Remote access VPN with 3 Outside interfaces

Unanswered Question
Sep 16th, 2008
User Badges:


My ASA has 3 outside interfaces and one inside interface. Two outside interfaces are configured for two ADSL connections (with IP SLA for redundancy). Other outside interface is confiured for static public ip address in order to terminate remote access VPN. When remote VPN users try to connect im getting the following error.

xxx-ASA5510# sh dSep 03 02:08:57 [IKEv1]: IP =, Connection landed on tunnel_group xxx

Sep 03 02:09:02 [IKEv1]: Group = QBC, IP =, Duplicate Phase 1 packet detected. Retransmitting last packet.

Sep 03 02:09:02 [IKEv1]: Group = QBC, IP =, P1 Retransmit msg dispatched to AM FSM

Can any one advise me what is the exact issue on this connection failure.

I attached the running configure for ready reference.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
hadbou Mon, 09/22/2008 - 09:57
User Badges:
  • Bronze, 100 points or more

Error Message - %PIX-5-713201: Duplicate (Phase 1/Phase 2) packet detected.(Retransmitting test packet/No last packet to retransmit.) Explanation This message is displayed when a duplicate IKE Phase 1 or IKE Phase 2 message is received. A duplicate message indicates that the peer did not receive the response to the message, because it was either dropped somewhere in the network, it was dropped by the peer because the message was in error, or it was never sent because the original message was in error.

Recommended Action - If this event is transient, then you can ignore it because it will not result in tunnel drops or tunnel errors. If the event persists and it is associated with tunnel failures, then you should take the following action:

Review other events associated with this IKE session to determine whether one of the peers is misconfigured. A misconfiguration could result in messages being dropped by one or both peers. If a misconfiguration has not caused the error, then you may require a network analyzer to determine where the message is being dropped.

acomiskey Mon, 09/22/2008 - 10:07
User Badges:
  • Green, 3000 points or more

I think the issue here is your default gateway is out ASDL 1. You would have to have a specific route for the vpn client out the Outside interface.

pemasirid Mon, 09/22/2008 - 11:16
User Badges:

Yes, you are right. When I remove the default route via ADSL1, the tunnel got up. Please advise me what should be my specific route for vpn clients, coz vpn clients are connecting via internet?.


dgroscost Mon, 09/22/2008 - 14:44
User Badges:

The ASA/PIX firewalls can only handle 1 default-route to the Internet. You would need to place a L3 device (router) in front of the ASA/PIX firewall, or purchase some sort of load balancing/failover appliance such as WARP by FatPipe, etc.

The ASA/PIX can handle redundant or backup ISP links using the following guideline:


This Discussion