
VPN duplicate ISAKMP message received ICX-7450

james_schena
New Contributor II

Hub and Spoke topology with multiple IPSEC tunnels going from the Hub to remote spokes for centralized licensing of software. 3 active tunnels, all with identical configurations, minus unique source/destination/authentication combos. The 4th area has the same configuration as the 3 active ones, again with just the unique combinations.

When debugging ike all at the Hub, I keep receiving 'Duplicate ISAKMP message received' errors, killing the SA and starting the negotiation over again. The Hub shows 2 IKE SAs constructing during this process, then they die and start over.

The spoke shows no error when debugging ike all but fails to negotiate an SA.

Here is the meat and potatoes of the Ike/IPSEC configuration @ the HUB:

ikev2 retry-count 15
ikev2 exchange-max-time 45
ikev2 retransmit-interval 15
ikev2 limit max-in-negotiation-sa 256
ikev2 limit max-sa 200
ikev2 nat disable
!
!
ikev2 auth-proposal A
 pre-shared-key A
!
ikev2 auth-proposal B
 pre-shared-key 2 B
!
ikev2 auth-proposal C
 pre-shared-key 2 C
!
ikev2 auth-proposal D
 pre-shared-key 2 D
!
ikev2 auth-proposal E
 pre-shared-key 2 E
!
ikev2 auth-proposal F
 pre-shared-key 2 F
!
ikev2 auth-proposal G
 pre-shared-key 2 G
!
ikev2 auth-proposal H
 pre-shared-key 2 H
!
ikev2 profile A
 authentication A
 lifetime 240
 local-identifier address xx.xx.109.2
 remote-identifier address xx.xx.109.1
 match-identity local address xx.xx.109.2
 match-identity remote address xx.xx.109.1
!
ikev2 profile B
 authentication B
 lifetime 240
 local-identifier address xx.xx.109.17
 remote-identifier address xx.xx.109.18
 match-identity local address xx.xx.109.17
 match-identity remote address xx.xx.109.18
!
ikev2 profile C
 authentication C
 lifetime 240
 local-identifier address xx.xx.109.5
 remote-identifier address xx.xx.109.6
 match-identity local address xx.xx.109.5
 match-identity remote address xx.xx.109.6
!
ikev2 profile D
 authentication D
 lifetime 240
 local-identifier address xx.xx.109.29
 remote-identifier address xx.xx.109.30
 match-identity local address xx.xx.109.29
 match-identity remote address xx.xx.109.30
!
ikev2 profile E
 authentication E
 lifetime 240
 local-identifier address xx.xx.109.33
 remote-identifier address xx.xx.109.34
 match-identity local address xx.xx.109.33
 match-identity remote address xx.xx.109.34
!
ikev2 profile F
 authentication F
 lifetime 240
 local-identifier address xx.xx.109.37
 remote-identifier address xx.xx.109.38
 match-identity local address xx.xx.109.37
 match-identity remote address xx.xx.109.38
!
ikev2 profile G
 authentication G
 lifetime 240
 local-identifier address xx.xx.109.41
 remote-identifier address xx.xx.109.42
 match-identity local address xx.xx.109.41
 match-identity remote address xx.xx.109.42
!
ikev2 profile H
 authentication H
 lifetime 240
 local-identifier address xx.xx.109.45
 remote-identifier address xx.xx.109.46
 match-identity local address xx.xx.109.45
 match-identity remote address xx.xx.109.46

!

ipsec profile A
 ike-profile A
!
ipsec profile B
 ike-profile B
!
ipsec profile C
 ike-profile C
!
ipsec profile D
 ike-profile D
!
ipsec profile E
 ike-profile E
!
ipsec profile F
 ike-profile F
!
ipsec profile G
 ike-profile G
!
ipsec profile H
 ike-profile H

!

interface tunnel A
 port-name A
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile A
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.2
 disable
 bandwidth 1000000
 ip address xx.xx.109.2 255.255.255.252
 ip mtu 1425

!

interface tunnel 1
 port-name B
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile B
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.18
 bandwidth 1000000
 ip address xx.xx.109.17 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 2
 port-name C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile C
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.6
 bandwidth 1000000
 ip address xx.xx.109.5 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 3
 port-name D
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile D
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.30
 disable
 bandwidth 1000000
 ip address xx.xx.109.29 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 4
 port-name E
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile E
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.34
 bandwidth 1000000
 ip address xx.xx.109.33 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 6
 port-name F
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile F
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.38
 bandwidth 1000000
 ip address xx.xx.109.37 255.255.255.252
!
!
interface tunnel 7
 port-name G
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile G
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.42
 disable
 bandwidth 1000000
 ip address xx.xx.109.41 255.255.255.252
 ip mtu 1425
!
!
interface tunnel 8
 port-name H
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile H
 tunnel source xx.xx.3.1
 tunnel destination xx.xx.109.46
 disable
 bandwidth 1000000
 ip address xx.xx.109.45 255.255.255.252
 ip mtu 1425
!
!
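
Added example (not part of the original post, and not vendor tooling): with this many near-identical stanzas, a small Python script can confirm that every tunnel resolves through its ipsec profile to an ikev2 profile whose identifiers agree with the tunnel, and that no tunnel lacks a setting most of its siblings carry. The pairing of `ip address` with the local identifier and of `tunnel destination` with the remote identifier is an assumption taken from the numbered tunnels in the post, and the sample input is constructed with documentation-range addresses.

```python
import re
from collections import Counter

def parse(text):
    """Return {(kind, name): [setting lines]} for the three stanza types in the post."""
    blocks, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"(ikev2 profile|ipsec profile|interface tunnel) (\S+)\s*$", line)
        if m:
            cur = blocks.setdefault((m.group(1), m.group(2)), [])
        elif line.startswith(" ") and line.strip() and cur is not None:
            cur.append(line.strip())
        elif line.strip():
            cur = None  # "!" or another top-level line closes the stanza
    return blocks

def get(stanza, prefix):  # first value following `prefix` in a stanza, or None
    return next((l[len(prefix):].split()[0] for l in stanza if l.startswith(prefix + " ")), None)

def audit(text):
    cfg, findings = parse(text), []
    tunnels = {n: s for (k, n), s in cfg.items() if k == "interface tunnel"}
    seen = Counter(k for s in tunnels.values() for k in {" ".join(l.split()[:2]) for l in s})
    for name, t in tunnels.items():
        ipsec = cfg.get(("ipsec profile", get(t, "tunnel protection ipsec profile")), [])
        ike = cfg.get(("ikev2 profile", get(ipsec, "ike-profile")), [])  # empty if chain is broken
        checks = [(ike, "local-identifier address", ike, "match-identity local address"),
                  (ike, "remote-identifier address", ike, "match-identity remote address"),
                  (t, "ip address", ike, "local-identifier address"),           # assumed convention
                  (t, "tunnel destination", ike, "remote-identifier address")]  # assumed convention
        findings += [f"tunnel {name}: '{ka}' != '{kb}'"
                     for a, ka, b, kb in checks if get(a, ka) != get(b, kb)]
        for key, n in seen.items():  # settings most tunnels carry but this one lacks
            if key != "disable" and 2 * n > len(tunnels) and not any(l.startswith(key) for l in t):
                findings.append(f"tunnel {name}: missing '{key}'")
    return findings

def stanza(name, local, remote, dest=None, mtu=True):
    """Constructed sample text in the post's syntax (192.0.2.0/24 is a documentation range)."""
    return "\n".join([f"ikev2 profile {name}", f" authentication {name}",
        f" local-identifier address {local}", f" remote-identifier address {remote}",
        f" match-identity local address {local}", f" match-identity remote address {remote}",
        "!", f"ipsec profile {name}", f" ike-profile {name}", "!", f"interface tunnel {name}",
        f" tunnel protection ipsec profile {name}", f" tunnel destination {dest or remote}",
        f" ip address {local} 255.255.255.252"] + ([" ip mtu 1425"] if mtu else []) + ["!", ""])

SAMPLE = (stanza("1", "192.0.2.17", "192.0.2.18") + stanza("2", "192.0.2.5", "192.0.2.6")
          + stanza("6", "192.0.2.37", "192.0.2.38", mtu=False)
          + stanza("9", "192.0.2.2", "192.0.2.1", dest="192.0.2.2"))
```

Pass the running-config text to `audit()`; an empty list means these checks found no drift between stanzas, not that the tunnel will negotiate.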
