Cisco Support Community
New Member

IPSec L2L issue.

Hello.

I have a hub-spoke vpn solution, using ASA with software 8.0(3).

I have installed the last spoke, an ASA5505 like all others, but the tunnel does not come up!

Using debug I can get this message:

Dec 17 01:56:04 [IKEv1]: IP = X.X.X.X, Duplicate Phase 1 packet detected. Retransmitting last packet.

All spokes are ASA5505 with the same configuration for isakmp and IPSec.

Any idea?

Thanks.

Andrea.

5 REPLIES
Bronze

Re: IPSec L2L issue.

Have a look at this document, http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Also if you can post a sanitized config of both the hub and spoke in question, that would be helpful.

Hope this helps, rate if it does.

JB

New Member

Re: IPSec L2L issue.

Sanitized configuration files.

I don't understand why only this last spoke does not work!

Cisco Employee

Re: IPSec L2L issue.

Andrea,

Based on the debugs, it looks like the IKE packets are being blocked somewhere along the path between the Hub and Spoke. Make sure that the IKE and IPSEC Ports/Protocols are not blocked anywhere between the ASA5505 and headend side.

Regards,

Arul

*Pls rate if it helps*

Bronze

Re: IPSec L2L issue.

One document points to the key being invalid, another indicates the crypto ACLs aren't properly set up. Try re-entering the key on the spoke to verify it matches the hub. Also double-check the crypto and nonat ACLs on both sides to verify they look proper.

Hope this helps, rate if it does,

JB
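
An added example, not part of the original thread or of Cisco's tooling: one way to check that a spoke's crypto ACL is the mirror image of the hub's, as the reply above suggests verifying. The ACL names, addresses and configuration lines are constructed samples, and only `permit ip <net> <mask> <net> <mask>` entries are parsed.

```python
import ipaddress
import re

# ASA-style network ACE: access-list NAME extended permit ip NET MASK NET MASK
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

# Constructed sample configs (hypothetical names and addressing).
HUB_CONFIG = """
access-list SPOKE9_CRYPTO extended permit ip 10.0.0.0 255.255.0.0 10.9.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.0.0 10.9.1.0 255.255.255.0
"""
SPOKE_CONFIG = """
access-list HUB_CRYPTO extended permit ip 10.9.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.9.1.0 255.255.255.0 10.0.0.0 255.255.0.0
"""

def parse_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.add((src, dst))
    return pairs

def mirror_mismatches(hub_pairs, spoke_pairs):
    """Compare the spoke ACL with the hub ACL reversed.

    Returns (missing_on_spoke, extra_on_spoke) as sorted lists of
    spoke-side (source, destination) pairs. Both empty means mirrored.
    """
    expected = {(dst, src) for src, dst in hub_pairs}
    missing = sorted(expected - spoke_pairs, key=str)
    extra = sorted(spoke_pairs - expected, key=str)
    return missing, extra

if __name__ == "__main__":
    hub = parse_acl(HUB_CONFIG, "SPOKE9_CRYPTO")
    spoke = parse_acl(SPOKE_CONFIG, "HUB_CRYPTO")
    missing, extra = mirror_mismatches(hub, spoke)
    for src, dst in missing:
        print(f"spoke is missing: permit ip {src} {dst}")
    for src, dst in extra:
        print(f"spoke has no hub counterpart for: permit ip {src} {dst}")
```

In the constructed sample the spoke's crypto ACL uses a /24 mask for the hub network where the hub uses /16, so the two entries are reported as not mirrored, while the nonat ACLs match.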

New Member

Re: IPSec L2L issue.

Hello JB and many thanks for your help.

I had already re-entered the pre-shared key before posting for discussion.

I believe that the spoke is not able to reach the hub. I believe that there is route filtering between remote AS.

Regards.

Andrea.
