"The Peer is Not Responding to Phase 1 ISAKMP Requests" Error in Global VPN Client (GVC)
03/26/2020 1562 63872
This article provides information about the log entry The peer is not responding to phase 1 ISAKMP requests when using the global VPN client (GVC). This message is a general failure message, meaning that a phase 1 ISAKMP request was sent to the peer firewall, but there was no response. There are many possible reasons why this could happen. Troubleshooting steps and possible solutions are offered here that may help solve the problem.
Check GVC logs to verify the following.
- Verify host running SonicWall GVC application has Internet connectivity and can browse the Internet. If not, then fix this problem and then follow next step.
- Verify the peer gateway is running and the Group VPN policy is enabled. If you have other SonicWall GVC clients connecting to the same firewall on the same interface of the firewall, then this is not a problem.
- SonicWall GVC works from certain locations and this error message only shows up when you are behind certain NAT device. There are two possible scenarios. NAT device is blocking IKE traffic from SonicWall GVC (Vista OS) since it is not using defined UDP source port (500) for IKE. This is currently only a problem with GVC running on Vista. In order for SonicWall GVC to use the defined IKE source port, start GVC by right-clicking on the icon and then select ‘Run as administrator’.
- It is possible that this NAT device is blocking IKE traffic and so requires a rule (policy) to allow IKE packets from SonicWall GVC. To verify if the IKE traffic from SonicWall GVC is reaching the Peer gateway, use the event logs (Network Debug Category enabled) or packet capture on the SonicWall appliance. If the Peer gateway does not get the IKE packets, then it is the NAT device in the middle or ISP that is dropping the IKE packets. Consult the NAT device manual or ISP to troubleshoot this problem.
Possible Solution: Upgrade to 4.9.14 or higher
SonicWall Global VPN Client 4.9.14 provides a new connection property option.
- Restrict the size of the first ISAKMP packet sent - This option can be used when the Global VPN Client gets an error such as, The peer is not responding to phase 1 ISAKMP requests when attempting to connect. This error can occur when the ISAKMP packet is fragmented due to its size, but the network device (router) does not allow a fragmented packet when establishing the VPN connection.
- For upgrade and installation support, please review the Administrator's Guide for the relevant version of GVC.
SonicWall strongly recommends you follow these steps before installing the Global VPN Client (GVC) 4.9.14 (or higher) client.
- If you have SonicWall Global VPN Client version 4.8.6 or earlier installed, you must uninstall that version before installing version 4.9.14. Upgrading to GVC 4.9.14 is supported from version 4.9.0 and higher.
- SonicWall encounters run time conflicts when it co-exists with any 3rd party IPsec VPN clients. Uninstall all IPsec VPN clients prior to installing SonicWall GVC.
- For Vista systems, it is required that you update device drivers for each network adapter card to the latest available versions. You can check the NIC vendor Web site for these updates.