
Troubleshooting ISAKMP Phase 1 Messages – Part 2

January 24th, 2014

This post explains the IKE Debug message: “Duplicate first packet detected”

This event is logged when packets do not reach their destination, usually due to network routing problems. The Phase 1 IKE exchange between the tunnel peers fails at MM_WAIT_MSG2.

(See Troubleshooting ISAKMP Phase 1 Messages – Part 1 to understand the IKE messages further.)

1) IKE initiator sends MM_SND_MSG1 and goes into the MM_WAIT_MSG2 state
2) IKE responder receives MM_SND_MSG1, sends MM_SND_MSG2 back to the initiator and goes into the MM_WAIT_MSG3 state, expecting MM_SND_MSG3 as the next exchange from the initiator
3) IKE initiator, having not received MM_SND_MSG2 from the responder, resends MM_SND_MSG1, resulting in “Duplicate first packet detected” being logged on the responder.

In the debug (from the initiator) you can see this occurring:

Jan 24 09:02:44 [IKEv1 DEBUG]: IP = 123.123.123.123, IKE MM Initiator FSM error history (struct &0xafd4cc28)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

On the responder you can see that MSG1 arrived and the responder returned MSG2 to the initiator, but it never arrives! The responder stays at MM_WAIT_MSG3 and then re-sends MSG2. The IKE responder receives MM_SND_MSG1 a second time and logs “Duplicate first packet detected”. This process repeats three times and then the tunnel is torn down.

Jan 24 14:10:25 [IKEv1]IP = 123.123.123.123, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 24 14:10:33 [IKEv1 DEBUG]IP = 123.123.123.123, IKE MM Responder FSM error history (struct &0x00007fff377c82e0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Jan 24 14:10:33 [IKEv1 DEBUG]IP = 123.123.123.123, IKE SA MM:fc0b05cf terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 24 14:10:33 [IKEv1 DEBUG]IP = 123.123.123.123, sending delete/delete with reason message

In this case the problem was the absence of a default route out of the outside interface on the Cisco ASA 5525 (the router had been defaulted and this was an omission).
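
A small triage helper for the two "FSM error history" lines shown above, added here as an example (it is not code from the original post or from Cisco). It parses the state/event chain and reports the last MM_WAIT state reached and how many resends occurred; the function names, the hint wording and the assumption that the history is printed newest first are this example's own.

```python
import re

# Constructed sample input: the two FSM history lines quoted in this post,
# with the arrows written as ASCII "-->" (the en-dash form is accepted too).
INITIATOR_LINE = (
    "Jan 24 09:02:44 [IKEv1 DEBUG]: IP = 123.123.123.123, IKE MM Initiator FSM error "
    "history (struct &0xafd4cc28)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, "
    "EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, "
    "EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY"
)
RESPONDER_LINE = (
    "Jan 24 14:10:33 [IKEv1 DEBUG]IP = 123.123.123.123, IKE MM Responder FSM error "
    "history (struct &0x00007fff377c82e0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, "
    "EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, "
    "EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent"
)

FSM_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), IKE MM (?P<role>Initiator|Responder) FSM error history"
    r".*?<state>, <event>:\s*(?P<hist>.+)$")

# Hints are this example's wording, keyed by (role, last wait state).
HINTS = {
    ("Initiator", "MM_WAIT_MSG2"): "MSG1 sent, MSG2 never received",
    ("Responder", "MM_WAIT_MSG3"): "MSG2 sent, MSG3 never received; "
                                   "check the responder's route back to the initiator",
}

def parse_fsm_history(line):
    """Return (role, peer, [(state, event), ...] oldest first), or None."""
    m = FSM_RE.search(line)
    if not m:
        return None
    hops = re.split(r"\s*(?:-->|–>|->)\s*", m["hist"].strip())
    pairs = [tuple(x.strip() for x in hop.partition(",")[::2]) for hop in hops]
    pairs.reverse()  # assumption: the ASA lists the newest transition first
    return m["role"], m["peer"], pairs

def diagnose(line):
    """Summarise where Main Mode stalled and how often a message was resent."""
    parsed = parse_fsm_history(line)
    if parsed is None:
        return None
    role, peer, pairs = parsed
    waits = [s for s, _ in pairs if s.startswith("MM_WAIT_")]
    stalled = waits[-1] if waits else None
    resends = sum(1 for _, e in pairs if e == "EV_RESEND_MSG")
    return {"role": role, "peer": peer, "stalled_at": stalled, "resends": resends,
            "hint": HINTS.get((role, stalled), "no hint for this state")}
```

Running `diagnose()` on the debug output from both peers shows each side waiting for the other's next message, the pattern this post traces to a packet lost in transit.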
