Cisco ASA & Allied Telesis router IPsec VPN- any luck?

Unanswered Question
Sep 11th, 2009

Hello,


I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesis AR450s, but am encountering a strange issue.


Currently I just have the two devices back to back.


If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.


If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.


Checking the debug logs, the problem is occurring during Phase 2 (Phase 1 completes on both devices).


The errors I am seeing:

ASA side:

"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.


Allied side:

During the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.


I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).


What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.


Thanks,

Al

paolo bevilacqua Sat, 09/12/2009 - 02:15

I think you should take a packet capture, check if there is actually a duplicate packet, then complain to the vendor.
