
RA-VPN error: Duplicate Phase 1 packet detected

philbe
Level 1

I've tried to set up a remote access VPN with both the wizard and then again at the CLI, but to no avail.

Each time I get the same error:

Duplicate Phase 1 packet detected. Retransmitting last packet

I've tried different clients and also checked that:

sysopt connection permit-ipsec

is enabled.

Though I haven't been able to run the:

debug crypto isakmp

due to it being in production.

Many thanks

phil

3 Replies

whjvdam1
Level 1

I have checked the error log.

What I have found for you:

Error Message %PIX|ASA-3-713902

Recommended Action It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

You can also check if you can reach the peer.

Regards,

Wouter

Thanks Wouter

This is the config, there is also a bit for a site to site, that works. Sorry for the delay.

!
interface Ethernet0/3
 description *** Ultra Site-2-Site ***
 nameif Ultra_Site-2-Site
 security-level 0
 ip address **********
!
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list Ultra_Site-2-Site_cryptomap_20 extended permit ip 172.16.9.0 255.255.255.0 10.1.0.0 255.255.255.0
ip local pool affinitipool 172.16.8.249-172.16.8.250 mask 255.255.255.252
route Ultra_Site-2-Site 81.171.173.35 255.255.255.255 81.137.12.22 1
route Ultra_Site-2-Site 10.1.0.0 255.255.255.0 81.137.12.22 1
group-policy affinitivpn internal
group-policy affinitivpn attributes
 dns-server value 10.201.10.10
 vpn-tunnel-protocol IPSec
 webvpn
username network password oAey6bUMeYJzmyZI encrypted privilege 15
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map affiniti_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map affiniti_dyn_map 40 set reverse-route
crypto map Ultra_Site-2-Site_map 20 match address Ultra_Site-2-Site_cryptomap_20
crypto map Ultra_Site-2-Site_map 20 set peer 81.171.173.35
crypto map Ultra_Site-2-Site_map 20 set transform-set ESP-3DES-SHA
crypto map Ultra_Site-2-Site_map 40 ipsec-isakmp dynamic affiniti_dyn_map
crypto map Ultra_Site-2-Site_map interface Ultra_Site-2-Site
isakmp enable Ultra_Site-2-Site
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
isakmp nat-traversal 20
tunnel-group 81.171.173.35 type ipsec-l2l
tunnel-group 81.171.173.35 ipsec-attributes
 pre-shared-key *
tunnel-group affinitivpn type ipsec-ra
tunnel-group affinitivpn general-attributes
 address-pool affinitipool
 default-group-policy affinitivpn
tunnel-group affinitivpn ipsec-attributes
 pre-shared-key *

For others who get this error:

It was actually a routing problem.

This RA-VPN wasn't on the outside interface, but on e0/3, so there wasn't a default route.

We needed to add specific routes to the REAL IP address to connect.

The ASA log is just saying that it's receiving the Phase 1 (but can't respond in the right direction).
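Added example, not part of the thread and not Cisco tooling: a Python check for the root cause described in the last post. It does a longest-prefix match over the `route` lines and reports whether the reply to a client's real IP would leave through the interface where ISAKMP is enabled. The default route via `outside`, the gateway `192.0.2.1` and the client address `203.0.113.50` are constructed assumptions; connected routes are not modelled because the interface addresses are masked in the posted config.

```python
import ipaddress

# Constructed sample: the two route lines and the isakmp line from the posted
# config, plus a hypothetical default route via an interface named "outside".
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route Ultra_Site-2-Site 81.171.173.35 255.255.255.255 81.137.12.22 1
route Ultra_Site-2-Site 10.1.0.0 255.255.255.0 81.137.12.22 1
isakmp enable Ultra_Site-2-Site
"""

def parse(config):
    """Extract static routes and ISAKMP-enabled interfaces from config text."""
    routes, ike_ifs = [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            metric = int(tok[5]) if len(tok) > 5 else 1
            routes.append((net, tok[1], tok[4], metric))
        elif tok[-3:-1] == ["isakmp", "enable"]:
            ike_ifs.add(tok[-1])
    return routes, ike_ifs

def egress(routes, ip):
    """Longest-prefix match, lowest metric as tie-break; None if uncovered."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def check_return_path(config, client_ip):
    """Say where the reply to client_ip would leave, relative to the VPN interface."""
    routes, ike_ifs = parse(config)
    best = egress(routes, client_ip)
    if best is None:
        return "no-route"
    return "ok" if best[1] in ike_ifs else f"wrong-interface:{best[1]}"

if __name__ == "__main__":
    client = "203.0.113.50"  # constructed client address (documentation range)
    print("before:", check_return_path(SAMPLE_CONFIG, client))
    # The fix from the thread: a specific route to the client's real IP.
    fixed = SAMPLE_CONFIG + f"route Ultra_Site-2-Site {client} 255.255.255.255 81.137.12.22 1\n"
    print("after: ", check_return_path(fixed, client))
```

A result of `no-route` or `wrong-interface:<name>` for a client that produces the "Duplicate Phase 1 packet detected" message points at the return path rather than at the ISAKMP policy or pre-shared key.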
