I set up an IPsec VPN connection and everything worked fine. Now I've got the issue that the VPN gateway is not reachable.
Here's the log from the client site:
21.03.14 08:23:38 IPSec: Start building connection
21.03.14 08:23:38 IPSec: DNSREQ: resolving GW=<*********.dyndns.org> over lan:
21.03.14 08:23:39 IPSec: DNSREQ resolved vpn ipadr=***.***.***.***
21.03.14 08:23:39 Ike: Outgoing connect request AGGRESSIVE mode - gateway=***.***.***.*** : VPNCONNECTION
21.03.14 08:23:39 Ike: XMIT_MSG1_AGGRESSIVE - VPNCONNECTION
21.03.14 08:24:17 ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - VPNCONNECTION.
21.03.14 08:24:17 Ike: phase1:name(VPNCONNECTION) - ERROR - retry timeout - max retries
21.03.14 08:24:17 IPSec: Disconnected from VPNCONNECTION on channel 1.
On the VPN/SA520 site I see nothing inside the IPsec log but it worked, definitely! So it's really strange. What could be the reason, any ideas or comparable threads (didn't find something in this case)?
Please let me know if you need more/detailed information.
You tell us that it was working and now it is not working. So something must have changed.
My first step would be to verify that the VPN gateway is actually on line and available.
I notice that it looks like your client is configured to use a name for the VPN gateway. So my next step would be to verify if the DNS lookup is working correctly. Does the IP address that your client gets match up correctly with the IP address currently used on the VPN gateway?
If the address from DNS is correct then I would check for IP connectivity between your client and the VPN gateway. I would probably start with something like ping to the address of the VPN gateway.
You might also want to check on the possibility that something is filtering out your requests. Are you trying to initiate the VPN from the place where it did work before or are you perhaps in a different place which might have different traffic filters in place?
Thank you for the additional information. It is helpful to know that the Gateway is on line and available, and that the name lookup is correct, and that your device can successfully ping the Gateway. I would suggest that the next step might be to contact the administrator of the Gateway and ask them if anything has changed on the Gateway. Also ask if they see anything in their logs about your connection attempt.
You might try running debug crypto isakmp. But I suspect that it will only show that you are sending a request and not receiving a response from the Gateway. You might request that the administrator of the Gateway schedule a test with you in which they would run debug crypto isakmp and hope that this would show the cause of the problem.
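An added example, not part of the thread: a small parser for client log lines in the format quoted in the question, which reports the resolved gateway address, the state in which phase 1 stalled, and how long the client waited after sending message 1. The log below is a constructed sample (the hostname and address are documentation placeholders), and the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the client log quoted in the thread
# (hostname and address are documentation placeholders, not from the thread).
SAMPLE_LOG = """\
21.03.14 08:23:38 IPSec: Start building connection
21.03.14 08:23:38 IPSec: DNSREQ: resolving GW=<vpn.example.org> over lan:
21.03.14 08:23:39 IPSec: DNSREQ resolved vpn ipadr=192.0.2.10
21.03.14 08:23:39 Ike: Outgoing connect request AGGRESSIVE mode - gateway=192.0.2.10 : VPNCONNECTION
21.03.14 08:23:39 Ike: XMIT_MSG1_AGGRESSIVE - VPNCONNECTION
21.03.14 08:24:17 ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - VPNCONNECTION.
21.03.14 08:24:17 Ike: phase1:name(VPNCONNECTION) - ERROR - retry timeout - max retries
21.03.14 08:24:17 IPSec: Disconnected from VPNCONNECTION on channel 1.
"""

LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def triage(log_text):
    """Summarise where an IKE phase 1 attempt stalled, from client log lines."""
    info = {"gateway_name": None, "resolved_ip": None, "first_xmit": None,
            "error_code": None, "stalled_state": None, "wait_seconds": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines without a leading timestamp
        ts = datetime.strptime(m.group(1), "%d.%m.%y %H:%M:%S")
        msg = m.group(2)
        if (g := re.search(r"GW=<([^>]+)>", msg)):
            info["gateway_name"] = g.group(1)
        elif (g := re.search(r"resolved vpn ipadr=(\S+)", msg)):
            info["resolved_ip"] = g.group(1)
        elif "XMIT_MSG1" in msg and info["first_xmit"] is None:
            info["first_xmit"] = ts
        elif (g := re.search(r"ERROR - (\d+): IKE\(phase1\).*in state <([^>]+)>", msg)):
            info["error_code"], info["stalled_state"] = g.group(1), g.group(2)
            if info["first_xmit"]:
                info["wait_seconds"] = (ts - info["first_xmit"]).total_seconds()
    # DNS worked and message 1 left, but no reply arrived: what remains are the
    # checks from the replies (gateway up? address current? path filtered?).
    info["no_reply_to_msg1"] = (info["resolved_ip"] is not None
                                and info["stalled_state"] == "Wait for Message 2")
    return info

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The resolved address it prints is the value to compare against the gateway's current public address, as suggested in the first reply.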