I have a problem after I have established the connection from the client to the router. The connection will just disconnect itself with the following debug error:
"death by retransmission P2" after a series of "incrementing error counter on sa: retransmit phase 2"
I am using ISAKMP with authentication rsa-sig. The client can connect to the router with no visible problem, but with the debug, the above error occurs, and after a few seconds "show crypto isakmp sa" will have no entries, but "show crypto ipsec sa" will have entries. Then, after a while, the client will auto-disconnect itself even though traffic is running through the tunnel.
Then when I switch to authentication pre-shared, there is NO problem at all. No errors on the debug. I only added a key to the group profile and on the policy just add "authentication preshare". And it works. No problem like the above.
I believe it is not a configuration problem. Maybe it is a bug with authentication rsa-sig. Can anyone tell me why? Could it be a CA problem? I am using Microsoft 2000 server and my CA. I installed mscep on it. My clients and router use a URL to enroll the certificates. Not a problem with that.
Please give me some advice on this because I do not want to do authentication pre-share.
Re: VPN Client 3.6 and IOS Router Version 12.2(8)T5
Seems like a good option to troubleshoot with a Cisco TAC engineer, and then, if you guys can reproduce this issue with all the debugs, a bug can be opened, in case one doesn't exist or is being worked on by the development team.