Responder FSM error history (P1 struct &0x1ecea70) , : AM_DONE, EV_ERROR AM_WAIT_MSG3, EV_TIMEOUT AM_WAIT_MSG3, NullEvent AM_SND_MSG2, EV_CRYPTO_ACTIVE

Many Thanks

0 Helpful

se
Level 1
Level 1
In response to datsungtir

‎02-28-2003 02:47 PM

The only time I've seen this 'duplicate first packet detected' error was when I did not have my default gateway configured correctly on my concentrator. Setting the default gateway to the next hop router from the public interface fixed this problem.

Also, you may have a NAT issue. Are you connecting using UDP or TCP?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents