ISAKMP duplicate packets

In a fully meshed IPSec VPN of PIXen - one 515E, five 501s, all running software release 6.3(5) - one of the 501s is causing lots of log messages like these to appear on our central syslog server:

Aug 28 07:47:42 %PIX-7-702205: ISAKMP Phase 2 retransmission (local (initiator), remote , message-ID
Aug 28 07:47:42 %PIX-7-702207: ISAKMP duplicate packet detected (local (responder), remote , message-ID
Aug 28 07:47:47 %PIX-7-702205: ISAKMP Phase 2 retransmission (local (initiator), remote , message-ID
Aug 28 07:47:47 %PIX-7-702205: ISAKMP Phase 2 retransmission (local (responder), remote , message-ID
Aug 28 07:47:47 %PIX-7-702207: ISAKMP duplicate packet detected (local (responder), remote , message-ID

being the IP address of the PIX in question, and that of one of the other PIXen (not seen it with the 515E yet but that's probably because these particular two have very little traffic to exchange). That block of messages typically repeats every 10 seconds for the duration of the data exchange over that particular tunnel, but sometimes the frequency increases.

The users of that connection haven't raised any complaints so far, whatever that means.

My working hypothesis is that this is caused by the bandwidth asymmetry of the ADSL line which provides the outbound connection of that PIX. If that is so, what can or should I do, short of replacing the line by a symmetrical one? Can I tune the PIX in any way to take the asymmetry into consideration? Should I just ignore those messages?

Thanks for all comments.

Tilman Schmidt
