Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
720
Views
0
Helpful
5
Replies

ISP Change Breaks VPN connectivity

ricksharp7
Level 1
Level 1

‎11-12-2005 07:03 AM

Yesturday, my office changed ISP's for the office network. With both ISP's we have a static IP. After the change, I updated our Pix 501 with the new IP/Gateway/Netmask etc.

Everything works with our new ISP (NAT, inbound and outbound rules) except for incoming VPN connections. We are using the Cisco VPN client version 4.0.5.

When we try to connect, there are several errors in the client's log, including:

113 09:58:28.859 11/12/05 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.191.235.75

114 09:58:28.859 11/12/05 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)

122 09:58:48.984 11/12/05 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=7B547781

127 09:59:18.984 11/12/05 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=9E21D7B4888AE395 R_Cookie=BCEB70FBDCF2CE50) reason = DEL_REASON_PEER_NOT_RESPONDING

There is nothing in the Pix PDM log. We have been successfully connecting to this firewall VPN for three months prior. Again, the only configuration change was the ISP info.

Attempting to crrect the problem, we have tried CLEAR XLATE, power cycling the PIX, and creating a new VPN account.

Any input on this would be appreciated.

Labels:
0 Helpful
5 Replies 5

jackko
Level 7
Level 7

‎11-12-2005 07:15 AM

although it's very unusual, however you may need to verify with the new isp as the isp may have restriction on the vpn traffic.

0 Helpful

ricksharp7
Level 1
Level 1
In response to jackko

‎11-12-2005 01:54 PM

I called their tech support, and they are telling me that nothing is blocked.

Attached is our configuration and the connection log from the client. Sensitive info has been replaced by .

Preview file
11 KB
0 Helpful

jackko
Level 7
Level 7
In response to ricksharp7

‎11-12-2005 02:52 PM

couple things you may try. firstly, try applying "isakmp identity address" on the pix.

further, it is not recommended to overlap the vpn client pool and the pix inside net.

0 Helpful

ricksharp7
Level 1
Level 1
In response to ricksharp7

‎11-12-2005 03:00 PM

Problem Solved: Oddly enough, a second power-cycle of the firewall cleared up the problem.

Thanks for the help!

0 Helpful

jackko
Level 7
Level 7
In response to ricksharp7

‎11-12-2005 03:03 PM

i thought v6.3.4 is very stable. anyhow, it's good to learn that your issue has been resolved.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents