08-01-2011 02:31 AM
Hi All
We're experiencing some troubles with VPN status detection.
Problem detected:
We receive a call from the end point saying they can't establish VPN.
Log says: "IP = 79.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet."
ASA monitor says that the L2L against 79.x.x.x is established and shows a lot of traffic count.
If we drop (log out) that L2L, the VPN is established successfully.
We suppose the L2L gets dropped and it's not detected.
For this VPN the end point is a Check Point, but we have the same problem against other Ciscos.
System configuration:
ASA 8.4.2
We have one crypto map defined on two interfaces.
Route tracking to decide which interface should be used. (both public end route and remote lan network)
NAT rules do not include the interface.
Monitor keep alive enabled in tunnel group.
Thanks
09-09-2011 02:17 AM
Hi, I have the same problem with an ASA-to-ASA site-to-site VPN. Did you find a solution?
09-10-2011 04:55 AM
Hi,
Is this resolved? If not, then please take care of the below:
1. Disable tunnel keepalives on the ASA and the Check Point.
2. If you have multiple tunnels on the ASA, ensure that tunnel traffic to the Check Point is not overlapping or conflicting with any other tunnel traffic.
For an ASA-to-ASA tunnel, keepalive must either be enabled on both ends or disabled on both. Secondly, check for any traffic overlapping between two different tunnels.
Regards,
Mohit
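The overlap check suggested in the reply above can be scripted. This is an added example, not from the thread or from any poster's configuration: it reads `access-list ... extended permit ip` entries in network/mask form plus `crypto map ... match address` lines and reports tunnels whose traffic selectors overlap. The ACL names, map name and addresses are constructed, and `host`, `any` and object-group entries are assumed absent.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample config (not from the thread); all names and addresses are assumptions.
SAMPLE_CONFIG = """\
access-list VPN_CHECKPOINT extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN_BRANCH extended permit ip 10.10.20.0 255.255.255.0 192.168.50.128 255.255.255.128
access-list VPN_PARTNER extended permit ip 10.10.0.0 255.255.0.0 172.16.8.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_CHECKPOINT
crypto map OUTSIDE_MAP 20 match address VPN_BRANCH
crypto map OUTSIDE_MAP 30 match address VPN_PARTNER
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse(config):
    """Return {(map_name, seq): [(src_net, dst_net), ...]} for each crypto map entry."""
    acls, tunnels = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, src_mask, dst, dst_mask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{src_mask}"),
                    ipaddress.ip_network(f"{dst}/{dst_mask}"))
            acls.setdefault(name, []).append(pair)
        elif m := MAP_RE.match(line):
            tunnels[(m.group(1), int(m.group(2)))] = m.group(3)
    return {key: acls.get(acl, []) for key, acl in tunnels.items()}


def find_overlaps(config):
    """List tunnel pairs whose selectors overlap on both source and destination."""
    tunnels = sorted(parse(config).items(), key=lambda kv: kv[0])
    hits = []
    for (a, sel_a), (b, sel_b) in combinations(tunnels, 2):
        for sa, da in sel_a:
            for sb, db in sel_b:
                # Traffic is ambiguous only if both ends of the selector intersect.
                if sa.overlaps(sb) and da.overlaps(db):
                    hits.append((a, b, f"{sa} -> {da}", f"{sb} -> {db}"))
    return hits


if __name__ == "__main__":
    for a, b, x, y in find_overlaps(SAMPLE_CONFIG):
        print(f"{a[0]} seq {a[1]} overlaps {b[0]} seq {b[1]}: {x} / {y}")
```
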