Cisco ASA – Remote VPN – Dual ISP

Tags: cisco, cisco-asa, vpn

I'm trying to set up an L2TP/IPsec VPN from a Windows 7 client to a Cisco ASA 5505 with a SecPlus license.

The ASA has dual WAN connections:

  • wan1: a mobile 3G connection behind the ISP router, used for Internet browsing.
  • wan2: a DSL connection with "static" DHCP IP, used for incoming firewall traffic.

A static route with tracking is set so if the 3G is down it will failover to DSL:

route wan1 0.0.0.0 0.0.0.0 192.168.98.1 1 track 1

wan2 has this config:

dhcp client route distance 200
ip address dhcp setroute 

All that is working fine.

Now when I try to make an L2TP/IPsec VPN connection from a Windows 7 client to the wan2 interface, I get these errors:

Duplicate first packet detected.  Ignoring packet.
Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

The first error I'm also getting with the "old" Cisco VPN client, using the ASDM Wizard.

ASA version is: 9.1

Question is: Am I missing something? I suspect the dual WAN setup to be the problem. Does the ASA send the VPN reply back on the default route (wan1)?

/Kim

Best Answer

You do have asymmetrical routing, but that shouldn't be the issue. Instead, I suspect the issue is link delay involving your 3G link. Since IPsec IKE uses UDP/500 or UDP/4500 with NAT-Traversal, there's no guarantee of packet delivery. Your VPN client -- the IKE initiator -- sends the first IKE message and is awaiting a response from your ASA. The ASA IKE response message is either dropped or delayed so long that your VPN client sends another IKE message, causing the ASA to log the Duplicate first packet received.

I would think your DSL link is more reliable -- less delay, less jitter, less packet loss -- than the 3G mobile network. Any reason that's not your default gateway? To test the 3G link as the issue, force the DSL to be your default.
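One way to check this diagnosis from the ASA's own IKE log text, as an added example that is not part of the original question or answer: the script below parses lines of the "Group = ..., IP = ..., <message>" shape, counts "Duplicate first packet" events per peer and measures the time between them (each one is a client retransmit, so a run of them with a few seconds' gap points at a delayed or lost ASA reply rather than a bad proposal), and separately records the Phase 1 "Mismatched attribute types" error with the received and configured DH group. The sample lines, timestamps, group name and peer addresses are constructed for the example, and the line layout is an assumption about the syslog text rather than a guarantee of the exact ASA format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled loosely on the "IP = ..., <message>" layout
# of ASA IKE log text; timestamps, group name and peer addresses are made up.
SAMPLE_LOG = """\
Jan 10 2014 10:00:00: Group = DefaultRAGroup, IP = 203.0.113.7, Duplicate first packet detected.  Ignoring packet.
Jan 10 2014 10:00:03: Group = DefaultRAGroup, IP = 203.0.113.7, Duplicate first packet detected.  Ignoring packet.
Jan 10 2014 10:00:07: Group = DefaultRAGroup, IP = 203.0.113.7, Duplicate first packet detected.  Ignoring packet.
Jan 10 2014 10:00:09: Group = DefaultRAGroup, IP = 203.0.113.7, Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jan 10 2014 10:05:00: Group = DefaultRAGroup, IP = 198.51.100.20, Duplicate first packet detected.  Ignoring packet.
Jan 10 2014 10:05:02: Group = DefaultRAGroup, IP = 198.51.100.20, Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
"""

# Assumed line layout: "<Mon D YYYY HH:MM:SS>: [Group = <name>, ]IP = <peer>, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d): "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[0-9.]+), (?P<msg>.+)$"
)
DUP_RE = re.compile(r"Duplicate first packet detected")
# "Rcv'd: Unknown" means the ASA could not map the client's proposed group
# to one it knows; "Cfg'd" is the group in the ASA's own ISAKMP policy.
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class Group Description:\s+"
    r"Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)


def parse_line(line):
    """Return {ts, ip, msg} for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "ip": m.group("ip"), "msg": m.group("msg")}


def analyze(log_text):
    """Per-peer counters: duplicate first packets, gaps between them, Phase 1 mismatches."""
    peers = defaultdict(lambda: {
        "duplicates": 0, "retransmit_gaps_s": [], "phase1_mismatch": 0,
        "rcvd": set(), "cfgd": set(), "_last_dup": None,
    })
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers[ev["ip"]]
        if DUP_RE.search(ev["msg"]):
            p["duplicates"] += 1
            if p["_last_dup"] is not None:
                # Time since the previous duplicate = the client's retransmit interval.
                p["retransmit_gaps_s"].append((ev["ts"] - p["_last_dup"]).total_seconds())
            p["_last_dup"] = ev["ts"]
        mm = MISMATCH_RE.search(ev["msg"])
        if mm:
            p["phase1_mismatch"] += 1
            p["rcvd"].add(mm.group("rcvd"))
            p["cfgd"].add(mm.group("cfgd"))
    for p in peers.values():
        del p["_last_dup"]
    return dict(peers)


def diagnose(report):
    """Turn the counters into short findings, one list of strings per peer."""
    findings = {}
    for ip, p in report.items():
        notes = []
        if p["duplicates"] >= 2:
            notes.append(
                f"client resent its first IKE message {p['duplicates']} times "
                f"(gaps {p['retransmit_gaps_s']} s): the ASA reply is delayed or lost, "
                "check which interface and default route the reply leaves on")
        elif p["duplicates"] == 1:
            notes.append("one duplicate first packet: a single retransmit, likely transient")
        if p["phase1_mismatch"]:
            notes.append(
                f"phase 1 proposal mismatch: client offered DH group {sorted(p['rcvd'])}, "
                f"ASA policy has {sorted(p['cfgd'])}")
        findings[ip] = notes
    return findings


if __name__ == "__main__":
    for ip, notes in diagnose(analyze(SAMPLE_LOG)).items():
        print(ip)
        for n in notes:
            print("  -", n)
```

Run it against a saved `show logging` capture or a syslog file instead of `SAMPLE_LOG` to see whether a peer's duplicates come in a regular burst (retransmits waiting on a slow reply) or not at all once the DSL link is made the default, which is the test the answer proposes.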
