New Member

VPN Client 3.6 and IOS Router Version 12.2(8)T5


I have a problem after I have established the connection from the client to the router. The connection will just disconnect itself with the following debug error:

"death by retransmission P2" after a series of "incrementing error counter on sa: retransmit phase 2"

I am using isakmp with authentication rsa-sig. The client can connect to the router with no visible problem, but with the debug, the above error occurs, and after a few seconds "show crypto isakmp sa" will have no entries, while "show crypto ipsec sa" will have entries. Then after a while, the client will auto-disconnect itself even though traffic is running through the tunnel.

Then when I switch to authentication pre-shared, there is NO problem at all. No errors on the debug. I only added a key to the group profile and, on the policy, just added "authentication preshare". And it works. No problem like the above.

I believe it is not a configuration problem. Maybe it is a bug with authentication rsa-sig. Can anyone tell me why? Could it be a CA problem? I am using Microsoft 2000 server and my CA. I installed mscep on it. My clients and router use a URL to enroll the certificates. Not a problem with that.

Please give me some advice on this because I do not want to do authentication pre-share.



Cisco Employee

Re: VPN Client 3.6 and IOS Router Version 12.2(8)T5

Hi Adrian,

Seems like a good option to troubleshoot with a Cisco TAC Engineer, and then if you guys can reproduce this issue with all the debugs, a bug can be opened up, in case one doesn't exist or is being worked on by the development team.

Hope this helps,


Aamir Waheed,

Cisco Systems, Inc.