Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
0
Helpful
4
Replies

Remote access VPN with 3 Outside interfaces

pemasirid
Level 1
Level 1

‎09-16-2008 02:33 PM - edited ‎02-21-2020 03:56 PM

Hi,

My ASA has 3 outside interfaces and one inside interface. Two outside interfaces are configured for two ADSL connections (with IP SLA for redundancy). Other outside interface is confiured for static public ip address in order to terminate remote access VPN. When remote VPN users try to connect im getting the following error.

xxx-ASA5510# sh dSep 03 02:08:57 [IKEv1]: IP = 213.130.118.202, Connection landed on tunnel_group xxx

Sep 03 02:09:02 [IKEv1]: Group = QBC, IP = 213.130.118.202, Duplicate Phase 1 packet detected. Retransmitting last packet.

Sep 03 02:09:02 [IKEv1]: Group = QBC, IP = 213.130.118.202, P1 Retransmit msg dispatched to AM FSM

Can any one advise me what is the exact issue on this connection failure.

I attached the running configure for ready reference.

Thanks

Labels:
Preview file
7 KB
0 Helpful
4 Replies 4

hadbou
Level 5
Level 5

‎09-22-2008 09:57 AM

Error Message - %PIX-5-713201: Duplicate (Phase 1/Phase 2) packet detected.(Retransmitting test packet/No last packet to retransmit.) Explanation This message is displayed when a duplicate IKE Phase 1 or IKE Phase 2 message is received. A duplicate message indicates that the peer did not receive the response to the message, because it was either dropped somewhere in the network, it was dropped by the peer because the message was in error, or it was never sent because the original message was in error.

Recommended Action - If this event is transient, then you can ignore it because it will not result in tunnel drops or tunnel errors. If the event persists and it is associated with tunnel failures, then you should take the following action:

Review other events associated with this IKE session to determine whether one of the peers is misconfigured. A misconfiguration could result in messages being dropped by one or both peers. If a misconfiguration has not caused the error, then you may require a network analyzer to determine where the message is being dropped.

0 Helpful

acomiskey
Level 10
Level 10

‎09-22-2008 10:07 AM

I think the issue here is your default gateway is out ASDL 1. You would have to have a specific route for the vpn client out the Outside interface.

0 Helpful

pemasirid
Level 1
Level 1
In response to acomiskey

‎09-22-2008 11:16 AM

Yes, you are right. When I remove the default route via ADSL1, the tunnel got up. Please advise me what should be my specific route for vpn clients, coz vpn clients are connecting via internet?.

thanks

0 Helpful

dgroscost
Level 4
Level 4
In response to pemasirid

‎09-22-2008 02:44 PM

The ASA/PIX firewalls can only handle 1 default-route to the Internet. You would need to place a L3 device (router) in front of the ASA/PIX firewall, or purchase some sort of load balancing/failover appliance such as WARP by FatPipe, etc.

The ASA/PIX can handle redundant or backup ISP links using the following guideline:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents