Cisco ASA & Allied Telesis router IPsec VPN- any luck?

allaprade
Level 1

Hello,

I am trying to get an IPsec VPN established between a Cisco ASA 5505 and an Allied Telesis AR450s, but am encountering a strange issue.

Currently I just have the two devices back to back.

If I initiate the tunnel from the AR450s side, the tunnel is built with no problem and I am able to pass traffic from either side.

If I try to initiate the tunnel from the ASA 5505 side, no VPN is established.

Checking the debug logs, the problem is occurring during Phase 2 (Phase 1 completes on both devices).

The errors I am seeing:

ASA side:

"duplicate phase 2 packet detected." This basically repeats forever until I stop trying to pass traffic and the SA is torn down.

Allied side:

During the last exchange of Phase 2 the AR450s receives this message from the ASA but it reports a "bad pad length" error. According to the debug log, the ASA is padding this final packet, and the Allied router doesn't seem to know how to handle it.

I have checked the lifetime settings on both devices and they are identical. I am using ESP-DES, and SHA (have tried MD5 also).

What are some things I should be looking at? I have contacted both Cisco and Allied Telesis and multiple engineers from both companies have not seen any correctable issues with the configurations.

Thanks,

Al

1 Reply

paolo bevilacqua
Hall of Fame

I think you should take a packet capture, check if there is actually a duplicate packet, then complain to the vendor.
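One way to do the capture check suggested above, as an added example that is not part of the original thread: it decodes the fixed 28-byte ISAKMP header (RFC 2408) from UDP/500 payloads and reports IKEv1 Quick Mode messages whose exact bytes were sent more than once by the same peer. The sender labels, message ID, bodies and timings are constructed sample data, and extracting the UDP payloads from the capture file is assumed to be done beforehand.

```python
import hashlib
import struct
from collections import defaultdict

QUICK_MODE = 32                      # IKEv1 exchange type used for Phase 2 (RFC 2409)
HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msg id, length


def parse_isakmp(payload: bytes) -> dict:
    """Decode the fixed ISAKMP header from one UDP/500 payload."""
    if len(payload) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, _rc, _next, _ver, xchg, flags, msg_id, length = HDR.unpack_from(payload)
    return {
        "exchange": xchg,
        "encrypted": bool(flags & 0x01),       # E bit: body after the header is ciphertext
        "msg_id": msg_id,
        "length_ok": length == len(payload),   # header length must match bytes on the wire
        "digest": hashlib.sha256(payload).hexdigest(),
    }


def find_duplicates(packets):
    """packets: (timestamp, sender, udp_payload). Returns byte-identical Quick Mode resends."""
    seen = defaultdict(list)
    for ts, sender, payload in packets:
        m = parse_isakmp(payload)
        if m["exchange"] == QUICK_MODE:
            seen[(sender, m["msg_id"], m["digest"])].append(ts)
    return {k: v for k, v in seen.items() if len(v) > 1}


def _msg(msg_id: int, body: bytes) -> bytes:
    """Build a constructed Quick Mode message; body stands in for ciphertext."""
    return HDR.pack(b"I" * 8, b"R" * 8, 8, 0x10, QUICK_MODE, 0x01, msg_id, HDR.size + len(body)) + body


# Constructed sample: three-message Quick Mode, then the responder resends message 2 twice.
SAMPLE = [
    (0.00, "asa", _msg(0x1A2B3C4D, b"\x11" * 40)),
    (0.05, "ar450s", _msg(0x1A2B3C4D, b"\x22" * 40)),
    (0.10, "asa", _msg(0x1A2B3C4D, b"\x33" * 24)),
    (8.05, "ar450s", _msg(0x1A2B3C4D, b"\x22" * 40)),
    (16.05, "ar450s", _msg(0x1A2B3C4D, b"\x22" * 40)),
]

if __name__ == "__main__":
    for (sender, msg_id, digest), times in find_duplicates(SAMPLE).items():
        print(f"{sender} msg_id={msg_id:#010x} sent {len(times)}x at {times} sha256={digest[:12]}")
```

A byte-identical resend is a genuine retransmission on the wire; a logged duplicate with no matching resend in the capture points at the receiving device's own handling.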