Cisco VPN client error during RADIUS authentication

Hi,

We have a PIX 515E running FOS 6.2(2)... we have a VPN client configured in xauth and IKE config mode. We also have a site-to-site peer using preshared only and with exceptions for the above defined, running on the same external interface.

Site to site is OK, but our VPN client gives an error when we enable xauth in the config

"ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet." and terminates user authentication failed

What could be the problem?

Help deeply appreciated

Thanks and regards


jasobrown

What is your XAUTH? LOCAL? RADIUS?

If it is a Radius server do you see the attempt in the Radius logs?

Can you post a portion of your config?

Xauth is RADIUS

Yes, we see the response in the RADIUS server, but it gives a top of loop response after it searches the database and contacts the client (PIX) and gives failure. The username/password combination is valid.

Meanwhile we get the debugs as stated ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet

"We also have 2 isakmp policies

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400"

what would an error

Checking ISAKMP transform 5 against priority 1 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

with respect to

ISAKMP: encryption... What? 7?

and finally

it agrees on

ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

when I don't have 3DES configured in the policy

Can someone throw some light

Thanx and regards
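
An added example, not part of the original posts: a small Python helper that checks each transform in the quoted debug output against the quoted `isakmp policy` lines on encryption, hash and group. The function names and the normalisation of the debug strings are assumptions made for this example; the sample input is assembled from the lines posted above.

```python
import re

# Sample input assembled from the policy and debug lines quoted in the thread.
CONFIG = """isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1"""
DEBUG = """Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2"""

def norm(value):
    """Normalise a debug attribute; unrecognised IDs become 'unknown(N)'."""
    m = re.fullmatch(r"What\? (\d+)\?", value.strip())
    return f"unknown({m.group(1)})" if m else value.strip().lower().replace("-cbc", "")

def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for prio, key, val in re.findall(r"isakmp policy (\d+) (encryption|hash|group) (\S+)", config):
        policies.setdefault(int(prio), {})[key] = val.lower()
    return policies

def parse_offers(debug):
    """Return {transform number: {attribute: value}} from ISAKMP debug lines."""
    offers, cur = {}, None
    for line in debug.splitlines():
        head = re.search(r"Checking ISAKMP transform (\d+)", line)
        attr = re.search(r"ISAKMP: (encryption|hash|default group)\W+(.*)", line)
        if head:
            cur = offers.setdefault(int(head.group(1)), {})
        elif attr and cur is not None:
            cur[attr.group(1).replace("default ", "")] = norm(attr.group(2))
    return offers

def matching_policies(offer, policies):
    """List the policy priorities whose encryption, hash and group all equal the offer's."""
    return [p for p, want in sorted(policies.items())
            if all(offer.get(k) == v for k, v in want.items())]

def report(config, debug):
    """Map each offered transform number to the policy priorities it matches."""
    policies = parse_policies(config)
    return {n: matching_policies(o, policies) for n, o in parse_offers(debug).items()}

if __name__ == "__main__":
    for n, hits in report(CONFIG, DEBUG).items():
        print(f"transform {n}: matching policies {hits or 'none'}")
```

On the quoted lines, neither transform 5 nor transform 9 matches policy 1 or policy 8 on all three attributes.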

"phase 2 packet is a duplicate of a previous packet" means the client had passed the isakmp policy phase (phase 1). Something is wrong with the xauth (phase 2). Try to use LOCAL authentication for the xauth. If that works OK with LOCAL, something is wrong between the RADIUS server and the client. If you are using MS IAS Server, make sure only PAP is checked for the authentication protocol.