Phase 1: Retransmission limit has been reached.

Knowledge Base ID: KB9349
Last Updated: 27 Sep 2011
Version: 4.0

Summary:
The VPN won't come up; it fails in Phase 1, with 'Retransmission limit has been reached' reported in the Event log.

Problem or Goal:

The VPN tunnel does not come up. It is failing in Phase 1, with 'Phase 1: Retransmission limit has been reached' reported in the Event log.

Assumptions

  • You are on the responder firewall, and there are no Phase 2 errors in the Event log.
  • You are on the responder firewall, and the only Phase 1 message in the event log is 'Retransmission limit has been reached'.  If you have other Phase 1 errors, please refer to KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs.
  • You are on the initiator firewall, and there are no messages in the event log on the responder.
    Note:  It is always better to troubleshoot VPN connection problems by reviewing the messages in the responder side first.

Terminology:

  • The responder is the 'receiver' side of the VPN: the side that is being pinged, that receives the tunnel setup requests, or that receives the tunneled traffic.
  • The initiator is the side of the VPN from which the ping or traffic is generated.

Solution:

Use the following steps to determine what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.

Step 1  From the firewall, can you ping the IP address of the Remote VPN Gateway OR any host on the Internet?

  • Yes - Continue with Step 2
  • No  - Verify that a default route is configured on the firewall.  If so, can you ping the firewall's default gateway?  If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router.

Step 2  Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?

  • Yes - Continue with Step 3
  • No  - In the IKE gateway configuration, reenter the Preshared Key on both the initiator and the responder and then attempt to bring up the VPN again. 

Step 3   Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?

  • Yes - Continue with Step 4
  • No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.

Step 4  Does the IKE gateway's outgoing interface match the route to the destination? 

  • Yes - Continue with Step 5
  • No - Correct the IKE gateway's outgoing interface.  Unfortunately, you cannot change an existing IKE Gateway's outgoing interface.  You need to create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it points to this new IKE Gateway.

Step 5  Are there any routers or firewalls in the path that are blocking IPSec traffic (IP protocol 50, or UDP port 500 if using NAT-Traversal)?

  • Yes - Work with the admin of that firewall or router to allow IPSec through for the IP address of your firewall and the Remote IP gateway.
  • No -  Continue with Step 6  

Step 6  If the above steps do not help you resolve the 'Phase 1: Retransmission Limit has been reached' messages, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center.  See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN.
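The following is an added example, not Juniper's own code or tooling, that automates two of the checks in the procedure above: the Assumptions triage (deciding from the responder's Event log whether this KB applies, whether KB9238 applies, or whether the log is empty and you should be looking at the responder instead) and the Step 4 route check (a longest-prefix lookup of the Remote Gateway address against the routing table, compared with the IKE gateway's configured outgoing interface). The log lines, the routing table and the interface names are constructed for illustration and are written in a ScreenOS-like style; the real log format on your firewall may differ, so adjust `PHASE_RE` to match it.

```python
import ipaddress
import re

# Constructed sample Event-log lines (illustrative; not taken from the KB).
RESPONDER_LOG = """\
2011-09-27 10:01:02 IKE<203.0.113.10> Phase 1: Retransmission limit has been reached.
2011-09-27 10:01:40 IKE<203.0.113.10> Phase 1: Retransmission limit has been reached.
"""

# Constructed log with an additional Phase 1 message (constructed wording),
# which per the Assumptions means KB9238 should be consulted instead.
OTHER_PHASE1_LOG = """\
2011-09-27 10:05:11 IKE<203.0.113.10> Phase 1: No proposal chosen.
2011-09-27 10:05:30 IKE<203.0.113.10> Phase 1: Retransmission limit has been reached.
"""

RETRANS_MSG = "Retransmission limit has been reached"
# Matches "Phase 1: <message>" / "Phase 2: <message>" at the end of a log line.
PHASE_RE = re.compile(r"Phase (?P<phase>[12]):\s*(?P<msg>[^\n]*?)\.?\s*$")


def triage_event_log(log_text):
    """Apply the KB's Assumptions to the responder's Event log.

    Returns one of:
      'phase2'  - Phase 2 errors are present; this KB does not apply
      'kb9238'  - other Phase 1 messages are present; analyse with KB9238
      'retrans' - only 'Retransmission limit' messages; follow Steps 1-6
      'none'    - no IKE phase messages at all (the initiator-side case)
    """
    phase1, phase2 = [], []
    for line in log_text.splitlines():
        m = PHASE_RE.search(line)
        if not m:
            continue
        target = phase1 if m.group("phase") == "1" else phase2
        target.append(m.group("msg").strip())
    if phase2:
        return "phase2"
    if not phase1:
        return "none"
    if all(msg.startswith(RETRANS_MSG) for msg in phase1):
        return "retrans"
    return "kb9238"


# Constructed routing table: (destination prefix, outgoing interface, next hop).
# Interface names follow ScreenOS conventions but are hypothetical.
ROUTE_TABLE = [
    ("0.0.0.0/0", "ethernet0/0", "198.51.100.1"),
    ("10.0.0.0/8", "ethernet0/1", "10.0.0.1"),
    ("203.0.113.0/24", "ethernet0/2", "192.0.2.1"),
]


def route_lookup(route_table, dest_ip):
    """Longest-prefix match over route_table.

    Returns (interface, next_hop), or None when no route (not even a default
    route) covers dest_ip, which is the Step 1 'verify a default route' case.
    """
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, iface, nexthop in route_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def check_outgoing_interface(route_table, remote_gw, configured_iface):
    """Step 4: does the IKE gateway's outgoing interface match the route to
    the Remote Gateway? Returns (ok, interface_the_route_actually_uses)."""
    hit = route_lookup(route_table, remote_gw)
    if hit is None:
        return False, None
    return hit[0] == configured_iface, hit[0]


if __name__ == "__main__":
    print("responder log ->", triage_event_log(RESPONDER_LOG))
    print("other Phase 1 log ->", triage_event_log(OTHER_PHASE1_LOG))
    ok, iface = check_outgoing_interface(ROUTE_TABLE, "203.0.113.10", "ethernet0/0")
    print("Step 4 outgoing interface ok:", ok, "(route uses", iface + ")")
```

When the route check reports a mismatch, the interface it returns is the one a new IKE Gateway would need to reference; when it returns `None`, there is no usable route at all and Step 1's default-route check is the place to start.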

Copyright © 1999-2012 Juniper Networks, Inc. All rights reserved.