Cisco Support Community

Headbanging L2L ipsec problem

Hey everyone, I've been in here several times with the same problem.

I run several ASAs on several internet providers that all fail on an L2L to a remote site. On the remote site we have tried Palo Alto, Fortigate, and Cisco ASA 5505. On the local site I run a 5555-X and a 5550.

The config is correct and the IPsec can run normally for 1 hour to 14 days, then it drops; after that both firewalls complain about duplicate phase 1 packets. To me this seems like one of the FWs could have a wrong route or something, but everything checks out. I can ping and access HTTPS, for example, on the remote box; it only fails on L2L. Different public IPs have been used to rule out a duplicate IP on the remote site.

Attached are error logs from both boxes; they are almost identical. I have contacted the ISP on the remote site for assistance, but not much help.

The local and remote sites all run other tunnels OK (100+).

I have been working on this for 4 months and I'm about to go totally loopy!

Can anyone assist?

Regards, J.


Re: Headbanging L2L ipsec problem

Just one thing: why do I see "Aggressive mode" for Phase 1? Is that on purpose?

Also, could you try to capture the IKE packets, just to make sure that all packets are sent and arrive on both sides?
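One way to act on the capture suggestion above, as an added example that is not part of this thread or of any Cisco tool: take a capture of UDP/500 on the outside interface of both firewalls at the same time (on an ASA, `capture <name> interface outside match udp host <local-peer> host <remote-peer> eq 500`, then `copy /pcap capture:<name> tftp://...` to export it), then compare the two. The script below decodes the fixed ISAKMP header of each datagram, reports phase 1 datagrams that one side sent more than once (what the other side logs as duplicates), and lists datagrams that appear in one capture but not the other, which is the one-way loss that makes a peer retransmit. All addresses, cookies and payloads are constructed; a real run would feed it (src, dst, UDP payload) tuples pulled from the two pcaps.

```python
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408 s3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ENCRYPTION_FLAG = 0x01
EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
PHASE1_EXCHANGES = {2, 4}


def parse_isakmp(payload):
    """Decode the 28-byte ISAKMP header of one UDP/500 datagram payload."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than an ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "ispi": ispi.hex(), "rspi": rspi.hex(),
        "version": (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGES.get(exch, "type %d" % exch),
        "phase1": exch in PHASE1_EXCHANGES,
        "encrypted": bool(flags & ENCRYPTION_FLAG),
        "next_payload": nxt, "msg_id": msg_id, "length": length,
    }


def build_isakmp(ispi, rspi, next_payload, exch, flags=0, msg_id=0, body=b""):
    """Construct a datagram with a valid header (used only for the constructed sample)."""
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, 0x10, exch, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


def phase1_retransmits(capture):
    """Phase 1 datagrams that occur more than once in one capture.

    capture is a list of (src_ip, dst_ip, payload). A retransmission is a
    byte-identical datagram in the same direction; the header is decoded so the
    report says which exchange it is and which side keeps repeating itself."""
    counts = Counter(capture)
    return [(src, dst, n, parse_isakmp(p))
            for (src, dst, p), n in counts.items()
            if n > 1 and parse_isakmp(p)["phase1"]]


def not_seen_at_far_end(near_capture, far_capture):
    """Datagrams present in near_capture but absent from far_capture, in either
    direction: sent by the near end and lost before the far end, or sent by the
    far end and lost before the near end. Duplicates are collapsed."""
    far = set(far_capture)
    return [pkt for pkt in dict.fromkeys(near_capture) if pkt not in far]


# Constructed sample: RFC 5737 documentation addresses, made-up cookies.
LOCAL, REMOTE = "203.0.113.10", "198.51.100.20"
ISPI = bytes.fromhex("a1b2c3d4e5f60718")
RSPI = bytes.fromhex("1122334455667788")
NO_RSPI = bytes(8)

MM1 = build_isakmp(ISPI, NO_RSPI, 1, 2, body=b"\x00" * 32)  # SA proposal, responder cookie still zero
MM2 = build_isakmp(ISPI, RSPI, 1, 2, body=b"\x00" * 32)     # responder's SA choice
MM3 = build_isakmp(ISPI, RSPI, 4, 2, body=b"\x11" * 64)     # initiator KE + nonce
MM4 = build_isakmp(ISPI, RSPI, 4, 2, body=b"\x22" * 64)     # responder KE + nonce

# What each end captured. The remote end answered MM3 with MM4, but MM4 never
# reached the local end, so the local end retransmitted MM3 and the remote end
# saw "duplicate" phase 1 packets.
LOCAL_CAPTURE = [
    (LOCAL, REMOTE, MM1), (REMOTE, LOCAL, MM2),
    (LOCAL, REMOTE, MM3), (LOCAL, REMOTE, MM3), (LOCAL, REMOTE, MM3),
]
REMOTE_CAPTURE = [
    (LOCAL, REMOTE, MM1), (REMOTE, LOCAL, MM2),
    (LOCAL, REMOTE, MM3), (REMOTE, LOCAL, MM4),
    (LOCAL, REMOTE, MM3), (LOCAL, REMOTE, MM3),
]

if __name__ == "__main__":
    for src, dst, n, hdr in phase1_retransmits(LOCAL_CAPTURE):
        print(f"{src} -> {dst}: {hdr['exchange']} datagram sent {n} times (rspi {hdr['rspi']})")
    for src, dst, p in not_seen_at_far_end(REMOTE_CAPTURE, LOCAL_CAPTURE):
        hdr = parse_isakmp(p)
        print(f"{src} -> {dst}: seen at remote end only ({hdr['exchange']}, {len(p)} bytes)")
```

Run against the sample it reports the local end sending the same main mode datagram three times and the remote end's reply as present only in the remote capture. On real captures that pattern (one side's reply never arriving, the other side retransmitting) points at the path between the two public IPs rather than at either firewall's configuration, which is the question the thread is trying to settle.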

Re: Headbanging L2L ipsec problem

Aggressive was on purpose; I was running it as a test when I took the log. It had never been in use when the problem occurred.

I have now received a new IP from the remote ISP; some problems were discovered and I'm waiting to see if the tunnel goes down again.
