Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ASA 8.4 IKEv1 mismatch


I am trying to ensure that I match the Amazon Web Services config I have been given for a VPN, but I always get the "duplicate first packet" error and it never makes the IKE SA.

In looking further into the config, when I see the

Configuration>site-to-site vpn>advanced>IKE Policies

page, I have priority 201, which is defined as

aes-128 - sha - 2 - pre-share - 28800


When I edit the item, it always has encryption as des and this  item does not get chosen. I think that this may be why we are not able to build phase 1.

I have attached a picture for evidence of what I am seeing. This is non edited since opening the edit box for this policy.

Any suggestions on the phase1 not forming would be handy too.... AWS are strict in their config and have given me this...... I am thinking I have followed it.

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : AZxyiirs0IFXGIPwLG9l3ncDVkcz4rpc
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

Thanks in advance


Everyone's tags (3)
Cisco Employee

Cisco ASA 8.4 IKEv1 mismatch

Hi Anthony,

The messages you are getting could be caused by UDP500 or UPD4500 ports being blocked in the middle or not being sent by the remote site.

The best way to determine the root cause is to run captures on the outside interfaces of both devices, to verify if they are sending and receiving traffic on these ports.



CreatePlease to create content