topic Re: Phase 2 Mismatch Error in Network Security

Phase 2 Mismatch Error

chris.bias — Thu, 31 Mar 2022 18:10:51 GMT

Getting this error on a production site to site VPN when it comes with a Phase 2 mismatch (see attached config):

%ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)] 
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)] 
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]

A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.

Re: Phase 2 Mismatch Error

balaji.bandi — Fri, 01 Apr 2022 04:23:05 GMT

post the real Log message - we are aware of this ASA log 106023 with an explanation.

Tell what ASA device model, what code running here ? what is other side of the device :

there is also given recommendation - have you taken any action :

Recommended Action If messages persist from the same source address, footprinting or port scanning attempt might be occurring. Contact the remote host administrator.

Re: Phase 2 Mismatch Error

chris.bias — Fri, 01 Apr 2022 14:13:38 GMT

Please see the log that is attached. The IP address in question is 69.167.161.53 so you have to do a search on the word document. The device is an ASA 5506 PowerSeries.

Re: Phase 2 Mismatch Error

chris.bias — Wed, 06 Apr 2022 13:15:20 GMT

@balaji.bandi were you able to look at the config and prior message.

Re: Phase 2 Mismatch Error

Marius Gunnerud — Wed, 06 Apr 2022 17:45:05 GMT

Is this a question about the VPN not being established or the ACL deny log?

The VPN is not being established because there is a mismatch in the crypto ACL (most likely).

Re: Phase 2 Mismatch Error

chris.bias — Wed, 06 Apr 2022 18:10:23 GMT

@Marius Gunnerud Correct the VPN lost it's connection during phase 2 as phase 1 connects. Would me configuring a RAVPN have anything to do with this? I was told it wouldn't as all other site to site VPNs are working.

Re: Phase 2 Mismatch Error

chris.bias — Mon, 11 Apr 2022 15:30:02 GMT

@balaji.bandiand @Marius Gunnerud any thoughts on this?

Re: Phase 2 Mismatch Error

Marius Gunnerud — Tue, 12 Apr 2022 07:17:24 GMT

No RAVPN and S2S VPN can co-exist on the same device and configuring one does not affect the other (unless you have inadvertently changed the S2S VPN configuration during RAVPN configuration).

As I mentioned in my last post, check that your crypto domain (crypto ACL) is correct on both sides of the VPN tunnel.

Re: Phase 2 Mismatch Error

chris.bias — Tue, 12 Apr 2022 18:24:43 GMT

@Marius Gunnerudand @balaji.bandi even if I used a different port for the RAVPN?

Re: Phase 2 Mismatch Error

Jon Marshall — Tue, 12 Apr 2022 18:58:28 GMT

As already pointed out there is no matching entry in the crypto map and that is why it is not coming up.

Check your crypto map acl.

Jon

Re: Phase 2 Mismatch Error

chris.bias — Mon, 18 Apr 2022 17:23:42 GMT

Issue was on the vendor's side issue was corrected.