New Member

SA520 VPN Gateway unreachable

Hello all,

 

I set up an IPsec VPN connection and everything worked fine. Now I've got the issue that the VPN gateway is not reachable.

 

Here's the log from the client site:

21.03.14 08:23:38  IPSec: Start building connection
21.03.14 08:23:38  IPSec: DNSREQ: resolving GW=<*********.dyndns.org> over lan:
21.03.14 08:23:39  IPSec: DNSREQ resolved vpn ipadr=***.***.***.***
21.03.14 08:23:39  Ike: Outgoing connect request AGGRESSIVE mode - gateway=***.***.***.*** : VPNCONNECTION
21.03.14 08:23:39  Ike: XMIT_MSG1_AGGRESSIVE - VPNCONNECTION
21.03.14 08:24:17  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - VPNCONNECTION.
21.03.14 08:24:17  Ike: phase1:name(VPNCONNECTION) - ERROR - retry timeout - max retries
21.03.14 08:24:17  IPSec: Disconnected from VPNCONNECTION on channel 1.

 

On the VPN/SA520 site I see nothing inside the IPsec log but it worked, definitely! So it's really strange. What could be the reason, any ideas or comparable threads (didn't find anything in this case)?

 

Please let me know if you need more/detailed information.

Thank you ahead of time!

3 REPLIES
Hall of Fame Super Silver

You tell us that it was working and now it is not working. So something must have changed.

 

My first step would be to verify that the VPN gateway is actually on line and available.

 

I notice that it looks like your client is configured to use a name for the VPN gateway. So my next step would be to verify if the DNS lookup is working correctly. Does the IP address that your client gets match up correctly with the IP address currently used on the VPN gateway?

 

If the address from DNS is correct then I would check for IP connectivity between your client and the VPN gateway. I would probably start with something like ping to the address of the VPN gateway.

 

You might also want to check on the possibility that something is filtering out your requests. Are you trying to initiate the VPN from the place where it did work before or are you perhaps in a different place which might have different traffic filters in place?

 

HTH

 

Rick

New Member

Hello Richard,

 

thank you for your reply!

- checked the VPN gateway, it's on line and available

- DNS lookup is fine and the IP address matched up correctly (compared with DynamicDNS inside SA520 console and directly on dyndns.org)

- I'm able to ping the DNS name and the IP address

 

I had a call with my provider - on their site nothing is blocked. So I think you could be right and something is blocked on my device directly or something is filtering the VPN gateway requests out.

 

Thanks,

Sascha.

Hall of Fame Super Silver

Sascha

 

Thank you for the additional information. It is helpful to know that the Gateway is on line and available, and that the name lookup is correct, and that your device can successfully ping the Gateway. I would suggest that the next step might be to contact the administrator of the Gateway and ask them if anything has changed on the Gateway. Also ask if they see anything in their logs about your connection attempt.

 

You might try running debug crypto isakmp. But I suspect that it will only show that you are sending a request and not receiving a response from the Gateway. You might request that the administrator of the Gateway schedule a test with you in which they would run debug crypto isakmp and hope that this would show the cause of the problem.

 

HTH

 

Rick
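
Added example, not part of any reply in this thread: a small triage script that reads the client log from the first post and reports how far the attempt got and how long the client waited for IKE message 2. The function name `triage`, the stage names and the hint texts are made up for this illustration, and the DD.MM.YY timestamp format is an assumption based on the posted log.

```python
import re
from datetime import datetime

# Client log exactly as posted in the thread (addresses were already masked).
SAMPLE_LOG = """\
21.03.14 08:23:38  IPSec: Start building connection
21.03.14 08:23:38  IPSec: DNSREQ: resolving GW=<*********.dyndns.org> over lan:
21.03.14 08:23:39  IPSec: DNSREQ resolved vpn ipadr=***.***.***.***
21.03.14 08:23:39  Ike: Outgoing connect request AGGRESSIVE mode - gateway=***.***.***.*** : VPNCONNECTION
21.03.14 08:23:39  Ike: XMIT_MSG1_AGGRESSIVE - VPNCONNECTION
21.03.14 08:24:17  ERROR - 4021: IKE(phase1) - Could not contact Gateway (No response) in state <Wait for Message 2> - VPNCONNECTION.
21.03.14 08:24:17  Ike: phase1:name(VPNCONNECTION) - ERROR - retry timeout - max retries
21.03.14 08:24:17  IPSec: Disconnected from VPNCONNECTION on channel 1.
"""

# Assumption: timestamps are DD.MM.YY HH:MM:SS, as the posted log suggests.
STAMP = re.compile(r"^(\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d)\s+(.*)$")

HINTS = {
    "start": "No DNS result logged: check name resolution of the gateway first.",
    "dns_resolved": "Name resolved but no IKE packet sent: check the client profile.",
    "ike_msg1_sent": "Message 1 sent; attempt still open or log truncated.",
    "no_ike_reply": "Message 1 left, nothing came back. Ping only proves ICMP; "
                    "check that IKE (UDP 500, UDP 4500 with NAT-T) is not filtered "
                    "and that the gateway logs the incoming request.",
}

def triage(log_text):
    """Find how far one connection attempt got and how long it waited for a reply."""
    stage, sent_at, waited = "start", None, None
    for raw in log_text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue  # skip blank or unparsable lines
        when = datetime.strptime(m.group(1), "%d.%m.%y %H:%M:%S")
        text = m.group(2)
        if "DNSREQ resolved" in text:
            stage = "dns_resolved"
        elif "XMIT_MSG1" in text:
            stage, sent_at = "ike_msg1_sent", when
        elif "No response" in text and "Wait for Message 2" in text:
            stage = "no_ike_reply"
            if sent_at:
                waited = int((when - sent_at).total_seconds())
    return {"stage": stage, "waited_s": waited, "hint": HINTS[stage]}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports that the first IKE packet was sent and the client gave up 38 seconds later without a reply, which is consistent with the gateway's IPsec log staying empty.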
