Cisco ASA & Allied Telesis router IPsec VPN- any luck?

Unanswered Question
Sep 11th, 2009

Hello,

I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesis AR450s, but am encountering a strange issue.

Currently I just have the two devices back to back.

If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.

If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.

Checking the debug logs, the problem is occurring during Phase 2 (Phase 1 completes on both devices).

The errors I am seeing:

ASA side:

"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.

Allied side:

during the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.

I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).

What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.

Thanks,

Al
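Two checks worth running on a UDP/500 capture of the failing exchange, as an added example that is not code from the original thread, from Cisco or from Allied Telesis. The first groups Quick Mode messages by ISAKMP cookies and message ID (header layout per RFC 2408) and tells apart byte-for-byte retransmits from distinct messages that merely reuse an ID, which is the difference between a peer retransmitting because it never got an answer and something else going on. The second validates the padding on a decrypted IKEv1 encrypted payload against the RFC 2409 convention (pad to the cipher block size, fill with 0x00, last byte holds the pad count excluding itself, padding always present), which is the check a peer would fail with a "bad pad length" style error if the two sides disagree on the convention. The packets, cookies and message ID are constructed for the demo, the grouping heuristic is mine rather than the ASA's, and the 8-byte block size assumes a DES or 3DES Phase 1 cipher.

```python
"""Added example (not from the original thread, Cisco or Allied Telesis): classify
'duplicate' Quick Mode packets in a UDP/500 capture and validate RFC 2409 padding on a
decrypted IKEv1 encrypted payload. Sample data below is constructed, not captured."""
import struct
from collections import defaultdict

# ISAKMP header (RFC 2408 section 3.1): i-cookie, r-cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
XCHG_IDENTITY_PROTECTION = 2   # IKEv1 Main Mode
XCHG_QUICK_MODE = 32           # IKEv1 Phase 2
FLAG_ENCRYPTION = 0x01
NEXT_PAYLOAD_HASH = 8
ISAKMP_V10 = 0x10


def parse_isakmp(datagram: bytes) -> dict:
    """Split one ISAKMP message (the UDP payload) into header fields and body."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, npl, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"ISAKMP length {length} != datagram length {len(datagram)}")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": npl, "version": ver,
            "exchange": xchg, "flags": flags, "msgid": msgid, "body": datagram[ISAKMP_HDR.size:]}


def build_isakmp(icookie, rcookie, xchg, flags, msgid, body) -> bytes:
    """Assemble a message with a correct length field (used only to build the sample)."""
    hdr = ISAKMP_HDR.pack(icookie, rcookie, NEXT_PAYLOAD_HASH, ISAKMP_V10, xchg, flags,
                          msgid, ISAKMP_HDR.size + len(body))
    return hdr + body


def classify_phase2(datagrams) -> dict:
    """Group Quick Mode messages by (cookies, message ID); per group, count how many are
    exact retransmits versus distinct messages reusing the ID (heuristic, not the ASA's)."""
    bodies = defaultdict(list)
    for d in datagrams:
        m = parse_isakmp(d)
        if m["exchange"] != XCHG_QUICK_MODE:
            continue  # Phase 1 and informational traffic are not part of the complaint
        bodies[(m["icookie"].hex(), m["rcookie"].hex(), m["msgid"])].append(m["body"])
    return {key: {"total": len(v), "distinct_bodies": len(set(v)),
                  "exact_retransmits": len(v) - len(set(v))} for key, v in bodies.items()}


def pad_rfc2409(plaintext: bytes, block: int = 8) -> bytes:
    """RFC 2409 padding: at least one byte, 0x00 fill, count byte last (count excludes itself)."""
    pad_total = block - (len(plaintext) % block)          # always 1..block
    return plaintext + b"\x00" * (pad_total - 1) + bytes([pad_total - 1])


def check_rfc2409_padding(decrypted: bytes, block: int = 8):
    """Validate the RFC 2409 convention on decrypted payload bytes; returns (ok, reason)."""
    if not decrypted or len(decrypted) % block:
        return False, "decrypted data is not a whole number of cipher blocks"
    count = decrypted[-1]
    if count >= block:
        return False, f"pad count {count} is not below block size {block}"
    if any(decrypted[-1 - count:-1]):
        return False, "padding bytes before the count byte are not all 0x00"
    return True, "ok"


def strip_rfc2409_padding(decrypted: bytes, block: int = 8) -> bytes:
    ok, reason = check_rfc2409_padding(decrypted, block)
    if not ok:
        raise ValueError(reason)
    return decrypted[:-(decrypted[-1] + 1)]


# Constructed sample capture: three Quick Mode messages sharing one message ID, two of
# them identical, plus one Main Mode message that the classifier must ignore.
ICOOKIE = bytes.fromhex("0011223344556677")   # constructed, not real cookies
RCOOKIE = bytes.fromhex("8899aabbccddeeff")
QM_MSGID = 0x3A1F0C22
SAMPLE_CAPTURE = [
    build_isakmp(ICOOKIE, RCOOKIE, XCHG_QUICK_MODE, FLAG_ENCRYPTION, QM_MSGID, b"\x10" * 32),
    build_isakmp(ICOOKIE, RCOOKIE, XCHG_QUICK_MODE, FLAG_ENCRYPTION, QM_MSGID, b"\x10" * 32),  # retransmit
    build_isakmp(ICOOKIE, RCOOKIE, XCHG_QUICK_MODE, FLAG_ENCRYPTION, QM_MSGID, b"\x20" * 32),  # same ID, new bytes
    build_isakmp(ICOOKIE, RCOOKIE, XCHG_IDENTITY_PROTECTION, 0, 0, b"\x00" * 48),
]

if __name__ == "__main__":
    for key, stats in classify_phase2(SAMPLE_CAPTURE).items():
        print(key, stats)
    print(check_rfc2409_padding(pad_rfc2409(b"hash(3) payload")))   # 15 bytes -> padded, ok
    print(check_rfc2409_padding(b"hash(3) payload!"))                # 16 bytes, unpadded: rejected
```

In practice the bodies fed to classify_phase2 are the UDP payloads from the capture; if every group shows exact_retransmits equal to total minus one, the ASA is simply resending a message the AR450s never answered, and the padding check on the decrypted final Quick Mode message (available only with the debug-level keys or a debugging build of either peer) is where the disagreement would surface.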

Paolo Bevilacqua Sat, 09/12/2009 - 02:15

I think you should take a packet capture, check if there is actually a duplicate packet, then complain to the vendor.
