12-17-2008 01:56 AM - edited 02-21-2020 04:05 PM
Hello.
I have a hub-spoke vpn solution, using ASA with software 8.0(3).
I have installed the last spoke, an ASA5505 like all others, but the tunnel does not come up!
Using debug I can get this message:
Dec 17 01:56:04 [IKEv1]: IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.
All spoke are ASA5505 with the same configuration for isakmp and IPSec.
Any idea?
Thanks.
Andrea.
12-17-2008 07:14 AM
Have a look at this document, http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Also if you can post a sanitized config of both the hub and spoke in question, that would be helpful.
Hope this helps, rate if it does.
JB
12-19-2008 02:37 AM
12-17-2008 07:16 AM
Andrea,
Based on the debugs, it looks like the IKE packets are being blocked somewhere along the path between the Hub and Spoke. Make sure that the IKE and IPSEC Ports/Protocols are not blocked anywhere between the ASA5505 and headend side.
Regards,
Arul
*Pls rate if it helps*
12-19-2008 08:40 AM
One document points to the key being invalid, another indicates the crypto ACLs aren't properly setup. Try re-entering the key on the spoke to verify it matches with the hub. Also double-check the crypto and nonat ACLs on both sides to verify they look proper.
Hope this helps, rate if it does,
JB
12-20-2008 11:05 PM
Hello JB and many thanks for your help.
I have already re-enter the pre-shared key before post for discussion.
I believe that the spoke is not capable to reach the hub. I believe that there is a route filtering between remote AS.
Regards.
Andrea.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: