Cisco Support Community

New Member

Site-to-site VPN between Cisco and Nortel

I am using a Cisco PIX, and on the other end they are using Nortel. I am trying to configure a site-to-site VPN using a pre-shared key, and I am getting

phase 1 duplicate packet

On the other end (Nortel) they are getting invalid cookies


Re: Site-to-site VPN between Cisco and Nortel

Hi Sujeet

Can you post the config here and the exact error logs you are getting over there on your router?

Though I'm not sure about the config at the Nortel end, have you gone through the product specs about IKE config and IPsec config limitations with the Nortel device?

This could be a possible reason for interoperability issues between the devices.


Cisco Employee

Re: Site-to-site VPN between Cisco and Nortel

Hello Sujeet,

The duplicate first packet is an indication that the remote end is resending the initialization offer to your PIX. This means that there is a general disconnect in UDP 500 somewhere between the two peers. This is very often caused by UDP 500 being blocked.

In this case, it sounds as though the Nortel is the initiator of the tunnel. It kicks off the exchange by sending MainMode packet #1 (MM1). The PIX likely receives it, processes it, and sends a reply (MM2) to the Nortel. The Nortel never gets that packet though. We know this, because it resends MM1, as made evident by the duplicate first packet detected message.

So the first place to look is to see if UDP 500 is being blocked on the way back into the Nortel side.

Other possibilities might be that phase 1 attributes are not matching up (if the exchange is failing after MM2). The debugs from the PIX and corresponding Nortel logs should paint a clear picture of exactly where the exchange breaks down.
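The retransmitted MM1 described in the reply above can be confirmed from a packet capture taken on the responder side. The following is an added example, not part of the original thread: it parses the 28-byte ISAKMP header of each UDP 500 payload and reports initiators that send the same first Main Mode packet more than once. The function names, IP addresses, cookies and timestamps are constructed for illustration.

```python
import struct
from collections import defaultdict

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 header, 28 bytes
MAIN_MODE = 2                # exchange type "Identity Protection" (IKEv1 Main Mode)
ZERO_COOKIE = b"\x00" * 8

def parse_isakmp(payload):
    """Return the ISAKMP header fields of one UDP 500 payload, or None if too short."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _next, version, xchg, _flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(payload)
    return {"icookie": icookie, "rcookie": rcookie, "version": version,
            "xchg": xchg, "msg_id": msg_id, "length": length}

def find_mm1_retransmits(packets):
    """packets: iterable of (timestamp, src_ip, udp_payload) received on UDP 500.
    Returns {(src_ip, initiator_cookie_hex): [timestamps]} for each MM1 seen twice or more."""
    seen = defaultdict(list)
    for ts, src, payload in packets:
        hdr = parse_isakmp(payload)
        if hdr is None or hdr["xchg"] != MAIN_MODE:
            continue
        # MM1 is the only Main Mode message whose responder cookie is still all zeros.
        if hdr["rcookie"] == ZERO_COOKIE and hdr["msg_id"] == 0:
            seen[(src, hdr["icookie"].hex())].append(ts)
    return {key: times for key, times in seen.items() if len(times) > 1}

def build_hdr(icookie, rcookie, xchg=MAIN_MODE):
    """Constructed header-only sample packet (version 1.0, no payloads)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, xchg, 0, 0, ISAKMP_HDR.size)

# Constructed capture: one peer keeps resending MM1, another completes the exchange.
STUCK_PEER, HEALTHY_PEER = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    (0.0, STUCK_PEER, build_hdr(b"\xaa" * 8, ZERO_COOKIE)),
    (8.0, STUCK_PEER, build_hdr(b"\xaa" * 8, ZERO_COOKIE)),
    (16.0, STUCK_PEER, build_hdr(b"\xaa" * 8, ZERO_COOKIE)),
    (1.0, HEALTHY_PEER, build_hdr(b"\xbb" * 8, ZERO_COOKIE)),
    (1.2, HEALTHY_PEER, build_hdr(b"\xbb" * 8, b"\xcc" * 8)),  # MM3, cookie now set
    (2.0, HEALTHY_PEER, b"\x00\x01"),                          # truncated, ignored
]

if __name__ == "__main__":
    for (src, cookie), times in find_mm1_retransmits(SAMPLE).items():
        print(f"{src} resent MM1 (initiator cookie {cookie}) at {times}; "
              "check whether the MM2 reply on UDP 500 reaches it")
```

A peer listed in the result has not received MM2, so the next check is the return path for UDP 500 toward that peer.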

