topic You can take screenshots from in Network Security

IPSEC phase 1 is working now but Phase 2 failing

mahesh18 — Tue, 12 Mar 2019 07:24:43 GMT

Hi Everyone,

Cisco ASA phase 1 failing

Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 27 2016 10:56:43: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1
Feb 27 2016 10:56:45: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

i am only using ikev1 policy 10 but system shows so many policies

crypto ikev1 policy 10
authentication crack
encryption aes-256
hash md5
group 5
lifetime 86400

crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

should i delete all other crypto ikev1 polices except 10?

Regards

MAhesh

i deleted all the crypto

mahesh18 — Sat, 27 Feb 2016 18:13:46 GMT

i deleted all the crypto ikev1 policies other than 10 now i see below error only

Feb 27 2016 11:11:54: %ASA-6-302015: Built inbound UDP connection 10603 for outside:184.71.x.x/500 (184.71.x.x/500) to identity:68.145.154.x/500 (68.145.154.x/500)
Feb 27 2016 11:11:54: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1

Mahesh,

Dinesh Moudgil — Sat, 27 Feb 2016 18:21:58 GMT

Mahesh,

Can you please share the complete output of the following debug command?
debug crypto condition peer <x.x.x.x>
debug crypto isakmp 200

x.x.x.x being peer IP

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Dinesh,

mahesh18 — Sun, 28 Feb 2016 01:01:05 GMT

Hi Dinesh,

Phase 1 is working but now issue is with phase2.

Phase 1 issue was fixed as i have typo in authentication.

Here is error from ASA

Feb 27 2016 17:15:30: %ASA-3-713061: Group = 184.71.241.x, IP = 184.71.241.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.255.0/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
Feb 27 2016 17:15:30: %ASA-3-713902: Group = 184.71.241.x, IP = 184.71.241.x, QM FSM error (P2 struct &0xcc18c788, mess id 0xd9728a94)!
Feb 27 2016 17:15:30: %ASA-3-713902: Group = 184.71.241.x, IP = 184.71.241.x, Removing peer from correlator table failed, no match!
Feb 27 2016 17:15:30: %ASA-5-713259: Group = 184.71.241.x, IP = 184.71.241.x, Session is being torn down. Reason: crypto map policy not found
Feb 27 2016 17:15:30: %ASA-4-113019: Group = 184.71.241.x, Username = 184.71.241.x, IP = 164.51.231.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:06m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Feb 27 2016 17:15:32: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping
Feb 27 2016 17:15:35: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping
Feb 27 2016 17:15:40: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping

Regards

MAhesh

It seems to be complaining

Marius Gunnerud — Sun, 28 Feb 2016 01:01:06 GMT

It seems to be complaining that the crypto map is not configured for this particular peer. If it is configured, check that the crypto ACLs are mirror images of eachother. If this is correct check if PFS is configured on one side and not the other. If you are still having issues after checking these, please post your full configuration (remove public IPs and usernames / passwords).

Please remember to select a correct answer and rate helpful posts

As stated by my peer Marius,

Dinesh Moudgil — Sun, 28 Feb 2016 01:15:56 GMT

As stated by my peer Marius, " QM FSM error" is pertaining to Phase 2 attributes mismatch
so please confirm they are matching on both sides.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi Marius,

mahesh18 — Sun, 28 Feb 2016 01:23:27 GMT

Hi Marius,

Crypto ACL is matched at both ends.

ASA

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 184.71.241.x
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside

Shows PFS is group 5.

Other end is PALO ALTO firewall and it also has DH ---Group5.

Regards

MAhesh

Does the Palo Alto have

Marius Gunnerud — Sun, 28 Feb 2016 01:31:25 GMT

Does the Palo Alto have another route to the ASA through another interface perhaps? I have come across a similar issue between ASA and Palo Alto where the Palo Alto established phase 1 through one interface and then sendt phase 2 through a second interface that was also had a route to the ASA.

Would you be able to post the configuration for the ASA and Palo Alto, if the above is not the case.

Please remember to select a correct answer and rate helpful posts

On Palo Alto1. tail follow

Dinesh Moudgil — Sun, 28 Feb 2016 01:37:32 GMT

On Palo Alto

1. tail follow yes mp-log ikemgr.log

2. Go to Monitor > System >
In the search field , type "( subtype eq vpn )" to filter the logs.

3. Initiate the tunnel.

4. Check the output of 1st and 2nd.

On ASA:
1.
debug crypto condition peer x.x.x.x (ip of remote peer)
debug crypto isakmp 200
debug crypto ipsec 200

Here is a document that you can refer to verify the VPN tunnel on both firewalls:-
https://live.paloaltonetworks.com/docs/DOC-3464

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

PA

mahesh18 — Sun, 28 Feb 2016 01:53:42 GMT

tail follow yes mp-log ikemgr.log
2016-02-27 18:43:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:0000000000000000 <====
2016-02-27 18:43:20 [INFO]: received Vendor ID: FRAGMENTATION
2016-02-27 18:43:20 [INFO]: received Vendor ID: CISCO-UNITY
2016-02-27 18:43:20 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-02-27 18:43:20 [INFO]: received Vendor ID: DPD
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf lifetime 86400 Sec <====
2016-02-27 18:43:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====

I have added the log info from the PA.

Will do the same for Cisco

Regards

MAhesh

PA management interface is on

mahesh18 — Sun, 28 Feb 2016 02:15:59 GMT

PA management interface is on same subnet as Cisco LAN that is 10.0.0.0.

Can this cause the issue?

How can i send you config from Palo alto?

Log from Cisco

mahesh18 — Sun, 28 Feb 2016 02:26:07 GMT

Log from Cisco

Feb 27 2016 19:02:49: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 184.71.241.62
Feb 27 2016 19:02:49: %ASA-5-713119: Group = 184.71.241.62, IP = 184.71.241.62, PHASE 1 COMPLETED

Debug output

Feb 27 2016 19:24:46: %ASA-7-715036: Group = 184.71.241.62, IP = 184.71.241.62, Sending keep-alive of type DPD R-U-THERE (seq number 0x21a80545)
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing blank hash payload
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing qm hash payload
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE SENDING Message (msgid=37a2d4fd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE RECEIVED Message (msgid=123be3c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing hash payload
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing notify payload
Feb 27 2016 19:24:46: %ASA-7-715075: Group = 184.71.241.62, IP = 184.71.241.62, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x21a80545)

You can take screenshots from

Marius Gunnerud — Sun, 28 Feb 2016 02:39:34 GMT

You can take screenshots from Palo Alto.

Also a full running config from the ASA would be good.

Please remember to select a correct answer and rate helpful posts

I have attached screenshots

mahesh18 — Sun, 28 Feb 2016 03:18:02 GMT

I have attached screenshots from PA

and full config from ASA

Regards

MAhesh

It looks correct. Have you

Marius Gunnerud — Sun, 28 Feb 2016 06:48:23 GMT

It looks correct. Have you double checked that the PSK is correct? perhaps re-enter it at both ends of the tunnel.

Please remember to select a correct answer and rate helpful posts

I put the PSK on both devices

mahesh18 — Sun, 28 Feb 2016 19:54:48 GMT

I put the PSK on both devices still same issue.

Logs from ASA

Feb 28 2016 12:49:26: %ASA-6-302015: Built inbound UDP connection 36387 for outside:184.71.241.62/500 (184.71.241.62/500) to identity:68.145.154.173/500 (68.145.154.173/500)
Feb 28 2016 12:49:26: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 184.71.241.62
Feb 28 2016 12:49:26: %ASA-5-713119: Group = 184.71.241.62, IP = 184.71.241.62, PHASE 1 COMPLETED
Feb 28 2016 12:49:26: %ASA-3-713061: Group = 184.71.241.62, IP = 184.71.241.62, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.255.0/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
Feb 28 2016 12:49:26: %ASA-3-713902: Group = 184.71.241.62, IP = 184.71.241.62, QM FSM error (P2 struct &0xcc047590, mess id 0x13a9e9fd)!
Feb 28 2016 12:49:26: %ASA-3-713902: Group = 184.71.241.62, IP = 184.71.241.62, Removing peer from correlator table failed, no match!
Feb 28 2016 12:49:26: %ASA-5-713259: Group = 184.71.241.62, IP = 184.71.241.62, Session is being torn down. Reason: crypto map policy not found
Feb 28 2016 12:49:26: %ASA-4-113019: Group = 184.71.241.62, Username = 184.71.241.62, IP = 164.51.231.204, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Your ASA configuration looks

Marius Gunnerud — Sun, 28 Feb 2016 19:56:47 GMT

Your ASA configuration looks fine. I believe the issue is on the Palo Alto and how it handles the VPN traffic. Unfortunately my knowledge of Palo Alto is very deep.

Please remember to select a correct answer and rate helpful posts

I will keep troubleshooting

mahesh18 — Sun, 28 Feb 2016 20:00:22 GMT

I will keep troubleshooting will update you.

Best Regards

Mahesh

Phase 2 is up now seems ASA

mahesh18 — Sun, 28 Feb 2016 20:32:37 GMT

Phase 2 is up now seems ASA was missing

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC

Regards

Mahesh

really? the config you

Marius Gunnerud — Sun, 28 Feb 2016 20:49:33 GMT

really? the config you posted had it there:

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 184.71.241.62 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
<--- More --->
              
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 86400

Please remember to select a correct answer and rate helpful posts