04-17-2008 06:28 AM - edited 03-11-2019 05:32 AM
I've tried to set up a remote access VPN with both the wizard and then again at the CLI, but to no avail.
Each time I get the same error:
Duplicate Phase 1 packet detected. Retransmitting last packet
I've tried different clients and also checked that:
sysopt connection permit-ipsec
is enabled.
Though I haven't been able to run the:
debug crypto isakmp
due to it being in production.
Many thanks
phil
04-17-2008 10:33 AM
I have checked the error log.
What I have found for you:
Error Message: %PIX|ASA-3-713902
Recommended Action: It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.
You can also check if you can reach the peer.
Regards,
Wouter
04-22-2008 02:56 AM
Thanks Wouter,
This is the config, there is also a bit for a site to site, that works. Sorry for the delay.
!
interface Ethernet0/3
 description *** Ultra Site-2-Site ***
 nameif Ultra_Site-2-Site
 security-level 0
 ip address **********
!
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list Ultra_Site-2-Site_cryptomap_20 extended permit ip 172.16.9.0 255.255.255.0 10.1.0.0 255.255.255.0
ip local pool affinitipool 172.16.8.249-172.16.8.250 mask 255.255.255.252
route Ultra_Site-2-Site 81.171.173.35 255.255.255.255 81.137.12.22 1
route Ultra_Site-2-Site 10.1.0.0 255.255.255.0 81.137.12.22 1
group-policy affinitivpn internal
group-policy affinitivpn attributes
 dns-server value 10.201.10.10
 vpn-tunnel-protocol IPSec
 webvpn
username network password oAey6bUMeYJzmyZI encrypted privilege 15
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map affiniti_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map affiniti_dyn_map 40 set reverse-route
crypto map Ultra_Site-2-Site_map 20 match address Ultra_Site-2-Site_cryptomap_20
crypto map Ultra_Site-2-Site_map 20 set peer 81.171.173.35
crypto map Ultra_Site-2-Site_map 20 set transform-set ESP-3DES-SHA
crypto map Ultra_Site-2-Site_map 40 ipsec-isakmp dynamic affiniti_dyn_map
crypto map Ultra_Site-2-Site_map interface Ultra_Site-2-Site
isakmp enable Ultra_Site-2-Site
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1800
isakmp nat-traversal 20
tunnel-group 81.171.173.35 type ipsec-l2l
tunnel-group 81.171.173.35 ipsec-attributes
 pre-shared-key *
tunnel-group affinitivpn type ipsec-ra
tunnel-group affinitivpn general-attributes
 address-pool affinitipool
 default-group-policy affinitivpn
tunnel-group affinitivpn ipsec-attributes
 pre-shared-key *
04-25-2008 01:33 AM
For others who get this error:
It was actually a routing problem.
This RA-VPN wasn't on the outside interface, but on e0/3, so there wasn't a default route.
We needed to add specific routes to REAL IP address to connect.
The ASA log is just saying that it's receiving the phase 1 (but can't respond in the right direction).
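
Added example (not part of the thread and not Cisco code): a small offline check for the condition described in the resolution above, using the route and isakmp lines from the posted config. It reports whether the ASA has a static route back to a VPN client's public address through the interface where ISAKMP is enabled. The client address 203.0.113.10, the function names and the result strings are assumptions made for illustration, and connected subnets are ignored because the interface address is masked in the post.

```python
import ipaddress

# Lines copied from the config posted in the thread.
ASA_CONFIG = """\
route Ultra_Site-2-Site 81.171.173.35 255.255.255.255 81.137.12.22 1
route Ultra_Site-2-Site 10.1.0.0 255.255.255.0 81.137.12.22 1
isakmp enable Ultra_Site-2-Site
"""

def parse(config):
    """Return (static routes, names of interfaces with ISAKMP enabled)."""
    routes, ike_ifaces = [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "route":
            # route <nameif> <network> <mask> <gateway> [metric]
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((tok[1], net, tok[4]))
        elif tok[:2] == ["isakmp", "enable"] or tok[:3] == ["crypto", "isakmp", "enable"]:
            ike_ifaces.add(tok[-1])
    return routes, ike_ifaces

def best_route(routes, ip):
    """Longest-prefix match over the static routes; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)

def check_return_path(config, client_ip):
    """Classify the reply path for IKE phase 1 packets sent by client_ip."""
    routes, ike_ifaces = parse(config)
    route = best_route(routes, client_ip)
    if route is None:
        return "no-route"          # phase 1 arrives, reply has nowhere to go
    if route[0] not in ike_ifaces:
        return "wrong-interface"   # reply would leave via a non-IKE interface
    return "ok"

if __name__ == "__main__":
    # 203.0.113.10 is a constructed remote-access client address.
    for ip in ("81.171.173.35", "203.0.113.10"):
        print(ip, check_return_path(ASA_CONFIG, ip))
```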