We have a site to site VPN using a pair of PIX 515's in the primary site that works fine almost all the time. Once in a while the remote side cannot access anything in the primary site and it seems that doing a clear crypto and clearing the tunnel fixes the problem. in trying to discover the source of the problem, the only thing I see is the following log message:
ul 14 2009 13:41:59: %PIX-3-713235: Group = remote, IP = xxx.xxx.xxx.xxx, Attempt to send an IKE packet from standby unit. Dropping the packet!
It does not appear that this message is significant, but it's the only clue I have right now.
Error Message: %PIX|ASA-6-713235: Attempt to send an IKE packet from standby unit.
Dropping the packet!
Explanation: Normally, IKE packets should never be sent from the standby unit to the remote peer. This message is displayed if such an attempt is made due to an internal logic error. The packet never leaves the standby unit because of protective code. This message is mainly to facilitate debugging.
Recommended Action: No action is required by the user. Developers should look into the condition causing the IKE packet to be sent from the standby unit.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...