Unable to connect to ASA5505 from Remote VPN Peer

Unanswered Question
Jan 30th, 2008

Hi folks,

I've configured an ASA5505 to receive VPN tunnel connections from a 'test' Remote VPN peer. The public IP of the ASA is 83.***.**.42 and the public IP of the 'test' peer is 83.***.**.41. The whole thing works fine - I can establish a connection and connect to hosts on the LAN behind the ASA5505. I can also ping the public IP address from a host behind the 'test' VPN peer even when the tunnel is not established.

However, when a work colleague tries to establish a VPN connection to the ASA it doesn't work. I've configured another tunnel connection for his VPN peer. His public IP address is 212.**.***.78. He can't ping the ASA5505 at all, but when he tries, the following appears in the ASA5505 logs:

6 Jan 29 2008 12:06:58 713905 IP = 212.**.***.78, P1 Retransmit msg dispatched to MM FSM

5 Jan 29 2008 12:06:58 713201 IP = 212.**.***.78, Duplicate Phase 1 packet detected. Retransmitting last packet.

6 Jan 29 2008 12:06:56 302015 212.**.***.78 83.***.**.42 Built inbound UDP connection 27691 for outside:212.**.***.78/500 (212.**.***.78/500) to NP Identity Ifc:83.***.**.42/500 (83.***.**.42/500)

The settings for the test tunnel and the live tunnel are exactly the same except for the peer IP address and pre-shared key, of course.

Can anyone tell me why I can connect to the ASA5505 from one peer but not the other?

Thanks

Sean.

ajagadee Wed, 01/30/2008 - 08:28

Where is the 212.**.***.78 VPN server located? Is this device behind a firewall that is blocking UDP port 500 and protocol 50? Based upon the logs, it looks like the ASA is responding to the UDP port 500 ISAKMP packets and the response never makes it to the remote peer. The remote peer keeps sending the initiation again and again, and that is why we complain of duplicate Phase 1 packets detected.

Also, the issue could be on a device in front of your ASA that is blocking traffic for this particular peer.

Regards,

Arul

** Please rate all helpful posts **
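The pattern Arul describes (inbound ISAKMP on UDP/500 is seen and answered, then only "Duplicate Phase 1 packet" / "P1 Retransmit" messages for that peer, never a Phase 1 completion) can be picked out of the ASA syslog automatically. The following is an added example, not code from the original thread or from Cisco: it parses lines in the layout shown in Sean's post (severity, timestamp, six-digit message ID, text), tallies per-peer ISAKMP arrivals, Phase 1 retransmits and completions, and gives a verdict. The sample log is constructed with RFC 5737 documentation addresses in place of the masked ones; message IDs 302015, 713201 and 713905 are from the thread, while 713119 for "PHASE 1 COMPLETED" is an assumption made here so the healthy peer has something to match.

```python
"""Triage IKEv1 Phase 1 retransmit loops from ASA syslog lines (added example)."""
import re
from collections import defaultdict

# Layout seen in the thread: <sev> <Mon DD YYYY HH:MM:SS> <msgid> <text>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(r"IP = (" + IPV4 + ")")   # "IP = x.x.x.x" form
ANY_IP_RE = re.compile(r"\b(" + IPV4 + r")\b")  # first address in 302015 lines
ISAKMP_PORT_RE = re.compile(r"/(500|4500)\b")   # IKE, or IKE over NAT-T

MSG_CONN_BUILT = "302015"     # from the thread: Built inbound UDP connection
MSG_DUP_P1 = "713201"         # from the thread: Duplicate Phase 1 packet detected
MSG_ISAKMP_INFO = "713905"    # from the thread: P1 Retransmit msg dispatched
MSG_P1_COMPLETE = "713119"    # ASSUMED here: "PHASE 1 COMPLETED"; not in the thread

# Constructed sample: one peer stuck in Phase 1, one peer that completes.
SAMPLE_LOG = """\
6 Jan 29 2008 12:06:56 302015 203.0.113.78 198.51.100.42 Built inbound UDP connection 27691 for outside:203.0.113.78/500 (203.0.113.78/500) to NP Identity Ifc:198.51.100.42/500 (198.51.100.42/500)
5 Jan 29 2008 12:06:58 713201 IP = 203.0.113.78, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 Jan 29 2008 12:06:58 713905 IP = 203.0.113.78, P1 Retransmit msg dispatched to MM FSM
5 Jan 29 2008 12:07:06 713201 IP = 203.0.113.78, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 Jan 29 2008 12:07:06 713905 IP = 203.0.113.78, P1 Retransmit msg dispatched to MM FSM
6 Jan 29 2008 12:10:01 302015 203.0.113.41 198.51.100.42 Built inbound UDP connection 27702 for outside:203.0.113.41/500 (203.0.113.41/500) to NP Identity Ifc:198.51.100.42/500 (198.51.100.42/500)
5 Jan 29 2008 12:10:02 713119 Group = 203.0.113.41, IP = 203.0.113.41, PHASE 1 COMPLETED
"""


def parse_line(line):
    """Split one syslog line into fields and pull out the remote peer address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = m.group("text")
    ipm = PEER_RE.search(text) or ANY_IP_RE.search(text)
    return {
        "sev": int(m.group("sev")),
        "ts": m.group("ts"),
        "msgid": m.group("msgid"),
        "text": text,
        "peer": ipm.group(1) if ipm else None,
    }


def summarise(log_text):
    """Count, per peer, inbound ISAKMP connections, Phase 1 retransmits and completions."""
    stats = defaultdict(lambda: {"isakmp_in": 0, "retransmits": 0, "p1_complete": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["peer"] is None:
            continue
        s = stats[ev["peer"]]
        if (ev["msgid"] == MSG_CONN_BUILT and "inbound UDP" in ev["text"]
                and ISAKMP_PORT_RE.search(ev["text"])):
            s["isakmp_in"] += 1
        elif ev["msgid"] == MSG_DUP_P1 or (
                ev["msgid"] == MSG_ISAKMP_INFO and "Retransmit" in ev["text"]):
            s["retransmits"] += 1
        elif ev["msgid"] == MSG_P1_COMPLETE:
            s["p1_complete"] += 1
    return dict(stats)


def diagnose(stats):
    """Attach a verdict to each peer's counters."""
    out = {}
    for peer, s in stats.items():
        if s["p1_complete"] > 0:
            verdict = "phase1_ok"
        elif s["retransmits"] > 0:
            # The ASA has seen the peer's first Main Mode message and replied;
            # the peer keeps resending it, so its reply is most likely dropped on
            # the return path (UDP/500 filtered at the peer's firewall or upstream).
            # Phase 2 will additionally need ESP (IP protocol 50) or UDP/4500.
            verdict = "phase1_retransmit_loop"
        elif s["isakmp_in"] > 0:
            verdict = "isakmp_seen_no_progress"
        else:
            verdict = "no_isakmp_seen"
        out[peer] = dict(s, verdict=verdict)
    return out


if __name__ == "__main__":
    for peer, result in diagnose(summarise(SAMPLE_LOG)).items():
        print(peer, result)
```

Feed it `show logging` output filtered to the failing peer's address; a peer that shows `phase1_retransmit_loop` is the case in this thread, and the check to run next is whether the ASA's UDP/500 replies actually leave the ASA and reach the peer (a packet capture on the ASA outside interface on one side, and on the peer's firewall on the other).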

CiscoASA2008 Thu, 01/31/2008 - 01:40

Hi Arul,

Thanks for the reply.

I've mailed the guy working the remote VPN to check out the issues you mentioned above. AFAIK, 212.*.*.78 is the public address of his firewall, which is what the ASA sees when the Phase 1 packets arrive.

However, he is able to establish a connection to another VPN box we have at 83.*.*.40 with no issue. The ASA on my side is connected directly to the internet with no firewall devices in front of it. If there was an issue with my ISP, my colleague should have issues connecting to the 83.*.*.40 box as well.

CiscoASA2008 Fri, 02/01/2008 - 01:21

Checked with my colleague, and he already has 82 tunnels set up through the firewall, so it doesn't look like the issue is there. Running out of ideas as to how to fix this!!
