I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesys AR450s, but am encountering a strange issue.
Currently I just have the two devices back to back.
If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.
If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.
Checking the debug logs, the problem is occuring during Phase 2 (Phase 1 completes on both devices).
The errors I am seeing:
"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.
during the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.
I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).
What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.