IPSec L2L issue.

Unanswered Question


I have a hub-spoke vpn solution, using ASA with software 8.0(3).

I have installed the last spoke, an ASA5505 like all others, but the tunnel does not come up!

Using debug I can get this message:

Dec 17 01:56:04 [IKEv1]: IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.

All spoke are ASA5505 with the same configuration for isakmp and IPSec.

Any idea?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ajagadee Wed, 12/17/2008 - 07:16
User Badges:
  • Cisco Employee,


Based on the debugs, it looks like the IKE packets are being blocked somewhere along the path between the Hub and Spoke. Make sure that the IKE and IPSEC Ports/Protocols are not blocked anywhere between the ASA5505 and headend side.



*Pls rate if it helps*

jpoplawski Fri, 12/19/2008 - 08:40
User Badges:
  • Bronze, 100 points or more

One document points to the key being invalid, another indicates the crypto ACLs aren't properly setup. Try re-entering the key on the spoke to verify it matches with the hub. Also double-check the crypto and nonat ACLs on both sides to verify they look proper.

Hope this helps, rate if it does,



This Discussion