[ScreenOS] Phase 1: Retransmission limit has been reached

Article ID: KB9349 | KB Last Updated: 14 Mar 2020 | Version: 6.0
Summary:

The VPN does not come up. It fails in Phase 1, and 'Retransmission limit has been reached' is reported in the event log.

Symptoms:

The VPN tunnel does not come up.  It is failing in Phase 1, with 'Phase 1:  Retransmission limit has been reached' reported in the Event log.

Assumptions

  • You are on the responder firewall, and there are no Phase 2 errors in the Event log.
  • You are on the responder firewall, and the only Phase 1 message in the event log is 'Retransmission limit has been reached'.  If you have other Phase 1 errors, please refer to KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs.
  • You are on the initiator firewall, and there are no messages in the event log on the responder.
    Note:  It is always better to troubleshoot VPN connection problems by reviewing the messages in the responder side first.

Terminology:

  • The responder is the 'receiver' side of the VPN that is being pinged, receiving tunnel setup requests, or receiving the tunneled traffic. 
  • The initiator is the side of the VPN from which the ping or traffic is generated.
Solution:

Use the following steps to determine what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.

Step 1  From the firewall, can you ping the IP address of the Remote VPN Gateway OR any host on the Internet?

  • Yes - Continue with Step 2
  • No  - Verify that a default route is configured on the firewall.  If so, can you ping the firewall's default gateway?  If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router.

Step 2  Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?

  • Yes - Continue with Step 3
  • No  - In the IKE gateway configuration, reenter the Preshared Key on both the initiator and the responder and then attempt to bring up the VPN again. 

Step 3   Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?

  • Yes - Continue with Step 4
  • No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.

Step 4  Does the IKE gateway's outgoing interface match the route to the destination? 

  • Yes - Continue with Step 5
  • No - Correct the IKE gateway's outgoing interface.  The outgoing interface of an existing IKE gateway cannot be changed, so you need to create a new IKE gateway that points to the correct outgoing interface and then change the AutoKey IKE so that it points to this new IKE gateway.

Step 5  Are there any routers or firewalls in the path that are blocking IPSec (IP protocol 50 or UDP port 500 (if using NAT-Traversal))?

  • Yes - Work with the admin of that firewall or router to allow IPSec through for the IP address of your firewall and the Remote IP gateway.
  • No -  Continue with Step 6  

Step 6  If the above steps do not help you resolve the 'Phase 1: Retransmission Limit has been reached' messages, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center.  See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN.
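
Steps 3 and 4 can also be checked offline against a saved configuration. The following is an added example, not Juniper code: it assumes the configuration uses `set ike gateway ... address ... outgoing-interface ...`, `set route ... interface ...` and `set interface ... ip ...` lines in the layout shown, and the gateway names, addresses and the `EXPECTED_PEERS` map are constructed for illustration.

```python
import ipaddress
import re

# Assumed ScreenOS "set" line layouts; adjust the patterns if your export differs.
GW_RE = re.compile(r'set ike gateway "(?P<name>[^"]+)" address (?P<addr>[\d.]+) '
                   r'.*?outgoing-interface "(?P<ifc>[^"]+)"')
ROUTE_RE = re.compile(r'set route (?P<net>[\d.]+/\d+) interface "?(?P<ifc>[^"\s]+)"?')
IFIP_RE = re.compile(r'set interface "?(?P<ifc>[^"\s]+)"? ip (?P<net>[\d.]+/\d+)')

# Constructed sample configuration (documentation address ranges only).
SAMPLE_CONFIG = '''
set interface "ethernet0/0" ip 198.51.100.1/24
set interface "ethernet0/2" ip 203.0.113.1/24
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.254
set route 192.0.2.0/24 interface ethernet0/2 gateway 203.0.113.254
set ike gateway "gw-branch" address 192.0.2.10 Main outgoing-interface "ethernet0/0" preshare "CONSTRUCTED-PLACEHOLDER" proposal "pre-g2-3des-sha"
set ike gateway "gw-hq" address 198.51.100.77 Main outgoing-interface "ethernet0/0" preshare "CONSTRUCTED-PLACEHOLDER" proposal "pre-g2-3des-sha"
'''
# Hypothetical: the public IP each remote gateway really has, as confirmed with the peer admin.
EXPECTED_PEERS = {"gw-branch": "192.0.2.10", "gw-hq": "198.51.100.70"}

def parse(config):
    """Return (gateways, routes); connected subnets are treated as routes."""
    gateways, routes = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GW_RE.match(line):
            gateways.append((m["name"], ipaddress.ip_address(m["addr"]), m["ifc"]))
        elif m := (ROUTE_RE.match(line) or IFIP_RE.match(line)):
            routes.append((ipaddress.ip_network(m["net"], strict=False), m["ifc"]))
    return gateways, routes

def egress_interface(routes, dest):
    """Longest-prefix match: the interface the firewall would use to reach dest."""
    matches = [(net.prefixlen, ifc) for net, ifc in routes if dest in net]
    return max(matches)[1] if matches else None

def check_gateways(config, expected_peers):
    """Report Step 3 (wrong remote IP) and Step 4 (wrong outgoing interface) findings."""
    gateways, routes = parse(config)
    findings = []
    for name, addr, ifc in gateways:
        want = expected_peers.get(name)
        if want and addr != ipaddress.ip_address(want):
            findings.append((name, "step3", f"address {addr} != remote public IP {want}"))
        egress = egress_interface(routes, addr)
        if egress != ifc:
            findings.append((name, "step4", f"outgoing-interface {ifc}, route uses {egress}"))
    return findings

if __name__ == "__main__":
    for finding in check_gateways(SAMPLE_CONFIG, EXPECTED_PEERS):
        print(*finding, sep=": ")
```

The preshared key from Step 2 is not compared here, because the example makes no assumption about how the key is stored in an exported configuration.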

Modification History:

2020-03-13: Article reviewed for accuracy. No changes made. Article is correct and complete.
