
Duplicate phase 2 packets in VPN Tunnel between ASA and Juniper

We are having problems building a VPN tunnel between an ASA 5510 (9.0) and a Juniper SSG 500. The ASA in this configuration works as the responder. The problem arises after phase 2 has been successfully negotiated. Immediately afterwards the ASA detects duplicate phase 2 packets, and after sending the last message 3 times it removes the tunnel. The ASA logs are below.

Is there anything I can change on the ASA to keep the tunnel up?

 

Thanks


22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:40: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82080 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:40: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:44: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:44: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:44: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82076 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:44: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:48: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:48: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:48: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82072 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:48: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:52: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:52: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:52: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82068 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:52: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:56: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Error    <asaip>    Sep 22 2015 15:57:56: %ASA-3-713902: Group = <juniperip>, IP = <juniperip>, QM FSM error (P2 struct &0xadc95df0, mess id 0xac2da83e)!
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:56: %ASA-7-715065: Group = <juniperip>, IP = <juniperip>, IKE QM Responder FSM error history (struct &0xadc95df0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:56: %ASA-4-713906: Group = <juniperip>, IP = <juniperip>, sending delete/delete with reason message

 


pjain2
Cisco Employee

This means that the last packet that the responder has sent has not reached the Juniper, or they are receiving it and dropping it. Can you ask the Juniper end to check if they are receiving the response packet from the ASA and what exactly they see in their logs?
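The pattern in this thread (713120 PHASE 2 COMPLETED, repeated 713201 duplicates, then a 713902 QM FSM error) can be picked out of a larger ASA syslog per peer. The following is an added example, not part of the original thread; the function names and the sample lines (documentation-range addresses, made-up msgid values) are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ASA message format shown in the post; peer
# addresses and msgid values are made up (documentation address ranges).
SAMPLE_LOG = """\
Sep 22 2015 10:00:00: %ASA-4-713120: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Sep 22 2015 10:00:04: %ASA-5-713201: Group = 192.0.2.10, IP = 192.0.2.10, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 10:00:04: %ASA-4-713120: Group = 192.0.2.10, IP = 192.0.2.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Sep 22 2015 10:00:05: %ASA-4-713120: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=5e6f7a8b)
Sep 22 2015 10:00:08: %ASA-5-713201: Group = 192.0.2.10, IP = 192.0.2.10, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 10:00:12: %ASA-5-713201: Group = 192.0.2.10, IP = 192.0.2.10, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 10:00:16: %ASA-5-713201: Group = 192.0.2.10, IP = 192.0.2.10, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 10:00:16: %ASA-3-713902: Group = 192.0.2.10, IP = 192.0.2.10, QM FSM error (P2 struct &0x0, mess id 0x0a1b2c3d)!
"""
LINE = re.compile(
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<id>\d{6}): Group = \S+, IP = (?P<peer>[^,]+), (?P<text>.*)"
)
MSGID = re.compile(r"msgid=([0-9a-f]+)")

def find_p2_retransmit_loops(log_text):
    """Return one record per quick-mode exchange (peer + msgid) in the log."""
    records, current = [], {}              # current: peer -> open record
    for raw in log_text.splitlines():
        m = LINE.search(raw)               # search() tolerates a syslog prefix
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        peer, code, rec = m["peer"], m["id"], current.get(m["peer"])
        if code == "713120":               # PHASE 2 COMPLETED
            qm = MSGID.search(m["text"])
            qm = qm.group(1) if qm else None
            if rec is None or rec["msgid"] != qm:   # same msgid = re-completion
                rec = {"peer": peer, "msgid": qm, "completed": ts,
                       "duplicates": [], "torn_down": False}
                current[peer] = rec
                records.append(rec)
        elif rec and code == "713201":     # Duplicate Phase 2 packet detected
            rec["duplicates"].append(ts)
        elif rec and code == "713902":     # QM FSM error: ASA gives up
            rec["torn_down"] = True
            del current[peer]
    return records

def retransmit_gaps(rec):
    """Seconds between completion and each successive duplicate."""
    times = [rec["completed"]] + rec["duplicates"]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

A record with several duplicates at a fixed interval and `torn_down` set matches the case described in the reply, where the responder's last message is not being accepted by the peer.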