
Android VPN to ASA 5505 duplicate phase 1 packet detected

George Mason
Level 1

Hi all

I am trying to get an IPsec remote access VPN working between an Android 4.3 device and a Cisco ASA 5505. I have the following phase 1 proposals:

PRM-ASA3(config)# sh run crypto isakm
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Not sure what the Android VPN defaults to, as it doesn't have any settings that granular.

The ASA is logging this:

PRM-ASA3(config)# Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 649

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing SA payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ke payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ISA_KE payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing nonce payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Fragmentation VID

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal RFC VID

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal ver 02 VID

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received xauth V6 VID

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Cisco Unity client VID

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received DPD VID

Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, Connection landed on tunnel_group PRM-IT-access

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, processing IKE SA payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ISAKMP SA payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ke payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing nonce payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Generating keys for Responder...

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing hash payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Computing hash for ISAKMP

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Cisco Unity VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing xauth V6 VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing dpd vid payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Traversal VID ver 02 payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Fragmentation VID + extended capabilities payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing VID payload

Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM

Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM

Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM

Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.

Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG-->AM_WAIT_MSG3, EV_RESEND_MSG

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA AM:e6f1e3d8 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, sending delete/delete with reason message

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing blank hash payload

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing IKE delete payload

Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing qm hash payload

Totally stuck at this point! Please help me save what's left of my hair....

Thanks
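Added example, not part of the original post: a small Python triage of the ASA IKEv1 debug output quoted above, reporting per peer the tunnel group, the matched IKE entry, the number of duplicate Phase 1 packets, and the FSM states in which the responder was waiting for the peer. The function name `triage` and the result keys are assumptions of this example; the sample lines are an excerpt of the log in the post.

```python
import re

# Excerpt of the ASA debug output quoted in the post (shortened to the key lines).
SAMPLE_LOG = """\
Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, Connection landed on tunnel_group PRM-IT-access
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG-->AM_WAIT_MSG3, EV_RESEND_MSG
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA AM:e6f1e3d8 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0
"""

# Matches any IKEv1 log line and pulls out the peer address and the message text;
# a leading CLI prompt such as "PRM-ASA3(config)# " is tolerated.
IKE_LINE = re.compile(r"\[IKEv1(?: DEBUG)?\]: .*?IP = (?P<ip>[\d.]+), (?P<msg>.*)$")
FSM_HISTORY = re.compile(r"FSM error history.*<state>, <event>:\s+(?P<hist>.*)$")


def triage(log_text):
    """Summarise each peer's IKEv1 Phase 1 attempt from ASA debug output."""
    peers = {}
    for line in log_text.splitlines():
        m = IKE_LINE.search(line)
        if not m:
            continue
        s = peers.setdefault(m["ip"], {
            "tunnel_group": None, "matched_ike_entry": None, "duplicate_phase1": 0,
            "wait_states": [], "fsm_error": False, "sa_terminated": False})
        msg = m["msg"]
        if g := re.search(r"Connection landed on tunnel_group (\S+)", msg):
            s["tunnel_group"] = g[1]
        elif e := re.search(r"Matches global IKE entry # (\d+)", msg):
            s["matched_ike_entry"] = int(e[1])
        elif "Duplicate Phase 1 packet detected" in msg:
            s["duplicate_phase1"] += 1
        elif h := FSM_HISTORY.search(msg):
            # The history is a "-->"-separated list of "STATE, EVENT" pairs.
            pairs = [p.strip().split(", ") for p in h["hist"].split("-->")]
            s["wait_states"] = sorted({st for st, *_ in pairs if "_WAIT_" in st})
            s["fsm_error"] = any("EV_ERROR" in ev for _, *ev in pairs)
        elif "IKE SA" in msg and "terminating" in msg:
            s["sa_terminated"] = True
    return peers


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```
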
