12-17-2008 01:56 AM - edited 02-21-2020 04:05 PM
Hello.
I have a hub-spoke vpn solution, using ASA with software 8.0(3).
I have installed the last spoke, an ASA5505 like all others, but the tunnel does not come up!
Using debug I can get this message:
Dec 17 01:56:04 [IKEv1]: IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
All spoke are ASA5505 with the same configuration for isakmp and IPSec.
Any idea?
Thanks.
Andrea.
12-17-2008 07:14 AM
Have a look at this document, http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Also if you can post a sanitized config of both the hub and spoke in question, that would be helpful.
Hope this helps, rate if it does.
JB
12-19-2008 02:37 AM
12-17-2008 07:16 AM
Andrea,
Based on the debugs, it looks like the IKE packets are being blocked somewhere along the path between the Hub and Spoke. Make sure that the IKE and IPSEC Ports/Protocols are not blocked anywhere between the ASA5505 and headend side.
Regards,
Arul
*Pls rate if it helps*
12-19-2008 08:40 AM
One document points to the key being invalid, another indicates the crypto ACLs aren't properly setup. Try re-entering the key on the spoke to verify it matches with the hub. Also double-check the crypto and nonat ACLs on both sides to verify they look proper.
Hope this helps, rate if it does,
JB
12-20-2008 11:05 PM
Hello JB and many thanks for your help.
I have already re-enter the pre-shared key before post for discussion.
I believe that the spoke is not capable to reach the hub. I believe that there is a route filtering between remote AS.
Regards.
Andrea.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide