We are running into a really strange issue. We have a Phoenix Contact MGuard firewall behind a Cisco ASA and it's trying to establish a VPN to another Phoenix MGuard halfway across the world and it's failing. The logs on the MGuards say that the packet is being altered by a device and being discarded. The odd thing is when I route the traffic via some Juniper Firewalls that we have, the same thing is not occurring, no alteration, everything is ok. It seems to be based on the message that a checksum is being edited so the packet makes it to the other end but, the ASA is for some reason altering the packet. I'm not even sure where to start on this one as the traffic is passing... Right now, I'll keep it through the Juniper, just looking for some ideas... The MGuard has a static NAT on the ASA...
I took some packet captures before and after the ASA and it would appear that the ASA is altering the responder cookie in the initial ISAKMP packet... Very very odd...
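An added example (not from this thread) of the comparison described above: it parses the ISAKMP fixed header from a UDP/500 capture taken on each side of the firewall, reports which header fields changed, and verifies the UDP checksum against each side's own source address. A still-valid checksum on a changed packet shows a device rewrote it and recomputed the checksum, rather than corruption in transit. The packets and the 10.0.0.5 / 203.0.113.10 / 198.51.100.20 addresses are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP fixed header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
FIELDS = ("initiator_cookie", "responder_cookie", "next_payload", "version",
          "exchange_type", "flags", "message_id", "length")

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP segment with a correct checksum (as a NAT device would emit)."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = (~ones_complement_sum(pseudo_header(src, dst, 8 + len(payload)) + hdr + payload)) & 0xFFFF
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum or 0xFFFF) + payload

def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """True when the segment's checksum is valid for this IP pair (sum must fold to 0xFFFF)."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def parse_isakmp(segment: bytes) -> dict:
    vals = ISAKMP_HDR.unpack_from(segment, 8)  # skip the 8-byte UDP header
    hdr = dict(zip(FIELDS, vals))
    hdr["initiator_cookie"] = hdr["initiator_cookie"].hex()
    hdr["responder_cookie"] = hdr["responder_cookie"].hex()
    return hdr

def isakmp_diff(inside: bytes, outside: bytes) -> dict:
    """ISAKMP header fields that differ between the two captures of the same packet."""
    a, b = parse_isakmp(inside), parse_isakmp(outside)
    return {k: (a[k], b[k]) for k in FIELDS if a[k] != b[k]}

# Constructed sample: IKEv1 main-mode message 1, whose responder cookie is all zeros.
ISAKMP_MSG1 = ISAKMP_HDR.pack(bytes.fromhex("a1b2c3d4e5f60718"), bytes(8), 0, 0x10, 2, 0, 0, 28)
# Inside capture (private side of the static NAT) and outside capture (source NATed as
# expected, but with the responder cookie rewritten, mimicking the reported symptom).
INSIDE = build_udp("10.0.0.5", "198.51.100.20", 500, 500, ISAKMP_MSG1)
ALTERED = ISAKMP_MSG1[:8] + bytes.fromhex("00112233445566ff") + ISAKMP_MSG1[16:]
OUTSIDE = build_udp("203.0.113.10", "198.51.100.20", 500, 500, ALTERED)
```

Run `isakmp_diff(INSIDE, OUTSIDE)` on your own inside/outside captures of the same IKE message; a non-empty result together with a valid outside checksum points at the intermediate device rather than the link.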
I believe we are looking at some sort of odd bug. Have a TAC case open with Cisco... Nada... It's definitely the ASA however, have rerouted the VPN through a Juniper Firewall and Fortinet, no issues, works without issue every time. I'll keep this updated...
Weird behavior, please keep us posted.
The firewall is running 8.2.5
I turned off the UDP IPSec helper and that helped improve issues. It's now about 7 minutes to a reconnection rather than 10 but, it's still altering the receiver ID. Doesn't make any sense. I'm not getting anything back from my TAC case either. Not too worried as I'm more than willing to route around to my Juniper Firewalls but, it's very odd that this behavior is occurring with just the ASAs... I'd like to figure it out.
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect icmp error
set connection advanced-options mss-map
set connection decrement-ttl