Site-to-site VPN fails to establish phase 1 IKEv1 or IKEv2

Mate.Barna
Level 1

Hi All,

Out of the blue one of our customer's S2S VPN has gone down and doesn't come up since. We have hundreds of other tunnels working just fine.

The remote end - 999.999.999.25, peer named "WIBBLE-F2F" - says they have done no changes, and we didn't either - the usual network phenomenon!

Initially, we tried changing phase 1 and 2 details and policy order on the local ASA (111.111.111.133), ran multiple debugs and packet traces and now we started using IKEv1 to no avail. Also checked traceroutes, access rules etc.

Debug is attached below for both IKEv2 and IKEv1. Configuration for IKEv1 is also attached. The device isn't behind NAT.

Does anyone have some pointers for local troubleshooting? I've asked the remote end to do as such, but that will take a while and I would like to cover all I can.

The remote end firewall is unknown; they won't tell me due to security. Our local end is a Cisco 5585 running ASA 9.12(4)35.

16 Replies

Hi!
I'm still awaiting the remote side to come back to me on their troubleshooting efforts with their supplier.
We tried swapping over policies and IKE versions relentlessly in a remote session last week, short of trying 3DES and MD5 (not going to happen lol). The tunnel is still generating the same 'Duplicate packet, retransmitting' kind of message every 10 seconds or so on both ends, as the debugs in the posts above show.
We have tried changing PSK as well, however, it doesn't seem to get that far as even with the wrong PSK the same message appears.

I think about the duplicate message.

It can come from:

1- An ACL is blocking UDP 500 (you confirm that no ACL is dropping UDP 500).

2- There is fragmentation of one message.

Yes, if the message is fragmented at some point, then there is a chance that each side receives two header messages for the same one.
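A small triage script for the retransmission loop described in this thread (the 'Duplicate packet, retransmitting' message every 10 seconds or so) that separates the two causes raised in the last reply: a filtered UDP 500 path versus fragmentation of a large IKE message. This is an added example, not code from the thread or from Cisco; the log schema, the sample lines and the MTU threshold are constructed assumptions, not the ASA debug format.

```python
import re
import statistics
from datetime import datetime

# Constructed log schema for this example (NOT the ASA debug format):
#   HH:MM:SS DIR text...   where DIR is OUT (sent by us) or IN (from peer)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (OUT|IN) (.*)$")
LEN_RE = re.compile(r"len=(\d+)")
RETRANSMIT_TEXT = "Duplicate packet, retransmitting"  # wording quoted in the thread
MTU = 1500  # assumed path MTU; IKE packets close to it are likely to fragment

# Constructed sample 1: we keep retransmitting and nothing ever comes back.
SAMPLE_NO_REPLY = """\
12:00:00 OUT Sending packet to 999.999.999.25:500 len=604
12:00:10 OUT Duplicate packet, retransmitting
12:00:20 OUT Duplicate packet, retransmitting
12:00:30 OUT Duplicate packet, retransmitting
"""

# Constructed sample 2: the peer answers with a near-MTU packet, loop continues.
SAMPLE_FRAGMENT = """\
12:00:00 OUT Sending packet to 999.999.999.25:500 len=604
12:00:01 IN Received packet from 999.999.999.25:500 len=1480
12:00:10 OUT Duplicate packet, retransmitting
12:00:20 OUT Duplicate packet, retransmitting
"""

def parse(log):
    """Return (timestamp, direction, text, length) tuples for parsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = LEN_RE.search(m.group(3))
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(size.group(1)) if size else 0))
    return events

def triage(log):
    """Summarise the retransmit loop and point at the more likely cause."""
    events = parse(log)
    retx = [ts for ts, d, text, _ in events if d == "OUT" and RETRANSMIT_TEXT in text]
    inbound = [e for e in events if e[1] == "IN"]
    gaps = [(b - a).total_seconds() for a, b in zip(retx, retx[1:])]
    result = {
        "retransmits": len(retx),
        "retransmit_interval_s": statistics.median(gaps) if gaps else None,
        "inbound_packets": len(inbound),
        "largest_inbound": max((e[3] for e in inbound), default=0),
    }
    if retx and not inbound:
        result["verdict"] = "no reply: verify UDP 500/4500 is not filtered on the path"
    elif retx and result["largest_inbound"] >= MTU - 100:
        result["verdict"] = "replies arrive but large: suspect IKE fragmentation"
    elif retx:
        result["verdict"] = "replies arrive, still retransmitting: peer rejects message"
    else:
        result["verdict"] = "no retransmit loop"
    return result
```

Feed it the relevant debug lines after mapping your ASA output onto the OUT/IN schema; a verdict of "no reply" points at the path (cause 1 above), a large inbound packet at fragmentation (cause 2).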