04-13-2004 04:21 AM
Hi,
We have a PIX 515E running FOS 6.2(2). We have a VPN client configured in xauth and IKE config mode. We also have a site-to-site peer using preshared only and with exceptions for the above defined, running on the same external interface.
Site-to-site is OK, but our VPN client gives an error when we enable xauth in the config:
"ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet." and terminates with "user authentication failed".
What could be the problem?
Help deeply appreciated.
Thanks and regards
04-13-2004 08:26 AM
What is your XAUTH? LOCAL? RADIUS?
If it is a Radius server do you see the attempt in the Radius logs?
Can you post a portion of your config?
04-13-2004 10:59 PM
Xauth is RADIUS.
Yes, we see the response in the RADIUS server, but it gives a top-of-loop response after it searches the database and contacts the client (PIX), and gives failure. The username/password combination is valid.
Meanwhile we get the debugs as stated: ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet
"We also have 2 isakmp policies:
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400"
What would this error mean:
Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
with respect to
ISAKMP: encryption... What? 7?
and finally it agrees on
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
when I don't have 3DES configured in the policy?
Can someone throw some light?
Thanks and regards
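As an added example (not code from this thread or from Cisco), a small Python decoder for the phase-1 transform blocks in the debug output above. It reads the numeric encryption value the PIX could not name ("What? 7?", where 7 is AES-CBC in the IANA IKE attribute registry), decodes the big-endian lifetime bytes (0x0 0x20 0xc4 0x9b = 2147483 seconds) and reports which attributes of each proposal differ from the two posted policies; the debug text below is a constructed sample shaped like the thread's output, with both lifetime lines carrying all four bytes.

```python
import re
# IANA IKEv1 "Encryption Algorithm" values (RFC 2409); the PIX prints a bare "What? 7?" for a value it cannot name.
IKE_ENCR = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
# The two isakmp policies posted in the thread (lifetime in seconds).
POLICIES = {1: dict(auth="pre-share", encr="DES-CBC", hash="MD5", group=2, lifetime=86400),
            8: dict(auth="pre-share", encr="DES-CBC", hash="MD5", group=1, lifetime=86400)}
# Constructed sample shaped like the thread's "debug crypto isakmp" output.
DEBUG = """ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b"""

# One pattern per attribute line, with a converter for the captured text.
FIELDS = [
    ("encr", r"encryption\.\.\. What\? (\d+)\?", lambda s: IKE_ENCR.get(int(s), "unknown")),
    ("encr", r"encryption (\S+)", str), ("hash", r"hash (\S+)", str),
    ("group", r"group (\d+)", int), ("auth", r"extended auth (\S+)", str),  # XAUTH form of pre-share
    # Variable-length big-endian attribute: 0x0 0x20 0xc4 0x9b -> 2147483 seconds
    ("lifetime", r"life duration \(VPI\) of (.+)", lambda s: int.from_bytes(bytes(int(b, 16) for b in s.split()), "big")),
]

def parse_transforms(text):
    """Group the debug lines into one dict per proposed phase-1 transform."""
    out, cur = {}, None
    for line in text.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = out.setdefault(int(m.group(1)), {})
        elif cur is not None:
            for key, pat, conv in FIELDS:
                if m := re.search(pat, line):
                    cur[key] = conv(m.group(1))
                    break
    return out

def mismatches(proposal, policy):
    """Attributes on which the proposal fails the policy (empty list = match)."""
    bad = [k for k in ("auth", "encr", "hash", "group") if proposal.get(k) != policy[k]]
    if proposal.get("lifetime", 0) < policy["lifetime"]:  # policy lifetime must not exceed the offer
        bad.append("lifetime")
    return bad
```

With the posted DES/MD5 policies, both proposals report encr and hash mismatches, and transform 9 additionally a group mismatch against policy 8.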
04-14-2004 10:04 AM
"phase 2 packet is a duplicate of a previous packet" means the client had passed the ISAKMP policy phase (phase 1). Something is wrong with the xauth (phase 2). Try to use LOCAL authentication for the xauth. If that works OK with LOCAL, something is wrong between the RADIUS server and the client. If you are using MS IAS Server, make sure only PAP is checked for the authentication protocol.