Phase 1: Retransmission limit has been reached.

  • I have been using my NS5GT for almost a year - using it to tunnel to my workplace router.

    The work router was formerly a Cisco Pix and is now a Sonicwall.  Not sure which model or if it even matters.
    They both worked fine for several months, but now since before Christmas I am having mucho difficulties establishing the tunnel.  Nothing has changed on either router.

    To explain, for the last 10 minutes I have not been able to connect - keep getting these “Phase 1: Retransmission limit has been reached.” messages.

    Looking at the log file (I was at work today and didn’t use the tunnel at all), I can see that it was able to connect several times.

    It looks like, to me, that it will connect if the worksite initiates connection, but that I cannot initiate the connection from home.
    I’ve turned on debug from console and it doesn’t tell me much more.
    e.g. debug ike detail; get db str; undebug all

    Can anyone suggest what may be the problem here?  I hate to part with this Netscreen, but this is driving me nuts. 
    I’m trying to get my work Sonicwall guy to start some logs there, but hasn’t happened yet - the suggestion is “get a Sonicwall”.

    Here are the log messages when I try to ping a workplace IP:

    IKE<> Phase 1: Retransmission limit has been reached.
    IKE<> >> <> Phase 1: Initiated negotiations in main mode.

    Here are my log messages (via GUI) when I see a connection - I recall a couple times attempting to ping a home IP from work and I think these are the resulting messages:

    IKE<> Phase 2 msg ID <e3451543>: Completed negotiations with SPI <b2803acf>, tunnel ID <4>, and lifetime <3600> seconds/<0> KB.
    IKE<> Phase 2 msg ID <e3451543>: Responded to the peer’s first message.
    IKE<>: Received initial contact notification and removed Phase 1 SAs.
    IKE<> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
    IKE<>: Received initial contact notification and removed Phase 2 SAs.
    IKE<>: Received a notification message for DOI <1> <24578> <initial-contact>.
    IKE<> Phase 1: Responder starts MAIN mode negotiations.



  • There might be something missing in the config or some device in between the path could be blocking IP protocol 50 or UDP port 500. When you say it was working fine earlier, if someone has not messed up with the config recently then I doubt on the ports IP protocol 50 or UDP port 500 to somehow got blocked.

    Check the below link which might help you: -