
New Member

Cisco ASA & Allied Telesis router IPsec VPN- any luck?


I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesis AR450s, but am encountering a strange issue.

Currently I just have the two devices back to back.

If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.

If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.

Checking the debug logs, the problem is occurring during Phase 2 (Phase 1 completes on both devices).

The errors I am seeing:

ASA side:

"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.

Allied side:

During the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.

I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).

What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.



Hall of Fame Super Gold

Re: Cisco ASA & Allied Telesis router IPsec VPN- any luck?

I think you should take a packet capture, check if there is actually a duplicate packet, then complain to the vendor.
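
One way to act on the packet-capture suggestion above, as an added example that is not part of the original thread: a Python check that reads the fixed ISAKMP header (RFC 2408) of each UDP/500 payload, reports byte-identical IKEv1 Quick Mode retransmissions, and flags encrypted Phase 2 messages whose body is not a multiple of the DES block size. It assumes the payloads have already been extracted from the capture; the function names and the sample packets are constructed for illustration.

```python
import hashlib
import struct
from collections import Counter

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 section 3.1, 28 bytes
QUICK_MODE = 32        # IKEv1 Phase 2 exchange type (RFC 2409)
FLAG_ENCRYPTED = 0x01  # encryption bit in the ISAKMP flags field
DES_BLOCK = 8          # DES-CBC block size in bytes

def parse_isakmp(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header of one UDP/500 payload."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, _np, _ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    body = payload[ISAKMP_HDR.size:]
    return {
        "key": (icookie, rcookie, msg_id),
        "exchange": xchg,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "length_ok": length == len(payload),
        # Ciphertext length only: the decrypted pad-length byte needs the keys.
        "block_aligned": len(body) % DES_BLOCK == 0,
        "digest": hashlib.sha256(payload).hexdigest(),
    }

def analyze_phase2(payloads):
    """Return (retransmitted message keys with counts, suspicious packet indexes)."""
    seen = Counter()
    suspicious = []
    for i, raw in enumerate(payloads):
        p = parse_isakmp(raw)
        if p["exchange"] != QUICK_MODE:
            continue
        seen[(p["key"], p["digest"])] += 1
        if not p["length_ok"] or (p["encrypted"] and not p["block_aligned"]):
            suspicious.append(i)
    dups = {k: n for (k, _digest), n in seen.items() if n > 1}
    return dups, suspicious

def build(msg_id, body, xchg=QUICK_MODE, flags=FLAG_ENCRYPTED):
    """Constructed sample packet; cookies and body bytes are made up."""
    hdr = ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 8, 0x10, xchg, flags, msg_id, 28 + len(body))
    return hdr + body

SAMPLE = [
    build(0, b"\x00" * 40, xchg=2, flags=0),   # Main Mode packet, ignored
    build(0xA1B2C3D4, b"\x11" * 48),           # Quick Mode message
    build(0xA1B2C3D4, b"\x11" * 48),           # byte-identical retransmission
    build(0xA1B2C3D4, b"\x22" * 21),           # body not a multiple of 8 bytes
]
```

A byte-identical repeat is an ordinary retransmission by the sender; the same message ID with different bytes is a different Phase 2 message and is not counted as a duplicate here.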