Duplicate phase 2 packets in VPN Tunnel between ASA and Juniper

We are building a VPN tunnel between an ASA 5520 (9.0) and a Juniper SSG 500. Everything goes OK until phase 2 is completed. Immediately after the second phase is completed the ASA gets duplicate phase 2 packets, and after responding 3 times it deletes the tunnel. The tunnel works if the ASA acts as initiator but not as responder. Below are the ASA logs.

Has anyone had the same problem? Is there a way to keep the tunnel up even though duplicate packets arrive?



22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:40: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82080 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:40: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:44: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:44: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:44: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82076 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:44: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:48: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:48: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:48: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82072 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:48: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:52: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Info    <asaip>    Sep 22 2015 15:57:52: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:52: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82068 seconds.
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:52: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
22-9-2015 15:58    Local4.Notice    <asaip>    Sep 22 2015 15:57:56: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
22-9-2015 15:58    Local4.Error    <asaip>    Sep 22 2015 15:57:56: %ASA-3-713902: Group = <juniperip>, IP = <juniperip>, QM FSM error (P2 struct &0xadc95df0, mess id 0xac2da83e)!
22-9-2015 15:58    Local4.Debug    <asaip>    Sep 22 2015 15:57:56: %ASA-7-715065: Group = <juniperip>, IP = <juniperip>, IKE QM Responder FSM error history (struct &0xadc95df0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
22-9-2015 15:58    Local4.Warning    <asaip>    Sep 22 2015 15:57:56: %ASA-4-713906: Group = <juniperip>, IP = <juniperip>, sending delete/delete with reason message
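The sequence in the log above (PHASE 2 COMPLETED, then 713201 "Duplicate Phase 2 packet detected" and 713905 "Responder resending" repeating every four seconds, then 713902 "QM FSM error" and 713906 "sending delete") is easy to eyeball once, but not across a busy syslog feed. The following script is an added example, not part of the original post: it parses ASA IKEv1 syslog lines, counts duplicate Phase 2 packets and responder retransmits per peer, and reports each peer whose Quick Mode was torn down after at least a threshold of duplicates, together with the Quick Mode message id and the role the ASA was playing. The sample input is the post's own log with the syslog server's date/facility/host prefix stripped; the parser searches for the `%ASA-x-nnnnnn` marker, so lines carrying that prefix parse too. The message-id numbers are the ASA's; the finding field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the ASA syslog lines quoted in the post above, with the
# syslog server's own "22-9-2015 15:58  Local4.Debug  <asaip>" prefix removed.
SAMPLE_LOG = """\
Sep 22 2015 15:57:40: %ASA-7-715080: Group = <juniperip>, IP = <juniperip>, Starting P2 rekey timer: 82080 seconds.
Sep 22 2015 15:57:40: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
Sep 22 2015 15:57:44: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 15:57:44: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
Sep 22 2015 15:57:44: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
Sep 22 2015 15:57:48: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 15:57:48: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
Sep 22 2015 15:57:48: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
Sep 22 2015 15:57:52: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 15:57:52: %ASA-6-713905: Group = <juniperip>, IP = <juniperip>, Responder resending lost, last msg
Sep 22 2015 15:57:52: %ASA-4-713120: Group = <juniperip>, IP = <juniperip>, PHASE 2 COMPLETED (msgid=ac2da83e)
Sep 22 2015 15:57:56: %ASA-5-713201: Group = <juniperip>, IP = <juniperip>, Duplicate Phase 2 packet detected.  Retransmitting last packet.
Sep 22 2015 15:57:56: %ASA-3-713902: Group = <juniperip>, IP = <juniperip>, QM FSM error (P2 struct &0xadc95df0, mess id 0xac2da83e)!
Sep 22 2015 15:57:56: %ASA-4-713906: Group = <juniperip>, IP = <juniperip>, sending delete/delete with reason message
"""

# ASA IKE line header (searched, not anchored, so a syslog-server prefix is tolerated)
# and the Quick Mode message id in either of the two spellings the ASA uses.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"%ASA-(?P<sev>\d)-(?P<mid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<peer>[^,]+), (?P<text>.*)$"
)
MSGID_RE = re.compile(r"(?:msgid=|mess id 0x)(?P<msgid>[0-9a-fA-F]+)")

# ASA IKEv1 syslog ids that appear in the post; the names are this example's.
DUP_P2_PACKET = "713201"
RESPONDER_RESEND = "713905"
QM_FSM_ERROR = "713902"
SENDING_DELETE = "713906"


def parse_line(line):
    """Return the fields of one ASA IKE syslog line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    mm = MSGID_RE.search(rec["text"])
    rec["msgid"] = mm.group("msgid").lower() if mm else None
    return rec


def find_p2_duplicate_teardowns(log_text, threshold=3):
    """Flag each peer whose Quick Mode was torn down after repeated duplicate Phase 2 packets.

    Per peer, count 713201 (duplicate P2 packet) and 713905 (responder retransmit) until the
    ASA logs a QM FSM error (713902) or sends a delete (713906). If at least `threshold`
    duplicates were seen by then, emit a finding; either way the SA is gone, so reset the peer.
    """
    def fresh():
        return {"dups": 0, "resends": 0, "first_dup": None, "msgid": None, "responder": False}

    state = defaultdict(fresh)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["peer"]]
        if rec["msgid"]:
            s["msgid"] = rec["msgid"]
        if rec["mid"] == DUP_P2_PACKET:
            s["dups"] += 1
            s["first_dup"] = s["first_dup"] or rec["ts"]
        elif rec["mid"] == RESPONDER_RESEND:
            s["resends"] += 1
            s["responder"] = True  # only a responder logs "Responder resending lost, last msg"
        elif rec["mid"] in (QM_FSM_ERROR, SENDING_DELETE):
            if s["dups"] >= threshold:
                findings.append({
                    "peer": rec["peer"],
                    "msgid": s["msgid"],
                    "duplicates": s["dups"],
                    "retransmits": s["resends"],
                    "role": "responder" if s["responder"] else "initiator/unknown",
                    "first_dup": s["first_dup"],
                    "teardown": rec["ts"],
                    "trigger": rec["mid"],
                })
            state[rec["peer"]] = fresh()
    return findings


if __name__ == "__main__":
    for f in find_p2_duplicate_teardowns(SAMPLE_LOG):
        print(f"{f['peer']}: {f['duplicates']} duplicate P2 packets for msgid {f['msgid']} "
              f"({f['retransmits']} retransmits as {f['role']}), SA deleted at {f['teardown']}")
```

On the post's log this reports one finding: four duplicate Phase 2 packets and three responder retransmits for msgid `ac2da83e`, torn down by the 713902 error at 15:57:56. Feeding it the logs from a period where the ASA was initiator should produce nothing, which is a quick way to confirm the initiator/responder asymmetry the post describes.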


1 Reply

rvarelac
Level 7

Hi Fernando,


Could be a problem related to the crypto ACL; double-check that the ACL is matching on both sides and is mirrored properly.


You can enable the following debugs to get more information about the issue:

debug crypto ikev1 127

debug crypto ipsec 127


Hope it helps

-Randy-
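The mirror check Randy suggests is mechanical enough to script. The following is an added example, not code from the post or from either vendor: it parses an ASA crypto ACL (`access-list NAME extended permit ip SRC MASK DST MASK`, with `host` and `any`) and ScreenOS proxy-ID lines (`set vpn NAME proxy-id local-ip A/n remote-ip B/m SERVICE`), normalises both to CIDR, and lists which pairs mirror each other and which exist on one side only. The sample ACL and proxy-IDs are constructed for the example and deliberately disagree on one entry; the use of two proxy-ID lines under one ScreenOS VPN is an assumption about the SSG's configuration, and the exact form of the proxy-id command should be checked against the `get config` output of the box in question. On the ASA the crypto ACL is what it proposes as initiator and what it is willing to accept as responder, so an entry that is narrower on one side than the other is a legitimate Quick Mode failure in either direction.

```python
import ipaddress
import re

# Constructed sample configs (not from the post). The second pair is deliberately
# mismatched: the ASA names one host, the SSG names that host's whole /24.
ASA_CRYPTO_ACL = """\
access-list VPN-TO-SSG remark traffic to the Juniper site
access-list VPN-TO-SSG extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-TO-SSG extended permit ip host 10.1.5.10 10.3.0.0 255.255.255.0
"""
SSG_PROXY_IDS = """\
set vpn ssg-to-asa proxy-id local-ip 10.2.0.0/16 remote-ip 10.1.0.0/16 "ANY"
set vpn ssg-to-asa proxy-id local-ip 10.3.0.0/24 remote-ip 10.1.5.0/24 "ANY"
"""

ASA_ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(?P<rest>.+)$")
SSG_PROXY_RE = re.compile(r"proxy-id\s+local-ip\s+(?P<local>\S+)\s+remote-ip\s+(?P<remote>\S+)")


def _asa_endpoint(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK); return (cidr, next index)."""
    t = tokens[i]
    if t == "any":
        return "0.0.0.0/0", i + 1
    if t == "host":
        return str(ipaddress.ip_network(tokens[i + 1] + "/32")), i + 2
    # ipaddress accepts a dotted netmask after the slash and normalises it to a prefix length
    return str(ipaddress.ip_network(f"{t}/{tokens[i + 1]}")), i + 2


def parse_asa_crypto_acl(text):
    """Return [(local, remote)] in CIDR form for each 'extended permit ip' ACE.

    Remarks are skipped. Anything else (object-group ACEs, non-ip protocols) raises, because a
    line this parser cannot read is exactly the line a mirror check must not silently ignore;
    expand object-groups first (e.g. from 'show access-list' output).
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or " remark " in line:
            continue
        m = ASA_ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        tokens = m.group("rest").split()
        src, i = _asa_endpoint(tokens, 0)
        dst, _ = _asa_endpoint(tokens, i)
        pairs.append((src, dst))
    return pairs


def parse_ssg_proxy_ids(text):
    """Return [(local, remote)] in CIDR form for each ScreenOS 'set vpn ... proxy-id' line."""
    pairs = []
    for line in text.splitlines():
        m = SSG_PROXY_RE.search(line)
        if m:
            pairs.append((str(ipaddress.ip_network(m.group("local"))),
                          str(ipaddress.ip_network(m.group("remote")))))
    return pairs


def check_mirror(asa_acl_text, ssg_proxy_text):
    """Compare both sides from the ASA's viewpoint: ASA (src, dst) must equal SSG (remote, local)."""
    asa = set(parse_asa_crypto_acl(asa_acl_text))
    ssg_as_seen_by_asa = {(remote, local) for local, remote in parse_ssg_proxy_ids(ssg_proxy_text)}
    return {
        "mirrored": sorted(asa & ssg_as_seen_by_asa),
        "asa_only": sorted(asa - ssg_as_seen_by_asa),  # ASA proposes these; SSG has no match
        "ssg_only": sorted(ssg_as_seen_by_asa - asa),  # SSG proposes these; ASA has no match
    }


if __name__ == "__main__":
    for key, pairs in check_mirror(ASA_CRYPTO_ACL, SSG_PROXY_IDS).items():
        for local, remote in pairs:
            print(f"{key:9} ASA {local} <-> SSG {remote}")
```

With the sample input the /16 pair is reported as mirrored, while `10.1.5.10/32 <-> 10.3.0.0/24` shows up only on the ASA and `10.1.5.0/24 <-> 10.3.0.0/24` only on the SSG: the kind of off-by-one-mask entry that looks fine in a side-by-side read of two configs. Anything in `asa_only` or `ssg_only` should be fixed before spending time in `debug crypto ikev1 127` output.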