Duplicate first detected package - VPN 3005

Similar Questions

• Can a VPN 3005 cause multiple IP addresses on the external interface?

  Nice day

  Can a VPN 3005 cause several IPS on an external interface?

  I expect to use it in an environment that has 2 ADSL connections to an internet service provider. For the sake of the exercise, we could call them ROUTER1 and ROUTER2.

  We have a few VPN we always want to spend by ROUTER1 and some VPN we always want going through ROUTER2.

  Is this possible?

  Thank you very much

  No, not possible, sorry.

• Client VPN vs VPN 3005 concentrator using the Dial - up Internet GPRS connection

  Hello!

  I'm in trouble by using the GPRS Internet connection. I installed a VPN Client to connect to our VPN 3005 and it works fine but only using a V.90 Internet Dial-up regular connection. When I use GPRS I have access to the Internet, my VPN Client to connect successfully to the VPN3005, but I get no access to the Remote LAN (not even the ping test!). Can the overhead of 3DES cause something to do with this topic?

  Kind regards

  Russ

  I also activated the udp encapsulation mode, however I notice that the success rate for the vpn full implementation of IKE (complete Exchange of keys and connection) is only abt 50% of no. some trys. I wonder if you have such an experience... Not sure it's because of the latency in GPRS.

• VPN 3005 remote access concentrator

  I inherited 2 VPN 3005 one in production with a weird config, probably because the one who set up was having a similar problem. The other I'm trying to configure correctly and will then move users who him. It has a public IP address and the private port has an address on the local network. I have installed a swimming pool with a different subnet. My client connects but cannot get on the local network. I ping the local of the 3005 but nothing past interface.

  Thank you

  Eric

  Hello

  As I understand it, the tunnel is to establish properly (so no problem on the VPN config).

  If you check under surveillance | Sessions make you see the session to set up remote access? Also see packets received/transmitted?

  I would check that the internal LAN has a default gateway pointing to the internal IP address of the hub (or at least a route to access) to be able to send packets to the VPN clients.

  Federico.

• Router VPN 3005 and 7500

  Hi all

  Could you someboy help me on that?

  I have a network like this:

  Internet Internet

  | |

  router VPN - 3005

  |

  Internal

  I can set up Lan to Lan VPN 3005 and other PIX aside, but I can't ping internal network with the back of my internal network. I've already put the static route to the subnet of setbacks in the router and my subnet route internal VPN. What should I do? Thanks in advance.

  Banlan

  in fact the 3000 can do a ping will depend on your network-lists / lists access so that my not be a relevant question.

• Update IOS for vpn 3005

  I use this version of ios on vpn 3005:

  vpn3005 - 4.0.4.A - k9.bin

  What is the upgrade that I need to perform:

  vpn3005 - 4.1.7.O - k9.bin GOLD

  vpn3005 - 4.7.2.I - k9.bin

  Please advise,

  Aurélie neslie

  Yanic,

  In your case, you can improve is updated the VPN3005 to 4.1 or 4.7 and both should be OK. Make sure you have enough RAM to upgrade to 4.1 code or 4.7 and read the detailed release notes to avoid surprises

  Release notes:

  4.1

  http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/4_1/417fcn3k.htm#wp28723

  4.7

  http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/vpn3000/4_7/472con3k.htm

  I hope it helps.

  Kind regards

  Arul

  * Please note all useful messages *.

• PIX 515e VPN 3005 concentrator cannot pass phase 1

  My list of vpn access increases, so I know that it is correct. IM testing with ping. Debug configurations and follow. Remote location through VPN connection attempt with THE. Thanks to all who can help. His failure in the first phase which means configuration mess up, but I can't find a miss-match for me? Maybe ive been looking at this for a long time.

  Pix515e config:

  ----------------

  Crypto ipsec transform-set esp - esp-md5-hmac aptset

  aptmap 10 ipsec-isakmp crypto map

  aptmap 10 correspondence address vpn crypto card

  card crypto aptmap 10 peers set yyy.xxx.xxx.131

  card crypto aptmap 10 transform-set aptset

  aptmap interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address yyy.xxx.xxx.131 netmask 255.255.255.255

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Debugs ipsec, isakmp, ca

  -------------------------

  Peer VPN: ISAKMP: approved new addition: ip:yyy.xxx.xxx.131 Total VPN peer: 1

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt is incremented to peers: 1 Total peer VPN: 1

  ISAKMP (0): early changes of Main Mode

  ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.

  local (identity) = zzz.xxx.xxx.226, distance = yyy.xxx.xxx.131,

  local_proxy = 192.168.33.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 192.168.65.0/255.255.255.0/0/0 (type = 4)

  ISAKMP (0): retransmission of phase 1...

  ISAKMP (0): delete SA: src zzz.xxx.xxx.226 dst yyy.xxx.xxx.131

  ISADB: Reaper checking HIS 0x81377ad8, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt decremented to peers: 0 Total of VPN peer: 1

  Peer VPN: ISAKMP: deleted peer: ip:yyy.xxx.xxx.131 VPN peer Total: 0

  results of ' show crypto isamkp his. "

  -----------------------------------

  Total: 1

  Embryonic: 1

  Src DST in the meantime created State

  YYY.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0

  Error messages on the concentrator 3005

  ------------------------------------

  11:14:47.640 57 07/01/2004-SEV = 4 RPT IKE/48 = 23 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  11:15:02.770 58 07/01/2004-SEV = 4 RPT IKE/48 = 24 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  3005 page concentrator Lan-To-Lan settings

  -----------------------

  Activated

  External interface

  Answer only

  YYY.xxx.xxx.226 peer

  Digital cert: no (use preshared keys)

  Transmission of the CERT: (full certification chain)

  Preshared key: {same on pix}

  AUTH: esp, md5, hmac-128

  encryption: des-56

  proposal of IKE: IKE-DES-MD5

  Filter: none

  IPSec NAT - T not verified

  No bandwidth policy

  Routing: no

  I noticed that you have a lifetime and a pfs group configured on the pix. The pfs group is 2 which I think will not work with-although I'm not positive, as I have only used with 3des. Diffie-Hellman Group1 should work with simple.

  In any case, recheck the config vpn 3000 to see if a group and life expectancy have been speced on config. If not, or if you are not sure, then remove the two outside the pix and run the command of his clear cry on the pix. Then try again and let me know what you find.

• Cannot access Internet on VPN 3005 concentrator

  I installed a new concentrator 3005. I am able to connect using the Cisco VPN client. Everything seems to work except the Internet. I am able to access everything in the local network, including local intranet Web pages. If I try to access Web pages on the outside, it does not. Any ideas?

  OK, so it seems there is a configuration or a problem with routing somewhere. Concentrator vpn routing table look like? Is there a default route set correctly? You can use ping to ping the default gateway?

  NAT is used? Is it possible the problem is that packages are not properly natted out to internet?

• VPN 3005 concentrator Web Administration fails

  I have a vpn concentrator 3005 I can't connect to the web administration page. When I have the access concentrator, I get an HTTP 403 forbidden error. IE, the details of the error is "this error (HTTP 403 Forbidden) means that Internet Explorer was able to connect on the site, but it doesn't have permission to view the Web page." I tried several machines and Firefox as well, but all give the same error. I have no problem with the administration via telnet, but wishes to get the web interface works again. I even tried updating the hub to 4.7.2.P (from 4.7.2.O), but it does not solve the problem either. I also noticed an error in the event log which shows demand and an error HTTP 404 not found (/). Any ideas?

  On your interfaces, for example, "Configuration | Interfaces | Ethernet 1 ", on the WebVPN tab you have the check box for"allow management HTTPS sessions "?

• Recovery password: VPN 3005 concentrator

  How 3005 Concentrator VPN admin password.

  Here is the procedure

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_password_recovery09186a008009434f.shtml

• Dead Peer detection on VPN client

  Hello world

  I know that we can DPD over Anyconnect SSL config on cisco ASA.

  You need to know we can configure the DPD on VPN on your PC as client?

  Concerning

  MAhesh

  Mahesh,

  DPD for ASA-side and Client-side detection are configured in the group policy on the ASA.

  Here is a link to the section of the configuration guide and below a photo of the place where it is ASDM:

  capture.jpg

  

• VPN 3005

  I have a couple of site to site vpn is configured. Is it possible to set up an event that will detect when a tunnel from site to site is to send an email? If so, I would be grateful for a point in the right direction. Thank you.

  Sorry, the path is

  configuration-> system-> events-> classes

• How to export the list of internal users from VPN 3005 concentrator?

  I would like to be able to export the list of users for the purpose of documentation. Is this possible to do with the 3005?

  Thank you

  Raul

  It's not easy passing just to get the list of name of user, but you can get the whole config and then grab users ot there in a couple of ways.

  In XML format, which is easier to read, go to Admin - Mgmt - XML Export file and export the config file to any file name. Then under the file Mgmt section this file that will appear in a separate window. Search to find the sections of the user names and passwords.

  Text (a bit like an in the Windows .ini file), go to settings to access Admin - rights of access - and no Config File Encryption value. Save the configuration. Then go to file Mgmt and display the CONFIGURATION file, search for [user *. 1] to find all of the names of users and their values. This way is not very useful to be honest.

• Debug explanations?

  Are there explanations of debug as there are for the syslog from a pix.

  I see this on my 3030. Any suggestions of what it could be. This user can enter normally. She is on a connection, it uses not normally.

  10/24/2002 51575 11:57:25.440 SEV = 7 RPT AUTH/12 = 3207

  Authentication login: manage = 134

  51576 10/24/2002 11:57:25.540 SEV = 6 RPT AUTH/41 = 2458 xxx.xxx.xxx.34

  Successful authentication: handle = 134, Server internal =, group = test

  10/24/2002 51577 11:57:25.540 SEV = 7 RPT AUTH/13 = 3207

  Closed session authentication: handle = 134

  51578 10/24/2002 11:57:30.480 SEV = 4 IKE/0 RPT = 102 xxx.xxx.xxx.34

  Duplicate first detected package!

  51579 10/24/2002 11:57:35.490 SEV = 4 IKE/0 RPT = 103 xxx.xxx.xxx.34

  Duplicate first detected package!

  51580 10/24/2002 11:57:40.490 SEV = 4 IKE/0 RPT = 104 xxx.xxx.xxx.34

  Duplicate first detected package!

  10/24/2002 51581 11:57:57.570 SEV = 4 IKEDBG/65 RPT = 164 xxx.xxx.xxx.34

  Group [test]

  IKE AM Responder history FSM error (struct & 0xc37d0ac)

  , :

  AM_DONE, EV_ERROR

  AM_WAIT_MSG3, EV_TIMEOUT

  AM_WAIT_MSG3, NullEvent

  AM_SND_MSG2, EV_CRYPTO_ACTIVE

  Tom, what is your email address.

  I just talked to the person who is putting this together to be published on ORC, he hopes that towards the end of the year.

  At this moment we have the zip file of all the events of VPN 3000 and some explanations (this is not work in progress full product - it's), but might help you in your application.

  I can send you the zip file or post it on CCO. I need to your e-mail, however.

  If you don't feel comfortable yor e-mail here assignment, you can email me directly ([email protected] / * /).

  Thank you.

  Nelson

• 3005 integrated VPN with ACS and server RSA auth

  Hi guys, I have a VPN 3005, using the version 4.7.2.B version, and I have the following problem.

  When a remote user using the Cisco VPN client tries to connect to the VPN 3005, it must try twice to authenticate.

  The first test, the user is authenticated, but the connection is immediately undermined by the peer.

  After the second attempt, the user is authenticated ok.

  Pablo,

  When you use RADIUS authentication on the hub, the ACS server will automatically send all the attributes of the user towards the concentrator for the user who is connecting. There is no need to have the authorization to be configured on the RADIUS server.

  According to the newspapers, it looks like the IP pool is the problem.

  [GroupP] user group [tuser] obtained IP addr (192.168.32.128) before launching the Cfg Mode (active XAuth)

  Subnet mask of the user [tuser] sending [GroupP] (255.255.255.224) group to the remote client

  User group [GroupP] [tuser] attempt to assign network or broadcast IP address, remove (192.168.32.128) of the

  After that, I see the customer negotiation again and the client is connected.

  Thus, the IP address is removed from the pool. Please make sure that you set up a pool that does not have a broadcast IP address.

  Thank you

  Gilbert

  Write it down, if this post can help.