Error 713201: Duplicate Phase packet detected

Hello Everyone!!!

I have a little problem with an Easy VPN; this is the topology:

One router 2811: This is the Easy-client (which has an IP address by DHCP)

One ASA 5540: This is the Easy-server

The configuration on router is like this:

crypto ipsec client ezvpn Router-Miranda-VPN
connect auto
group VPN-MIRANDA key cisco123
mode network-extension
peer 192.168.1.0
username Router-Miranda password Router123

  xauth userid mode local

interface FastEthernet0/0
description Conexion WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN

interface FastEthernet0/1
description LAN-Miranda
ip address 10.50.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN inside

And this is the config on ASA:

crypto isakmp enable Outside
name 10.50.15.0 VPN-MIRANDA description SEGMENTO MIRANDA
asdm location 10.50.15.0 255.255.255.0 Inside
access-list nonat line 2 extended permit ip 10.50.15.0 255.255.255.0 10.50.15.0 255.255.255.0
username Router-Miranda password Router123 encrypted privilege 0
username Router-Miranda attributes
  vpn-group-policy VPN-MIRANDA
ip local pool POOL-MIRANDA 10.50.15.10-10.50.15.254 mask 255.255.255.0
group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
  address-pool  POOL-MIRANDA
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface  Outside

The router is trying to establish the connection; this message appears:

Feb 28 22:05:49.282: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPN-MIRANDA  Client_public_addr=190.36.240.57  Server_public_addr=192.168.1.0

It seems that the router attempts to establish the connection, but for some reason it falls; this is the output of this command:

Router-Miranda#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
68    190.36.240.57   192.168.1.0            ACTIVE                2  0           
       Connection-id:Engine-id =  68:1(software)
67    190.36.240.57   192.168.1.0            ACTIVE                2  0           
       Connection-id:Engine-id =  67:1(software) (deleted)

And in the ASA appears the next message:

713201

Error Message    %ASA-5-713201: Duplicate Phase Phase packet detected. Action

Explanation   The security appliance has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. This message could indicate a network performance or connectivity issue where the peer is not receiving sent packets in a timely manner.

Phase—Phase 1 or 2

Action—Retransmitting last packet, or No last packet to transmit.

Recommended Action   Verify network performance or connectivity.

Any idea what could be happening on these devices??

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

Firstly, you can't have the same subnet behind the ASA as well as behind the Easy VPN Client, plus having the IP Pool also in the same subnet. This is totally incorrect.

ASA LAN needs to be in a different subnet than the Easy VPN Client LAN, plus separate subnet for the IP Pool. However, since you are configuring NEM mode, then IP Pool is not used.

Then you would need to modify your NAT exemption to say:

access-list nonat extended permit ip

Then the peer ip address under the router configuration should be the ASA outside ip address:

crypto ipsec client ezvpn Router-Miranda-VPN
     peer 192.168.1.0

If it's still not working, please kindly share the output of the following debugs:

debug cry isa

debug cry ipsec
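The overlap described in this reply can be checked mechanically. The following is an added example, not part of the original thread: it parses the NAT-exemption ACL and the address pool from the ASA configuration posted in the question and reports where they collide with the Easy VPN client LAN. The function name and the finding labels are hypothetical.

```python
import ipaddress
import re

# Lines taken from the ASA configuration in the original question.
ORIGINAL = """\
access-list nonat line 2 extended permit ip 10.50.15.0 255.255.255.0 10.50.15.0 255.255.255.0
ip local pool POOL-MIRANDA 10.50.15.10-10.50.15.254 mask 255.255.255.0
"""
# NAT-exemption line from the configuration posted later in the thread.
CORRECTED = "access-list nonat permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0"

ACL = re.compile(r"access-list (\S+)(?: line \d+)?(?: extended)? permit ip "
                 r"(\S+) (\S+) (\S+) (\S+)")
POOL = re.compile(r"ip local pool (\S+) ([\d.]+)-([\d.]+) mask (\S+)")


def net(addr, mask):
    # strict=False tolerates host bits, e.g. "192.168.1.0 255.255.0.0"
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_overlaps(asa_config, client_lan):
    """Return (kind, detail) findings for one ASA config and one client LAN."""
    client = ipaddress.ip_network(client_lan)
    findings = []
    for line in asa_config.splitlines():
        if (m := ACL.search(line)):
            name = m.group(1)
            src, dst = net(m.group(2), m.group(3)), net(m.group(4), m.group(5))
            if src.overlaps(dst):
                # Same subnet on both ends: no flow can be selected for the tunnel.
                findings.append(("acl_src_dst_overlap",
                                 f"{name}: {src} overlaps {dst}"))
            if not client.subnet_of(dst):
                findings.append(("acl_misses_client_lan",
                                 f"{name}: {dst} does not cover {client}"))
        elif (m := POOL.search(line)):
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3))
            blocks = ipaddress.summarize_address_range(first, last)
            if any(b.overlaps(client) for b in blocks):
                # Unused in network-extension mode, but still a conflict to remove.
                findings.append(("pool_overlaps_client_lan",
                                 f"{m.group(1)}: {first}-{last} inside {client}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_overlaps(ORIGINAL, "10.50.15.0/24"):
        print(kind, "-", detail)
    print("corrected:", find_overlaps(CORRECTED, "10.50.15.0/24"))
```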

Beginner

Re: Error 713201: Duplicate Phase packet detected

Thanks Jennifer for your answer!!

That's correct, I had to edit the access-list nonat extended permit ip 192.168.1.0 255.255.0.0 10.50.15.0 255.255.255.0 and I deleted the VPN IP address pool.

The configuration on ASA is this:

crypto isakmp enable Outside
name 10.50.15.0 VPN-MIRANDA description SEGMENTO MIRANDA
access-list nonat line 2 extended permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
username Router-Miranda password PbIWLu/jIlsM4bD3 encrypted privilege 0
username Router-Miranda attributes
  vpn-group-policy VPN-MIRANDA

group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface  Outside

Regarding the IP address for the peer, it is an outside IP address, but I do not want to post the real address for security. I captured the output from debug:

Here is the debug from crypto ipsec

Mar  1 16:19:35.678: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 16:19:35.678: IPSEC(key_engine): got a queue event with 1 kei messages

Here is the debug from crypto isakmp

Mar  1 16:15:35.470: ISAKMP:(0:33:SW:1):purging SA., sa=4694BE00, delme=4694BE00
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):peer does not do paranoid keepalives.

*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 190.119.128.103)
*Mar  1 16:15:35.510: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPN-MIRANDA  Client_public_addr=190.78.245.19  Server_public_addr=190.119.128.103

*Mar  1 16:15:35.510: ISAKMP:isadb_key_addr_delete: no key for address 190.119.128.103  (NULL root)
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 190.119.128.103)
*Mar  1 16:15:35.510: ISAKMP: Unlocking IKE struct 0x4682E100 for isadb_mark_sa_deleted(), count 0
*Mar  1 16:15:35.510: ISAKMP: Deleting peer node by peer_reap for 190.119.128.103: 4682E100
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):Old State = IKE_I_AM1  New State = IKE_DEST_SA

*Mar  1 16:15:35.510: ISAKMP: Created a peer struct for 190.119.128.103, peer port 500
*Mar  1 16:15:35.510: del_node src 190.78.245.19:500 dst 190.119.128.103:500 fvrf 0x0, ivrf 0x0
*Mar  1 16:15:35.514: ISAKMP:(0:34:SW:1):peer does not do paranoid keepalives.

*Mar  1 16:15:35.514: ISAKMP: received ke message (1/1)
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 16:15:35.514: ISAKMP: Found a peer struct for 190.119.128.103, peer port 500
*Mar  1 16:15:35.514: ISAKMP: Locking peer struct 0x4682E100, IKE refcount 1 for isakmp_initiator
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0):Setting client config settings 467F44F8
*Mar  1 16:15:35.514: ISAKMP: local port 500, remote port 500
*Mar  1 16:15:35.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4694BE00
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): client mode configured.
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 16:15:35.554: ISKAMP: growing send buffer from 1024 to 3072
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  1 16:15:35.554: ISAKMP (0:134217763): ID payload
        next-payload : 13
        type         : 11
        group id     : VPN-MIRANDA
        protocol     : 17
        port         : 0
        length       : 19
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Total payload length: 19
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): beginning Aggressive Mode exchange
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:45.558: ISAKMP (0:134217763): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH

Thanks,

KC
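The debug output above shows the initiator sending its first Aggressive Mode message to UDP port 500 and never logging a reply. As an added example (not part of the original post), the script below summarises that pattern per SA from an excerpt of the same log. The "received packet from" string it looks for does not appear in the excerpt and is assumed from typical IOS debug output; the verdict names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the router's "debug cry isa" output from the post above.
DEBUG_LOG = r'''
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 190.119.128.103)
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): beginning Aggressive Mode exchange
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH
'''

SA_LINE = re.compile(r"ISAKMP:\(0:(\d+):\w+:\d+\):\s*(.*)")
SEND = re.compile(r"sending packet to ([\d.]+) my_port (\d+) peer_port (\d+) "
                  r"\(([IR])\) (\w+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\w+)\s+'
                    r'\(peer ([\d.]+)\)')
# Assumed format of the line IOS logs when an IKE packet arrives from the peer.
RECEIVE = re.compile(r"received packet from ([\d.]+)")


def analyze(log_text):
    """Summarise each IKE SA in the log and classify its Phase 1 progress."""
    sas = defaultdict(lambda: {"peer": None, "port": None, "sent": 0,
                               "retransmits": 0, "delete_reason": None})
    answered = set()  # peers from which at least one IKE packet was logged
    for line in log_text.splitlines():
        if (r := RECEIVE.search(line)):
            answered.add(r.group(1))
        m = SA_LINE.search(line)
        if not m:
            continue
        sa, msg = sas[int(m.group(1))], m.group(2).strip()
        if (s := SEND.search(msg)):
            sa["peer"], sa["port"] = s.group(1), int(s.group(3))
            sa["sent"] += 1
        elif msg.startswith("retransmitting phase 1") and msg.endswith("..."):
            sa["retransmits"] += 1  # the line without "..." repeats this event
        elif (d := DELETE.search(msg)):
            sa["peer"], sa["delete_reason"] = d.group(4), d.group(1)
    for sa in sas.values():
        silent = sa["peer"] not in answered
        reason = sa["delete_reason"] or ""
        if "retransmission" in reason and silent:
            sa["verdict"] = "peer_silent"   # gave up without ever seeing a reply
        elif sa["retransmits"] and silent:
            sa["verdict"] = "retrying"      # still resending the first message
        else:
            sa["verdict"] = "peer_answered" if not silent else "idle"
    return dict(sas)


if __name__ == "__main__":
    for sa_id, info in sorted(analyze(DEBUG_LOG).items()):
        print(sa_id, info)
```

A `peer_silent` or `retrying` verdict with no received packets points at the path to the peer on UDP port 500, or at the peer address itself, rather than at the crypto policy.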

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

Can you try with removing the following line:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2

Also this line has way too many policies:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set   ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5

Can you please change it to:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set ESP-3DES-SHA

So phase 1 is up, however, phase 2 seems to be stuck.

Beginner

Re: Error 713201: Duplicate Phase packet detected

Thanks Jennifer!!

Finally my VPN is active!! The problem was the firewall of my ISP on router. I made some changes in the config on my Easy Client VPN and my Easy Server VPN.

Here is the legend:

ASA LAN (192.168.0.1/16)

Router Remote LAN (10.50.15.0/24)

There is:

ASA (Easy VPN Server)

crypto isakmp enable Outside

crypto isakmp policy 10
 authen pre-share
 encrypt 3des
 hash sha
 group 2
 lifetime 86400

sysopt connection permit-vpn


username cisco123 password cisco123 privilege 0
username cisco123 attributes
  password-storage enable
  vpn-group-policy VPN-MIRANDA

group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Tunnel_Miranda
  nem enable


access-list Tunnel_Miranda permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0

nat (Inside) 0 nonat
tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key Cisco1234
crypto ipsec transform-set Miranda-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-256 esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-des esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-des esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-192 esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-3des esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-256 esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-192 esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes esp-md5-hmac
crypto dynamic-map conexion-miranda-vpn 65535 set reverse-route
crypto dynamic-map conexion-miranda-vpn 65535 set transform-set Miranda-VPN
crypto map conexion-miranda 65535 ipsec-isakmp dynamic conexion-miranda-vpn
crypto map conexion-miranda interface Outside

And the config in my client is:

crypto ipsec client ezvpn Router-Miranda-VPN
connect auto
group VPN-MIRANDA key Cisco1234
local-address FastEthernet0/0
mode network-extension
peer 190.202.84.32
username cisco123 password cisco123

xauth userid mode local

interface FastEthernet0/0
description Conexion WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN

interface FastEthernet0/1
description LAN-Miranda
ip address 10.50.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN inside

ip route 192.168.0.0 255.255.0.0 FastEthernet0/0

ip nat inside source list nonat interface FastEthernet0/0 overload

ip access-list extended nonat
deny   ip 10.50.15.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any

The remote site can access the Internet with the VPN connection and without it. The problem that we have is that the two networks cannot reach each other, I mean, the PC on the router's network does not see any server in the ASA's networks.

But I can see the tunnel active with the command sho crypto session on my router and show crypto isakmp on my ASA.

Regards,

KC

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

Very good, we are moving a step closer.

On the ASA, your split tunnel access-list is extended ACL, please change it to standard ACL as follows:

no access-list Tunnel_Miranda permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
access-list Tunnel_Miranda standard permit 192.168.0.0 255.255.0.0

You mention that you can't access the server. Can you enable the following:

management-access Inside

and check if you can ping the ASA Inside interface ip address after the above command is added.

If you can, then it doesn't seem to be a configuration issue. You might want to check if the server has any firewall enabled that might be blocking inbound connection from  different subnets. See if you can access anything else within the same subnet.

Lastly, please share the output of:

show cry ipsec sa


Beginner

Re: Error 713201: Duplicate Phase packet detected

Thanks Jennifer!!

Your advice worked for me!! I made the change in the access-list and then I enabled the management-access Inside, and finally I can see traffic between both networks.

But I can see some hosts and servers, and not the others. That could be a problem in the customer's LAN. But I have one question: could you tell me why it works with a standard access-list and with an extended one it does not?

Best Regards,

KC

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

It is supposed to be configured with standard access-list on ASA as per design.

Here is the command reference that states that for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404816

Beginner

Re: Error 713201: Duplicate Phase packet detected

Hello Jennifer!!

There are some problems with the traffic between the two networks; it seems like some traffic to the network 192.168.0.0/16 (ASA LAN) goes through the tunnel but other traffic is going to the Internet.

I put an access-list in the ASA:

Inside access in: permit ip any 10.50.15.0 255.255.255.0 (Remote Network) (with a lot of matches)

Outside access in: permit ip 10.50.15.0 255.255.255.0 any

Only the access list on the inside interface gets matches; the other access list gets matches when I use the packet tracer on the ASA.

The servers that I can access are: 192.68.0.5, 192.168.0.6, 192.168.0.102 and 192.168.0.10.

The servers that I cannot access are: 192.168.0.9, 192.168.0.100 and 192.168.0.81.

All the servers belong to the same network.

Here is the tracert from my PC, which is in the Remote Network:

C:\Documents and Settings\kcastillo>tracert 192.168.0.5

Traza a 192.168.0.5 sobre caminos de 30 saltos como máximo.

  1    <1 ms    <1 ms    <1 ms  10.50.15.1
  2   249 ms   250 ms   256 ms  192.168.0.5

Traza completa.

C:\Documents and Settings\kcastillo>tracert 192.168.0.9

Traza a 192.168.0.9 sobre caminos de 30 saltos como máximo.

  1    <1 ms    <1 ms    <1 ms  10.50.15.1
  2     *        *        *     Tiempo de espera agotado para esta solicitud.
  3     *        *        *     Tiempo de espera agotado para esta solicitud.
  4     *        *        *     Tiempo de espera agotado para esta solicitud.
  5     *        *        *     Tiempo de espera agotado para esta solicitud.
  6     *        *        *     Tiempo de espera agotado para esta solicitud.

If I try to ping from the router, the ping fails.

Router-Miranda#ping 192.168.0.85

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.85, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But if I try to ping from the inside interface on the router to the inside interface on the ASA, the packet passes.

Router-Miranda#ping 192.168.0.85 source fastEthernet 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.85, timeout is 2 seconds:
Packet sent with a source address of 10.50.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/41/48 ms

I have the same situation on the ASA, I mean if the ping is sourced from the inside interface of the router (pass).

192.168.0.85: IP address of the inside interface on the ASA

Any idea?

Regards,

KC

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

Yes, you can only ping by sourcing the ping from the LAN interface because that is what is supposed to be encrypted through the tunnel, ie: between LAN subnet to LAN subnet. If you just ping straight out from the router, the ping will be sourced from the router external interface, hence ping will fail which is correct behaviour.

Based on your explanation, you can access some hosts but not some others that are in the same LAN. This straight away points me to believe that it has nothing to do with configuration nor VPN on both the ASA and router. Because everything is set up between LAN to LAN subnets, so if you can access just 1 ip address within that subnet, you should be able to access everything else on that subnet.

I would actually check the server itself and see if there is anything that might prevent the access. A few things to check on the server:

- correct default gateway (ie: the same default gateway as other host that works)

- firewall that is not blocking inbound connection from different subnet


Beginner

Re: Error 713201: Duplicate Phase packet detected

Hello Jennifer!!

I forgot to write to you last week; the VPN works fine. The problem was the default gateway on the servers.

Thanks,

KC

Cisco Employee

Re: Error 713201: Duplicate Phase packet detected

Thanks for the update, KC. Great to know it's working good now.
