[VPN] VPN issue: Netscreen 5XP and Windows XP client

Luigi Mori lm at intrinsic.it
Tue May 13 08:19:22 EDT 2003


>I have a Netscreen 5XP (N5) working as a firewall in a LAN. On the
>other site, some Windows XP (WinXP) users use ADSL to connect to the
>Internet. Basically, I just want to have WinXP connect to the LAN by
>VPN set on N5. WinXP has the Netscreen Remote client installed, and all
>things related to VPN are set correctly on N5 (the other machines can
>connect to the LAN properly). The strange thing is that one of the
>clients with WinXP cannot go through anyway. The client log keeps
>complaining
>
>"13:15:58.030 My Connections\VPN - Initiating IKE Phase 1 (IP 
>ADDR=xx.xx.xx.xx)
>13:15:58.077 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE, 
>NON, ID, VID, VID, VID, VID)
>13:16:13.952 My Connections\VPN - message not received! Retransmitting!
>13:16:13.952 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
>13:16:29.202 My Connections\VPN - message not received! Retransmitting!
>13:16:29.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
>13:16:44.202 My Connections\VPN - message not received! Retransmitting!
>13:16:44.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
>13:16:59.202 My Connections\VPN - Exceeded 3 IKE SA negotiation attempts"
>
>Any hints for this? What should I do on the client or server site? 
>Do we have a troubleshooting process for this kind of issue? Thanks 
>a lot!

Did you check the event log on the NetScreen side?
You can enable a verbose mode using the command "debug ike basic".
To view the logs you can use the command "get dbuf stream".
The NetScreen GW is not responding to the first message of Phase1. I 
think there is a config mismatch between NS-Remote and the GW.

Regards,
lm
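
The reading given in the reply (the gateway never answers the first Phase 1 message) can be checked mechanically from the client log. The Python below is an added example, not part of the original message or of any NetScreen tooling; the function names are its own, and the "RECEIVED<<<" prefix for inbound packets is an assumption about the client's log format.

```python
import re
from datetime import datetime

# Client log from the message above; quote markers removed, wrapping kept.
CLIENT_LOG = r"""
13:15:58.030 My Connections\VPN - Initiating IKE Phase 1 (IP
ADDR=xx.xx.xx.xx)
13:15:58.077 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (SA, KE,
NON, ID, VID, VID, VID, VID)
13:16:13.952 My Connections\VPN - message not received! Retransmitting!
13:16:13.952 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:29.202 My Connections\VPN - message not received! Retransmitting!
13:16:29.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:44.202 My Connections\VPN - message not received! Retransmitting!
13:16:44.202 My Connections\VPN - SENDING>>>> ISAKMP OAK AG (Retransmission)
13:16:59.202 My Connections\VPN - Exceeded 3 IKE SA negotiation attempts
"""

ENTRY = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (.+?) - (.*)$")

def parse(text):
    """Return [time, connection, message] entries, rejoining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            entries.append([ts, m.group(2), m.group(3)])
        elif line and entries:
            entries[-1][2] += " " + line  # continuation of the previous entry
    return entries

def diagnose(text):
    """Summarise one Phase 1 attempt as seen from the initiator."""
    msgs = [(t, m) for t, _, m in parse(text)]
    sent = [(t, m) for t, m in msgs if m.startswith("SENDING>>>>")]
    # Assumption: the client logs inbound packets with a "RECEIVED<<<" prefix.
    received = sum(m.startswith("RECEIVED<<<") for _, m in msgs)
    gave_up = any(m.startswith("Exceeded") for _, m in msgs)
    verdict = ("peer replied; failure is later in the exchange" if received
               else "no reply to first Phase 1 message" if sent and gave_up
               else "inconclusive")
    return {
        "sent": len(sent), "received": received,
        "retransmissions": sum("(Retransmission)" in m for _, m in sent),
        "gaps_s": [round((b[0] - a[0]).total_seconds()) for a, b in zip(sent, sent[1:])],
        "verdict": verdict,
    }
```

For the posted log, `diagnose(CLIENT_LOG)` reports four packets sent, none received, and retransmissions roughly 15 seconds apart, which is why the next step is the gateway-side debug output rather than more client-side changes.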


