You are on the initiator firewall, and there are no messages in the event log on the responder. Note: It is always better to troubleshoot VPN connection problems by reviewing the messages in the responder side first.
The responder is the 'receiver' side of the VPN that is being pinged, receiving tunnel setup requests, or receiving the tunneled traffic.
The initiator is the side of the VPN that the ping or traffic is generated.
Use the following steps to determine what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.
From the firewall, can you ping the IP address of the Remote VPN Gateway OR any host on the Internet?
Yes - Continue with Step 2
No - Verify that a default route is configured on the firewall. If so, can you ping the firewall's default gateway? If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router.
Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?
Yes - Continue with Step 3
No - In the IKE gateway configuration, reenter the Preshared Key on both the initiator and the responder and then attempt to bring up the VPN again.
Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?
Yes -Continue with Step 4
No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.
Does the IKE gateway's outgoing interface match the route to the destination?
Yes - Continue with Step 5
No - Correct the IKE gateway's outgoing interface. Unfortunately, you cannot change the IKE Gateway's outgoing interface. You need to create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE so that points to this new IKE Gateway.
Are there any routers or firewalls in the path that are blocking IPSec (IP protocol 50 or UDP port 500 (if using NAT-Traversal))?
Yes - Work with the admin of that firewall or router to allow IPSec through for the IP address of your firewall and the Remote IP gateway.