cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
584
Views
0
Helpful
5
Replies

IPSec L2L issue.

andrea.meconi
Level 2
Level 2

Hello.

I have a hub-spoke vpn solution, using ASA with software 8.0(3).

I have installed the last spoke, an ASA5505 like all others, but the tunnel does not come up!

Using debug I can get this message:

Dec 17 01:56:04 [IKEv1]: IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.

All spoke are ASA5505 with the same configuration for isakmp and IPSec.

Any idea?

Thanks.

Andrea.

5 Replies 5

jpoplawski
Level 1
Level 1

Have a look at this document, http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Also if you can post a sanitized config of both the hub and spoke in question, that would be helpful.

Hope this helps, rate if it does.

JB

Sanitized configuration files.

I don't understand why only this last spoke does not work!

ajagadee
Cisco Employee
Cisco Employee

Andrea,

Based on the debugs, it looks like the IKE packets are being blocked somewhere along the path between the Hub and Spoke. Make sure that the IKE and IPSEC Ports/Protocols are not blocked anywhere between the ASA5505 and headend side.

Regards,

Arul

*Pls rate if it helps*

jpoplawski
Level 1
Level 1

One document points to the key being invalid, another indicates the crypto ACLs aren't properly setup. Try re-entering the key on the spoke to verify it matches with the hub. Also double-check the crypto and nonat ACLs on both sides to verify they look proper.

Hope this helps, rate if it does,

JB

Hello JB and many thanks for your help.

I have already re-enter the pre-shared key before post for discussion.

I believe that the spoke is not capable to reach the hub. I believe that there is a route filtering between remote AS.

Regards.

Andrea.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: