ASA - ASR site-to-site tunnel fail down

Ivan Denezhkin
Level 1

Hi.

I have an ASA5510, which terminates several site-to-site VPNs (with ASAs and an ASR1002). In the initial state the tunnels work right, but over time the ASA - ASR tunnel falls down and doesn't come back to the up state. Phase 1 is completed, phase 2 is not completed.

debug crypto ipsec sa 254:

IPSEC(crypto_map_check)-3: Checking crypto map MAP 110: matched.

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.x.x.x, sport=3, daddr=10.y.y.y, dport=3

IPSEC(crypto_map_check)-3: Checking crypto map MAP 110: matched.

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.x.x.x, sport=3, daddr=10.y.y.y, dport=3

......

......

Terminal monitor :

%ASA-7-752008: Duplicate entry already in Tunnel Manager

%ASA-7-752008: Duplicate entry already in Tunnel Manager

%ASA-7-752008: Duplicate entry already in Tunnel Manager

How can I solve this problem?


praprama
Cisco Employee

Hi Ivan,

What version is your ASA running? Can you post the IPsec debugs from the other end of the VPN tunnel as well?

Regards,

Prapanch

Hi, I have the same, and this is the debug crypto output at level 255:

A-7-713906: IP = 192.168.1.11, sending delete/delete with reason message

%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.

%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.

%ASA-7-609001: Built local-host inside:172.20.2.10

%ASA-7-609001: Built local-host outside:172.14.1.10

%ASA-7-609002: Teardown local-host inside:172.20.2.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:172.14.1.10 duration 0:00:00

%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 10.

%ASA-4-752010: IKEv2 Doesn't have a proposal specified

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-5-713041: IP = 192.168.1.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.1.11  local Proxy Address 172.20.2.10, remote Proxy Address 172.14.1.10,  Crypto map (outside_map)

%ASA-7-715046: IP = 192.168.1.11, constructing ISAKMP SA payload

%ASA-7-715046: IP = 192.168.1.11, constructing NAT-Traversal VID ver 02 payload

%ASA-7-715046: IP = 192.168.1.11, constructing NAT-Traversal VID ver 03 payload

%ASA-7-715046: IP = 192.168.1.11, constructing NAT-Traversal VID ver RFC payload

%ASA-7-715046: IP = 192.168.1.11, constructing Fragmentation VID + extended capabilities payload

%ASA-7-713236: IP = 192.168.1.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248

%ASA-7-713236: IP = 192.168.1.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248

%ASA-7-713236: IP = 192.168.1.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248

%ASA-7-609001: Built local-host inside:172.20.2.10

%ASA-7-609001: Built local-host outside:172.14.1.10

%ASA-7-609002: Teardown local-host inside:172.20.2.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:172.14.1.10 duration 0:00:00

%ASA-7-752008: Duplicate entry already in Tunnel Manager

%ASA-7-609001: Built local-host inside:172.20.2.10

%ASA-7-609001: Built local-host outside:172.14.1.10

%ASA-7-609002: Teardown local-host inside:172.20.2.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:172.14.1.10 duration 0:00:00

%ASA-7-752008: Duplicate entry already in Tunnel Manager

%ASA-7-713236: IP = 192.168.1.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248

%ASA-7-609001: Built local-host inside:172.20.2.10

%ASA-7-609001: Built local-host outside:172.14.1.10

%ASA-7-609002: Teardown local-host inside:172.20.2.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:172.14.1.10 duration 0:00:00

%ASA-7-752008: Duplicate entry already in Tunnel Manager

%ASA-7-715065: IP = 192.168.1.11, IKE MM Initiator FSM error history (struct &0xbc2690d8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

%ASA-7-713906: IP = 192.168.1.11, IKE SA MM:47c3348c terminating:  flags 0x01000022, refcnt 0, tuncnt 0

%ASA-7-713906: IP = 192.168.1.11, sending delete/delete with reason message

%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.

%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.

ASA-1(config)#

I am having the same issue and don't understand why there is the ability to add a backup peer if it can't fail over to it. I read on a different discussion that this worked on their PIX but stopped working after they replaced them with ASAs. You would think that at some point the entry in the Tunnel Manager would time out and the new peer could connect.

Thank you,

Mark

Added Solucoes
Level 1

Hi, I am facing the same problems.

My scenario is an ASA 5505 with two ISPs (active and backup) making a VPN with a Nortel (Contivity) device on the other side.

A track SLA monitors the link's status, but changing to the backup (or re-establishing on the main link) takes about 5 minutes. The messages are:

  Remote subnet: 172.24.0.0  Mask 255.252.0.0 Protocol 0  Port 0

Feb 19 2014 04:04:25: %ASA-7-715046: Group = 200.211.x.x, IP = 200.211.x.x, constructing qm hash payload

Feb 19 2014 04:04:25: %ASA-7-714004: Group = 200.211.x.x, IP = 200.211.x.x, IKE Initiator sending 1st QM pkt: msg id = d8e1952f

Feb 19 2014 04:04:25: %ASA-7-713236: IP = 200.211.x.x, IKE_DECODE SENDING Message (msgid=d8e1952f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168

Feb 19 2014 04:04:25: %ASA-7-713236: IP = 200.211.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40

Feb 19 2014 04:04:25: %ASA-7-713236: IP = 200.211.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40

Feb 19 2014 04:04:25: %ASA-5-713904: Group = 200.211.x.x, IP = 200.211.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping

Feb 19 2014 04:04:25: %ASA-4-713903: Group = 200.211.x.x, IP = 200.211.x.x, Information Exchange processing failed

Feb 19 2014 04:04:25: %ASA-7-609001: Built local-host isp2:172.22.1.175

Feb 19 2014 04:04:25: %ASA-7-609002: Teardown local-host isp2:172.22.1.175 duration 0:00:00

Feb 19 2014 04:04:25: %ASA-7-609001: Built local-host isp2:172.22.1.90

Feb 19 2014 04:04:25: %ASA-7-609002: Teardown local-host isp2:172.22.1.90 duration 0:00:00

Feb 19 2014 04:04:26: %ASA-7-609001: Built local-host isp2:172.26.82.64

Feb 19 2014 04:04:26: %ASA-7-609002: Teardown local-host isp2:172.26.82.64 duration 0:00:00

Feb 19 2014 04:04:27: %ASA-7-609001: Built local-host isp2:172.20.142.10

Feb 19 2014 04:04:27: %ASA-7-609002: Teardown local-host isp2:172.20.142.10 duration 0:00:00

Feb 19 2014 04:04:27: %ASA-7-752008: Duplicate entry already in Tunnel Manager

Feb 19 2014 04:04:28: %ASA-7-609001: Built local-host isp2:172.26.82.63

Feb 19 2014 04:04:28: %ASA-7-609002: Teardown local-host isp2:172.26.82.63 duration 0:00:00

Feb 19 2014 04:04:28: %ASA-7-752008: Duplicate entry already in Tunnel Manager

Feb 19 2014 04:04:29: %ASA-7-609001: Built local-host isp2:172.20.142.10

Feb 19 2014 04:04:29: %ASA-7-609002: Teardown local-host isp2:172.20.142.10 duration 0:00:00

Feb 19 2014 04:04:29: %ASA-7-752008: Duplicate entry already in Tunnel Manager

Feb 19 2014 04:04:30: %ASA-7-609001: Built local-host isp2:172.20.142.10

Feb 19 2014 04:04:30: %ASA-7-609002: Teardown local-host isp2:172.20.142.10 duration 0:00:00

Feb 19 2014 04:04:30: %ASA-7-609001: Built local-host lan:172.28.120.20

Feb 19 2014 04:04:30: %ASA-7-609001: Built local-host isp2:172.22.1.90

Feb 19 2014 04:04:30: %ASA-7-609002: Teardown local-host lan:172.28.120.20 duration 0:00:00

Feb 19 2014 04:04:30: %ASA-7-609002: Teardown local-host isp2:172.22.1.90 duration 0:00:00

Feb 19 2014 04:04:31: %ASA-7-609001: Built local-host isp2:172.26.82.64

Feb 19 2014 04:04:31: %ASA-7-609002: Teardown local-host isp2:172.26.82.64 duration 0:00:00

Feb 19 2014 04:04:31: %ASA-7-752008: Duplicate entry already in Tunnel Manager

Feb 19 2014 04:04:31: %ASA-7-609001: Built local-host isp2:172.26.82.63

Feb 19 2014 04:04:31: %ASA-7-609002: Teardown local-host isp2:172.26.82.63 duration 0:00:00

Feb 19 2014 04:04:31: %ASA-7-609001: Built local-host isp2:172.20.142.6

Feb 19 2014 04:04:31: %ASA-7-609002: Teardown local-host isp2:172.20.142.6 duration 0:00:00

Feb 19 2014 04:04:31: %ASA-7-752008: Duplicate entry already in Tunnel Manager

Feb 19 2014 04:04:32: %ASA-7-609001: Built local-host isp2:172.20.142.10

Thank you

I somewhat got this to work by configuring the IP SLA on the head-end ASA to delay failover to the other link to be longer than the timeout of the P2 tunnel for the original connection. This does present unwanted delay in the failover, but at least it does switch over and work. Without this delay, the tunnel sometimes eventually built, but it wasn't very often that it did.

I had another configuration that worked with L2L VPN tunnels between sites that belonged to the same enterprise. I configured the routers that were between the ASA firewalls and dual ISPs with two DMVPN tunnels without encryption. One tunnel terminated on one of two corporate internet routers and the other tunnel terminated on the other corporate internet router. I routed the IPSec VPN traffic in both directions over these two tunnels using EIGRP. This solution worked well and the VPN was able to fail over quickly during issues with the primary ISP connection. It also failed back over quickly when the primary ISP connection came back up. The reason it failed over quickly is that the peer IP addresses did not change for the tunnel since the traffic was passing through the DMVPN tunnels between the sites.

Not sure if either one of these configurations apply to your situation, but I've provided them just in case they do.

Thank you,

Mark

Jacob Hoeegh
Level 1

"Duplicate entry already in Tunnel Manager" is a pain. I found the workaround:

1. Locate the crypto map (e.g. crypto map Outside_map 3), remove the config and re-configure it, but this time with a different number. You should see the tunnel go up and the "Duplicate entry already in Tunnel Manager" message is gone.

2. "debug menu ike-common 1": you should see the failed entry.

3. "debug menu ike-common 10" clears ALL entries in the tunnel manager.

4. Reconfigure the crypto map back to the old number (optional).

Example

clear configure crypto map Outside_map 3
crypto map Outside_map 333 match address CSM_IPSEC_ACL_2
crypto map Outside_map 333 set pfs group19
crypto map Outside_map 333 set peer xxx.xxx.xxx.xxx
crypto map Outside_map 333 set ikev2 ipsec-proposal CSM_IP_1
crypto map Outside_map 333 set df-bit clear-df
crypto map Outside_map 333 set reverse-route

debug menu ike-common 1

debug menu ike-common 10

clear configure crypto map Outside_map 333
crypto map Outside_map 3 match address CSM_IPSEC_ACL_2
crypto map Outside_map 3 set pfs group19
crypto map Outside_map 3 set peer xxx.xxx.xxx.xxx
crypto map Outside_map 3 set ikev2 ipsec-proposal CSM_IP_1
crypto map Outside_map 3 set df-bit clear-df
crypto map Outside_map 3 set reverse-route

IMHO, in most cases "Duplicate entry already in Tunnel Manager" just means that establishing the tunnel wasn't successful. The reasons for that may differ; you should debug on both sites.
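The Tunnel Manager messages quoted throughout this thread (752004, 752008, 752012, 752015, 752002) can be correlated per crypto-map entry to spot the retry loop the posters describe, whether the lines carry a timestamp prefix or not. This is an added example, not code from this thread or from Cisco; it assumes that a 752008 line belongs to the entry most recently dispatched by a 752004 line, and the sample lines are constructed, modelled on the ones posted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the %ASA-x-7520xx lines quoted in this thread.
SAMPLE_LOG = """\
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 10.
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.
%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 20.
%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 20.
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>[^.\s]+)\.\s+Map Sequence Number\s*=\s*(?P<seq>\d+)")

def parse(lines):
    """Yield (message id, (map tag, sequence) or None, text) per ASA syslog line."""
    for line in lines:
        m = MSG_RE.search(line)  # search, so a timestamp prefix is tolerated
        if not m:
            continue
        mm = MAP_RE.search(m.group("text"))
        entry = (mm.group("tag"), int(mm.group("seq"))) if mm else None
        yield m.group("id"), entry, m.group("text")

def tunnel_manager_summary(log_text):
    """Per crypto-map entry: 752008 duplicate count plus 752015/752002 flags. 752008 has no
    map tag, so it is charged to the entry last dispatched by 752004 (ordering assumption)."""
    stats = defaultdict(lambda: {"duplicates": 0, "failed": False, "removed": False})
    current = None
    for msgid, entry, _ in parse(log_text.splitlines()):
        if msgid == "752004":
            current = entry
        elif msgid == "752008" and current is not None:
            stats[current]["duplicates"] += 1
        elif msgid == "752015" and entry is not None:
            stats[entry]["failed"] = True
        elif msgid == "752002" and entry is not None:
            stats[entry]["removed"] = True
            current = None if entry == current else current
    return dict(stats)

def stuck_entries(log_text, threshold=3):
    """Entries that logged 'Duplicate entry' at least threshold times and then failed (752015)."""
    return sorted(k for k, v in tunnel_manager_summary(log_text).items()
                  if v["duplicates"] >= threshold and v["failed"])
```

Feeding a `show logging` capture to `stuck_entries` names the crypto-map sequence numbers worth debugging on both peers before applying the re-number workaround above.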