
New Member

site to site vpn phase 2 issues

Hi,

I have a problem with one of my S2S VPN tunnels. I am getting the below error message: "group = x.x.x.x, ip = y.y.y.y, duplicate phase 2 packet detected. retransmitting last packet". The tunnel was down without making any changes at both ends. Changing the interesting traffic at the remote end, i.e. changing the subnet mask to match my end, resolved the phase 1 issue, but phase 2 is still an issue. I can see packets getting decrypted but no encryption. This was working fine till today afternoon.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

what could be the issue?

Thanks,

Sridhar
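The counters quoted above (decaps 14, encaps 0) already tell a defender which direction is failing. The following is an added example, not code from the thread or from Cisco: it parses the `#pkts ...` lines of `show crypto ipsec sa` output and classifies the SA as idle, decrypt-only, encrypt-only or bidirectional, with a hint for each state. The sample output and the hint wording are constructed here, modelled on the post.

```python
"""Classify the direction of an IPsec SA from 'show crypto ipsec sa' counters.

Added example (not from the original thread). The sample block below is
constructed to mirror the counters the poster quoted.
"""
import re

# Constructed sample: encrypt side idle, decrypt side active.
SAMPLE_SA_OUTPUT = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0
"""

# Each counter looks like "#<name>: <int>", separated by commas.
_COUNTER = re.compile(r"#([^:,]+):\s*(\d+)")


def parse_sa_counters(text):
    """Return a dict such as {'pkts encaps': 0, 'pkts decaps': 14, ...}."""
    return {name.strip(): int(value) for name, value in _COUNTER.findall(text)}


def classify_sa(counters):
    """Classify the SA by which direction is actually carrying packets."""
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "decrypt-only"
    if dec == 0:
        return "encrypt-only"
    return "bidirectional"


# Hypothetical hint text for each state (constructed for this example).
HINTS = {
    "errors": "send/recv errors are non-zero; look at the SA error counters first.",
    "idle": "no packets in either direction; nothing is matching the crypto map yet.",
    "decrypt-only": ("the peer's traffic arrives and is decrypted, but nothing from this side "
                     "is selected for encryption: check that local traffic reaches this firewall "
                     "and matches the crypto map ACL (interesting traffic)."),
    "encrypt-only": ("local traffic is encrypted but nothing comes back: check the peer's "
                     "encryption domain and its routing toward this side."),
    "bidirectional": "both directions carry packets; the SA itself is healthy.",
}


def diagnose(text):
    """Parse the output and return (state, hint)."""
    state = classify_sa(parse_sa_counters(text))
    return state, HINTS[state]


if __name__ == "__main__":
    state, hint = diagnose(SAMPLE_SA_OUTPUT)
    print(f"{state}: {hint}")
```

Run it against the real `show crypto ipsec sa` output for one SA at a time; the counters are per-SA, so a single tunnel with several crypto ACL entries will show one block per proxy-ID pair.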

13 REPLIES

site to site vpn phase 2 issues

Hello,

Is it possible that you could provide the running-config so we can help you on this?

Regards,

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

site to site vpn phase 2 issues

I am really sorry, I can't post the config. If you could tell me the possible reasons, then I will try.

site to site vpn phase 2 issues

Hello,

Sure, this will let us analyze what is really happening here and why the VPN tunnel is not successfully getting established; of course you will need to hide some things such as the IP addresses (security reasons).

I would like to have the VPN configuration of both sites, to see if there is a mismatch in the IPsec configuration. Again, just to help!

Regards,

Julio

New Member

site to site vpn phase 2 issues

Is it possible to enable DH group 2 without PFS in phase 2 on the ASA?

site to site vpn phase 2 issues

Hello,

This link will answer all of your configuration questions regarding an L2L VPN on the ASA:

https://learningnetwork.cisco.com/docs/DOC-8696

Regards,

Julio


site to site vpn phase 2 issues

Yes. Also, refer to the below link for some common troubleshooting processes.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml?referring_site=bodynav

Thx

MS

New Member

site to site vpn phase 2 issues

Thanks for this. Could you guys tell me why the packets are not encrypting, but decrypting?

site to site vpn phase 2 issues

Hello,

There might be a mismatch between the IPsec configuration and the IKE configuration; remember that the transform set is based on what you have configured for phase 1. So check that!

Do rate if this helps.

Julio

New Member

site to site vpn phase 2 issues

Looks like my remote end has DH group 2 and PFS disabled in phase 2, whereas at my end both are disabled. I think if I need to enable the DH group alone at my end without PFS, it is not possible. I have a Cisco ASA 5520 and the remote end has a Checkpoint UTM. Correct me if I am wrong?

site to site vpn phase 2 issues

Hello,

That's it. You need to have the same phase two configuration on both VPN ends.

Julio

New Member

site to site vpn phase 2 issues

We have changed the phase 1 and phase 2 parameters at both ends, and also the interesting traffic, after which the tunnel came up. But interestingly, the remote end is not able to ping my server LAN and my server LAN is not able to reach the remote LAN. When I do a debug crypto ipsec I am getting the below messages. Verified all ACLs and rules, looks to be fine.

IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 3 does not hole match for ACL OUTSIDE_ISP_cryptomap_3.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 4 does not hole match for ACL OUTSIDE_ISP_cryptomap_4.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 5 does not hole match for ACL OUTSIDE_ISP_cryptomap_5.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 6 does not hole match for ACL outside_ssl_6_cryptomap.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 7 does not hole match for ACL OUTSIDE_ISP_cryptomap_7.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 8 does not hole match for ACL outside_ssl_cryptomap_1.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 9 does not hole match for ACL outside_ssl_cryptomap_2.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 1 does not hole match for ACL outside_ssl_cryptomap.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 2 does not hole match for ACL OUTSIDE_ISP_cryptomap_1.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 3 does not hole match for ACL OUTSIDE_ISP_cryptomap_3.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 4 does not hole match for ACL OUTSIDE_ISP_cryptomap_4.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 5 does not hole match for ACL OUTSIDE_ISP_cryptomap_5.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 6 does not hole match for ACL outside_ssl_6_cryptomap.

site to site vpn phase 2 issues

Hello Sridar,

Are you sure you have the same ACL configuration (interesting traffic)? I mean, without seeing the VPN config it will be hard to help you on this.

Regards,

New Member

site to site vpn phase 2 issues

I can provide assistance. I have spent the past month trying to get the Checkpoint and the Cisco ASA to play nicely. Checkpoint UTM and Edge products send the peer or public IP address as part of the encryption domain. You need to go into the console and include that as part of your statements. Look at the example below.

access-list outside_1_cryptomap extended permit ip host a.b.c.d host e.f.g.h
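The two problems in this thread (the "does not hole match for ACL" debug lines and the Checkpoint encryption domain that includes the peer's own public address) are both proxy-ID mismatches: the ASA needs a crypto ACL entry whose source and destination are the mirror image of what the peer proposes in phase 2. The following is an added example, not code from the thread, from Cisco or from Checkpoint. It parses ASA-style `access-list ... extended permit ip` lines for both ends, reports entries that the other side does not mirror, and prints the ASA line that would mirror each missing one. The ACL names, addresses and the idea of writing the Checkpoint encryption domain in ASA syntax are constructed assumptions for the example.

```python
"""Check that the crypto ACLs on both ends of an L2L tunnel mirror each other.

Added example (not from the original thread). Addresses, ACL names and the
remote side written in ASA syntax are all constructed for this illustration.
"""
import ipaddress
import re

# Local ASA crypto ACL (constructed). The second line is the host-to-host pair
# that a Checkpoint peer adds for its own public address.
ASA_CRYPTO_ACL = """
access-list OUTSIDE_ISP_cryptomap_1 extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE_ISP_cryptomap_1 extended permit ip host 203.0.113.10 host 198.51.100.20
"""

# Remote encryption domain, transcribed in ASA syntax so both sides parse the
# same way (constructed). The third subnet has no mirror on the ASA side.
REMOTE_ENCRYPTION_DOMAIN = """
access-list REMOTE extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list REMOTE extended permit ip host 198.51.100.20 host 203.0.113.10
access-list REMOTE extended permit ip 192.168.60.0 255.255.255.0 10.10.0.0 255.255.255.0
"""

_ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _parse_endpoint(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return a list of (src_network, dst_network) pairs from ASA ACL lines."""
    pairs = []
    for line in text.strip().splitlines():
        match = _ACE.match(line.strip())
        if not match:
            continue  # object-group or non-ip lines are out of scope here
        src, rest = _parse_endpoint(match.group(2).split())
        dst, _ = _parse_endpoint(rest)
        pairs.append((src, dst))
    return pairs


def unmirrored(local, remote):
    """Pairs each side proposes that the other side does not hold as (dst, src)."""
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [p for p in local if (p[1], p[0]) not in remote_set]
    missing_on_local = [p for p in remote if (p[1], p[0]) not in local_set]
    return missing_on_remote, missing_on_local


def _render(net):
    """Render a network back in ASA ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def mirror_ace(acl_name, pair):
    """The ASA ACE that would mirror a remote (src, dst) pair on the local side."""
    src, dst = pair
    return f"access-list {acl_name} extended permit ip {_render(dst)} {_render(src)}"


if __name__ == "__main__":
    local = parse_crypto_acl(ASA_CRYPTO_ACL)
    remote = parse_crypto_acl(REMOTE_ENCRYPTION_DOMAIN)
    on_remote, on_local = unmirrored(local, remote)
    for pair in on_remote:
        print(f"peer lacks a mirror for local entry {pair[0]} -> {pair[1]}")
    for pair in on_local:
        print("ASA lacks a mirror; candidate line:", mirror_ace("OUTSIDE_ISP_cryptomap_1", pair))
```

For a Checkpoint peer, the host-to-host pair covering the peer's public address is exactly the kind of entry this check surfaces when it is missing on the ASA; the printed candidate line is a starting point to review against the actual encryption domain, not something to paste blindly.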
