
ASA-EasyVPN - ASA shows 127.0.0.1 as peer address from remote PIX

treimers1
Level 1

I'm having a problem where a PIX501 EasyVPN client is unable to connect to an ASA.

Messages show up thusly:

Aug 22 2008 09:16:23: %ASA-5-713201: Group = shilohrec, IP = 127.0.0.1, Duplicate Phase 1 packet detected. Retransmitting last packet.

Aug 22 2008 09:16:23: %ASA-6-713905: Group = shilohrec, IP = 127.0.0.1, P1 Retransmit msg dispatched to AM FSM

Aug 22 2008 09:49:09 713905 Group = shilohrec, IP = 127.0.0.1, No valid authentication type found for the tunnel group

I can't believe that the remote site REALLY has 127.0.0.1 on it.

The E0 (outside) interface of the PIX501 has "ip address outside dhcp setroute" on it, and is connected to a cable modem.

Rebooting sometimes gets it up for a while with a real public IP, which works.

Overnight, it does this again.

I've seen E0 actually have 127.0.0.1 on it, after dhcp to the cable modem (apparently) fails.

There IS no 127.0.0.1 address anywhere on the PIX, except if DHCP bombs out.

ISP reports that they don't see any problems with the modem, and they don't see an attached device.

How is that even GETTING to the ASA?

127.0.0.1 won't route!

Other VPN tunnels from other PIX501EVPN clients are attached to the same ASA.

How do I use packet tracer to look for IPSEC traffic coming in so that I could try to figure out where this is coming from?

1 Reply

sadbulali
Level 4

To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command in privileged EXEC configuration mode. To disable packet capture capabilities, use the no form of this command.
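
An added example, not part of the original thread: a small Python triage script that parses ASA IKE messages in the two formats quoted in the question and reports tunnel groups whose peer is logged with an address that cannot be a real source across the Internet (loopback, link-local, unspecified). The first three sample lines are the ones from the post; the fourth line and the group name `examplegrp` are constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# First three lines are the messages quoted in the post; the last is a
# constructed line (documentation address, hypothetical group) for contrast.
SAMPLE_LOG = """\
Aug 22 2008 09:16:23: %ASA-5-713201: Group = shilohrec, IP = 127.0.0.1, Duplicate Phase 1 packet detected. Retransmitting last packet.
Aug 22 2008 09:16:23: %ASA-6-713905: Group = shilohrec, IP = 127.0.0.1, P1 Retransmit msg dispatched to AM FSM
Aug 22 2008 09:49:09 713905 Group = shilohrec, IP = 127.0.0.1, No valid authentication type found for the tunnel group
Aug 22 2008 09:50:01: %ASA-5-713201: Group = examplegrp, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
"""

# Accepts both the "%ASA-<level>-<id>:" form and the bare "<id>" form seen above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):? +"
    r"(?:%ASA-(?P<level>\d)-)?(?P<msgid>\d{6}):? +"
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$"
)

def classify(ip_text):
    """Label a logged peer address; anything but 'ok' cannot be a real WAN source."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified:
        return "unspecified"
    return "ok"

def suspicious_peers(log_text):
    """Return {(group, ip, reason): count} for peers logged with impossible addresses."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IKE "Group = ..., IP = ..." message
        reason = classify(m["ip"])
        if reason != "ok":
            hits[(m["group"].strip(), m["ip"].strip(), reason)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (group, ip, reason), n in suspicious_peers(SAMPLE_LOG).items():
        print(f"{group}: peer logged as {ip} ({reason}) in {n} message(s)")
```
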