552 Views, 0 Helpful, 2 Replies
Headbanging L2L ipsec problem

Hey everyone, been in here several times with the same problem.

I run several ASAs on several internet providers that all fail on a L2L to a remote site. On the remote site we have tried Palo Alto, Fortigate, Cisco ASA5505. On the local site I run a 5555-X and a 5550.

The config is correct and the ipsec can run normally for 1 hour to 14 days, then it drops; after that both firewalls complain about duplicate phase 1 packets. This to me seems like one of the FWs could have a wrong route or something, but everything checks out. I can ping and access https for example on the remote box, it only fails on L2L. Different public IPs have been used to rule out a duplicate IP on the remote site.

Attached are error logs from both boxes, they are almost identical. I have contacted the ISP on the remote site for assistance, but not much help.

The local and remote sites all run other tunnels ok (100+).

I have been working on this for 4 months and I'm about to go totally loopy!

Can anyone assist?

Regards, J.

Please rate as helpful, if that would be the case. Thanx
2 Replies

m.kafka
Level 4

Just one thing, why do I see "Aggressive mode" for Phase 1? Is that on purpose?

Also, could you try to capture the IKE packets just to make sure that all packets arrive resp. are sent on both sides?
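One way to act on the capture suggestion above, as an added example that is not part of this thread or of any vendor tool: take a simple one-line-per-packet summary of the IKE traffic (UDP 500/4500) captured on each firewall, tag each line with whether that box sent or received the packet, and correlate the two captures by flow, IKE SPIs, exchange and message id. Packets one side sent that never show up on the other point at loss or filtering in the path; packets that arrive more often than they were sent explain "duplicate phase 1 packet" complaints. The summary format, the `exch` labels and the two captures below are constructed for the example, not the output of any real capture tool.

```python
"""Correlate IKE packet summaries captured on both ends of a site-to-site tunnel.

Constructed line format (one packet per line):
  <dir> <seconds> <src_ip>:<src_port> > <dst_ip>:<dst_port> ispi=<hex> rspi=<hex> exch=<label> msgid=<n>
<dir> is 'out' for packets the capturing firewall sent and 'in' for packets it received.
"""
from collections import Counter
from dataclasses import dataclass
import re

LINE_RE = re.compile(
    r"^(?P<dir>in|out)\s+(?P<ts>\d+(?:\.\d+)?)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"ispi=(?P<ispi>[0-9a-fA-F]+)\s+rspi=(?P<rspi>[0-9a-fA-F]+)\s+"
    r"exch=(?P<exch>\w+)\s+msgid=(?P<msgid>\d+)$"
)


@dataclass(frozen=True)
class IkePacket:
    direction: str  # 'out' = sent by the capturing box, 'in' = received by it
    ts: float
    src: str
    dst: str
    ispi: str
    rspi: str
    exch: str
    msgid: int

    @property
    def key(self):
        # Identity of the packet independent of which side captured it.
        return (self.src, self.dst, self.ispi.lower(), self.rspi.lower(), self.exch, self.msgid)


def parse_capture(lines):
    """Parse summary lines into IkePacket objects; blank and '#' lines are skipped."""
    packets = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable capture line: {line!r}")
        packets.append(IkePacket(m["dir"], float(m["ts"]), m["src"], m["dst"],
                                 m["ispi"], m["rspi"], m["exch"], int(m["msgid"])))
    return packets


def compare_direction(sender_capture, receiver_capture):
    """Compare what one side sent with what the other side received, per packet identity."""
    sent = Counter(p.key for p in sender_capture if p.direction == "out")
    seen = Counter(p.key for p in receiver_capture if p.direction == "in")
    findings = []
    for key in sorted(set(sent) | set(seen)):
        if sent[key] == seen[key]:
            continue  # every copy sent was received exactly once: nothing to report
        src, dst, ispi, rspi, exch, msgid = key
        findings.append({
            "flow": f"{src}->{dst}", "ispi": ispi, "rspi": rspi, "exch": exch, "msgid": msgid,
            "sent": sent[key], "received": seen[key],
            "verdict": "lost in path" if sent[key] > seen[key] else "duplicated in path",
        })
    return findings


def correlate(local_lines, remote_lines):
    """Run the comparison in both directions and return the mismatches found."""
    local = parse_capture(local_lines)
    remote = parse_capture(remote_lines)
    return {
        "local_to_remote": compare_direction(local, remote),
        "remote_to_local": compare_direction(remote, local),
    }


# Constructed sample: local ASA 203.0.113.10 initiating main mode to peer 198.51.100.20.
LOCAL_CAPTURE = """
out 1000.00 203.0.113.10:500 > 198.51.100.20:500 ispi=aa11 rspi=0000 exch=MM_SA msgid=0
in  1000.05 198.51.100.20:500 > 203.0.113.10:500 ispi=aa11 rspi=bb22 exch=MM_SA msgid=0
out 1000.10 203.0.113.10:500 > 198.51.100.20:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
out 1008.10 203.0.113.10:500 > 198.51.100.20:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
in  1008.20 198.51.100.20:500 > 203.0.113.10:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
in  1008.25 198.51.100.20:500 > 203.0.113.10:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
""".splitlines()

# Constructed sample: the same exchange as seen by the remote peer.
REMOTE_CAPTURE = """
in  1000.02 203.0.113.10:500 > 198.51.100.20:500 ispi=aa11 rspi=0000 exch=MM_SA msgid=0
out 1000.03 198.51.100.20:500 > 203.0.113.10:500 ispi=aa11 rspi=bb22 exch=MM_SA msgid=0
in  1008.12 203.0.113.10:500 > 198.51.100.20:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
out 1008.15 198.51.100.20:500 > 203.0.113.10:500 ispi=aa11 rspi=bb22 exch=MM_KE msgid=0
""".splitlines()

if __name__ == "__main__":
    for direction, findings in correlate(LOCAL_CAPTURE, REMOTE_CAPTURE).items():
        print(direction)
        for f in findings:
            print(f"  {f['flow']} {f['exch']} msgid={f['msgid']}: "
                  f"sent {f['sent']}, received {f['received']} -> {f['verdict']}")
```

In the constructed sample the local box's first MM_KE packet never reaches the peer (one of two copies sent arrives), while the peer's MM_KE reply arrives twice at the local box; that asymmetry is what to look for when two otherwise healthy firewalls each blame the other for duplicate phase 1 packets. Where both captures agree, the path is clean and the fault lies elsewhere.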

Aggressive was on purpose, I had it on as a test when I took the log; it has never been used when the problem occurred.

I have now received a new IP from the remote ISP, some problems were discovered and I'm waiting to see if the tunnel goes down again.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx