Cisco ASA & Allied Telesis router IPsec VPN - any luck?

Unanswered Question
Sep 11th, 2009
I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesis AR450s, but am encountering a strange issue.

Currently I just have the two devices back to back.

If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.

If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.

Checking the debug logs, the problem is occurring during Phase 2 (Phase 1 completes on both devices).

The errors I am seeing:

ASA side:

"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.

Allied side:

During the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.

I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).

What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.



paolo bevilacqua Sat, 09/12/2009 - 02:15

I think you should take a packet capture, check if there is actually a duplicate packet, then complain to the vendor.
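One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it reads the fixed ISAKMP header of each captured UDP/500 payload and reports byte-identical Quick Mode (Phase 2) messages seen more than once, plus any whose header length field disagrees with the datagram size. The function names, the sample capture and its addresses are constructed for illustration; extracting the UDP payloads from the capture file is assumed to be done by your capture tool.

```python
import hashlib
import struct
from collections import defaultdict

# Fixed ISAKMP header (RFC 2408, section 3.1): cookies, next payload,
# version, exchange type, flags, message ID, total length = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
QUICK_MODE = 32  # IKEv1 Phase 2 exchange type (RFC 2409)

def parse_isakmp(payload):
    """Return the header fields of one UDP/500 payload as a dict."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, _np, _ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {"exchange": xchg, "msg_id": msg_id,
            "encrypted": bool(flags & 0x01), "declared_len": length}

def quick_mode_report(packets):
    """packets: iterable of (timestamp, src_ip, udp_payload_bytes).
    Returns (duplicates, bad_lengths) for Quick Mode messages only."""
    seen, bad_lengths = defaultdict(list), []
    for ts, src, payload in packets:
        try:
            hdr = parse_isakmp(payload)
        except ValueError:
            continue  # not ISAKMP, skip
        if hdr["exchange"] != QUICK_MODE:
            continue
        if hdr["declared_len"] != len(payload):
            bad_lengths.append((ts, src, hdr["msg_id"]))
        # Same sender, same message ID, same bytes => a retransmission.
        key = (src, hdr["msg_id"], hashlib.sha256(payload).hexdigest())
        seen[key].append(ts)
    dups = [(src, mid, times) for (src, mid, _), times in seen.items() if len(times) > 1]
    return dups, bad_lengths

def _sample(msg_id, body, xchg=QUICK_MODE):
    """Build a constructed ISAKMP datagram (opaque body, not real ciphertext)."""
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 8, 0x10, xchg, 0x01,
                           msg_id, ISAKMP_HDR.size + len(body)) + body

# Constructed capture; 192.0.2.1 and 192.0.2.2 are documentation addresses.
SAMPLE = [
    (0.00, "192.0.2.1", _sample(0x1A2B3C4D, b"\x11" * 160)),
    (0.05, "192.0.2.2", _sample(0x1A2B3C4D, b"\x22" * 160)),
    (0.10, "192.0.2.1", _sample(0x1A2B3C4D, b"\x33" * 56)),
    (8.05, "192.0.2.2", _sample(0x1A2B3C4D, b"\x22" * 160)),
]
```

A retransmission reported here shows which peer is resending and at what interval; whether the padding inside the encrypted body is valid cannot be judged from the capture alone, since that requires the Phase 1 keys.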

