Solved: Mahesh,

mahesh18 · ‎02-27-2016

Hi Everyone,

Cisco ASA phase 1 failing

Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 27 2016 10:56:43: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1
Feb 27 2016 10:56:45: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

i am only using ikev1 policy 10 but system shows so many policies

crypto ikev1 policy 10
authentication crack
encryption aes-256
hash md5
group 5
lifetime 86400

crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

should i delete all other crypto ikev1 polices except 10?

Regards

MAhesh

Marius Gunnerud · ‎02-27-2016

It seems to be complaining that the crypto map is not configured for this particular peer. If it is configured, check that the crypto ACLs are mirror images of eachother. If this is correct check if PFS is configured on one side and not the other. If you are still having issues after checking these, please post your full configuration (remove public IPs and usernames / passwords).

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Dinesh Moudgil · ‎02-27-2016

On Palo Alto

1. tail follow yes mp-log ikemgr.log

2. Go to Monitor > System >
In the search field , type "( subtype eq vpn )" to filter the logs.

3. Initiate the tunnel.

4. Check the output of 1st and 2nd.

On ASA:
1.
debug crypto condition peer x.x.x.x (ip of remote peer)
debug crypto isakmp 200
debug crypto ipsec 200

Here is a document that you can refer to verify the VPN tunnel on both firewalls:-
https://live.paloaltonetworks.com/docs/DOC-3464

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

mahesh18 · ‎02-27-2016

i deleted all the crypto ikev1 policies other than 10 now i see below error only

Feb 27 2016 11:11:54: %ASA-6-302015: Built inbound UDP connection 10603 for outside:184.71.x.x/500 (184.71.x.x/500) to identity:68.145.154.x/500 (68.145.154.x/500)
Feb 27 2016 11:11:54: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1

Dinesh Moudgil · ‎02-27-2016

Mahesh,

Can you please share the complete output of the following debug command?
debug crypto condition peer <x.x.x.x>
debug crypto isakmp 200

x.x.x.x being peer IP

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

mahesh18 · ‎02-27-2016

Hi Dinesh,

Phase 1 is working but now issue is with phase2.

Phase 1 issue was fixed as i have typo in authentication.

Here is error from ASA

Feb 27 2016 17:15:30: %ASA-3-713061: Group = 184.71.241.x, IP = 184.71.241.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.255.0/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
Feb 27 2016 17:15:30: %ASA-3-713902: Group = 184.71.241.x, IP = 184.71.241.x, QM FSM error (P2 struct &0xcc18c788, mess id 0xd9728a94)!
Feb 27 2016 17:15:30: %ASA-3-713902: Group = 184.71.241.x, IP = 184.71.241.x, Removing peer from correlator table failed, no match!
Feb 27 2016 17:15:30: %ASA-5-713259: Group = 184.71.241.x, IP = 184.71.241.x, Session is being torn down. Reason: crypto map policy not found
Feb 27 2016 17:15:30: %ASA-4-113019: Group = 184.71.241.x, Username = 184.71.241.x, IP = 164.51.231.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:06m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Feb 27 2016 17:15:32: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping
Feb 27 2016 17:15:35: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping
Feb 27 2016 17:15:40: %ASA-5-713904: IP = 184.71.241.x, Received encrypted packet with no matching SA, dropping

Regards

MAhesh

Marius Gunnerud · ‎02-27-2016

It seems to be complaining that the crypto map is not configured for this particular peer. If it is configured, check that the crypto ACLs are mirror images of eachother. If this is correct check if PFS is configured on one side and not the other. If you are still having issues after checking these, please post your full configuration (remove public IPs and usernames / passwords).

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-27-2016

Hi Marius,

Crypto ACL is matched at both ends.

ASA

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 184.71.241.x
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside

Shows PFS is group 5.

Other end is PALO ALTO firewall and it also has DH ---Group5.

Regards

MAhesh

Marius Gunnerud · ‎02-27-2016

Does the Palo Alto have another route to the ASA through another interface perhaps? I have come across a similar issue between ASA and Palo Alto where the Palo Alto established phase 1 through one interface and then sendt phase 2 through a second interface that was also had a route to the ASA.

Would you be able to post the configuration for the ASA and Palo Alto, if the above is not the case.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-27-2016

PA management interface is on same subnet as Cisco LAN that is 10.0.0.0.

Can this cause the issue?

How can i send you config from Palo alto?

Marius Gunnerud · ‎02-27-2016

You can take screenshots from Palo Alto.

Also a full running config from the ASA would be good.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-27-2016

I have attached screenshots from PA

and full config from ASA

Regards

MAhesh

Marius Gunnerud · ‎02-27-2016

It looks correct. Have you double checked that the PSK is correct? perhaps re-enter it at both ends of the tunnel.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-28-2016

I put the PSK on both devices still same issue.

Logs from ASA

Feb 28 2016 12:49:26: %ASA-6-302015: Built inbound UDP connection 36387 for outside:184.71.241.62/500 (184.71.241.62/500) to identity:68.145.154.173/500 (68.145.154.173/500)
Feb 28 2016 12:49:26: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 184.71.241.62
Feb 28 2016 12:49:26: %ASA-5-713119: Group = 184.71.241.62, IP = 184.71.241.62, PHASE 1 COMPLETED
Feb 28 2016 12:49:26: %ASA-3-713061: Group = 184.71.241.62, IP = 184.71.241.62, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.255.0/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
Feb 28 2016 12:49:26: %ASA-3-713902: Group = 184.71.241.62, IP = 184.71.241.62, QM FSM error (P2 struct &0xcc047590, mess id 0x13a9e9fd)!
Feb 28 2016 12:49:26: %ASA-3-713902: Group = 184.71.241.62, IP = 184.71.241.62, Removing peer from correlator table failed, no match!
Feb 28 2016 12:49:26: %ASA-5-713259: Group = 184.71.241.62, IP = 184.71.241.62, Session is being torn down. Reason: crypto map policy not found
Feb 28 2016 12:49:26: %ASA-4-113019: Group = 184.71.241.62, Username = 184.71.241.62, IP = 164.51.231.204, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Marius Gunnerud · ‎02-28-2016

Your ASA configuration looks fine. I believe the issue is on the Palo Alto and how it handles the VPN traffic. Unfortunately my knowledge of Palo Alto is very deep.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

mahesh18 · ‎02-28-2016

I will keep troubleshooting will update you.

Best Regards

Mahesh

mahesh18 · ‎02-28-2016

Phase 2 is up now seems ASA was missing

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC

Regards

Mahesh

IPSEC phase 1 is working now but Phase 2 failing