I have a primary and a backup site that are connected via an IPsec site-to-site VPN tunnel between two PIXs.
These PIXs also terminate remote-access VPN, and authentication is done against an external AD. Basically the primary PIX uses the AD located in the primary site, and the backup PIX uses the AD located in the backup site. This works fine.
My problem occurs when (for example) the backup PIX wants to use the other (primary) AD, which is located in the other (primary) site. In this case the PIX has to send the authentication packets into the site-to-site tunnel that is terminated on its own interface.
I checked everything (syslogs, encaps, decaps, ACLs, NAT-s, debugs, capture, routing) and it seems to be OK, but the following happens:
The authentication is successful; in the debug logs I can see that the client gets an IP address and the other parameters, but the session is deleted after all.
The only message that refers to an error is:
Retransmitted and duplicated Phase 2 packet (3 times).
Between the PIXs and the ADs there is no other L3 device, and all of the packets arrive everywhere they should.
Does anyone have any idea what the mistake could be?