My ASA has 3 outside interfaces and one inside interface. Two outside interfaces are configured for two ADSL connections (with IP SLA for redundancy). The other outside interface is configured for a static public IP address in order to terminate remote access VPN. When remote VPN users try to connect, I'm getting the following error.
xxx-ASA5510# sh d
Sep 03 02:08:57 [IKEv1]: IP = 184.108.40.206, Connection landed on tunnel_group xxx
Sep 03 02:09:02 [IKEv1]: Group = QBC, IP = 220.127.116.11, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 03 02:09:02 [IKEv1]: Group = QBC, IP = 18.104.22.168, P1 Retransmit msg dispatched to AM FSM
Can anyone advise me what the exact issue is with this connection failure?
I attached the running configuration for ready reference.
Error Message - %PIX-5-713201: Duplicate (Phase 1/Phase 2) packet detected. (Retransmitting test packet/No last packet to retransmit.)
Explanation - This message is displayed when a duplicate IKE Phase 1 or IKE Phase 2 message is received. A duplicate message indicates that the peer did not receive the response to the message, because it was either dropped somewhere in the network, it was dropped by the peer because the message was in error, or it was never sent because the original message was in error.
Recommended Action - If this event is transient, then you can ignore it because it will not result in tunnel drops or tunnel errors. If the event persists and it is associated with tunnel failures, then you should take the following action:
Review other events associated with this IKE session to determine whether one of the peers is misconfigured. A misconfiguration could result in messages being dropped by one or both peers. If a misconfiguration has not caused the error, then you may require a network analyzer to determine where the message is being dropped.
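A log triage helper for the 713201 guidance above, added here as an example and not part of any reply in this thread: it groups duplicate-packet events per peer, using the debug line format shown in the question, and separates isolated events from repeated ones. The threshold of 3 duplicates within 60 seconds, the placeholder year and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the IKEv1 debug line layout shown in the question.
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)
DUP = re.compile(r"Duplicate Phase (?P<phase>[12]) packet detected")

def classify(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {(peer_ip, phase): 'transient' | 'persistent'}.

    threshold and window are assumed tuning values, not Cisco defaults.
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        d = DUP.search(m["msg"])
        if d:
            # The log carries no year; 2000 is a placeholder used only for deltas.
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            seen[(m["ip"], int(d["phase"]))].append(ts)
    result = {}
    for key, stamps in seen.items():
        stamps.sort()
        # Persistent if any run of `threshold` duplicates fits inside `window`.
        persistent = any(
            stamps[i + threshold - 1] - stamps[i] <= window
            for i in range(len(stamps) - threshold + 1)
        )
        result[key] = "persistent" if persistent else "transient"
    return result

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = """\
Sep 03 02:08:57 [IKEv1]: IP = 198.51.100.10, Connection landed on tunnel_group QBC
Sep 03 02:09:02 [IKEv1]: Group = QBC, IP = 198.51.100.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 03 02:09:07 [IKEv1]: Group = QBC, IP = 198.51.100.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 03 02:09:12 [IKEv1]: Group = QBC, IP = 198.51.100.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 03 02:15:30 [IKEv1]: Group = QBC, IP = 203.0.113.7, Duplicate Phase 1 packet detected. Retransmitting last packet.
""".splitlines()

if __name__ == "__main__":
    for (ip, phase), verdict in classify(SAMPLE).items():
        print(f"{ip} phase {phase}: {verdict}")
```

Peers reported as persistent are the ones whose other IKE events are worth reviewing for misconfiguration or a drop along the path.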
The ASA/PIX firewalls can only handle 1 default-route to the Internet. You would need to place a L3 device (router) in front of the ASA/PIX firewall, or purchase some sort of load balancing/failover appliance such as WARP by FatPipe, etc.
The ASA/PIX can handle redundant or backup ISP links using the following guideline: