IPSEC phase 1 is working now but Phase 2 failing

mahesh18
Level 6

Hi Everyone,

Cisco ASA phase 1 failing

Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 27 2016 10:56:43: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1
Feb 27 2016 10:56:45: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

I am only using ikev1 policy 10, but the system shows so many policies:

crypto ikev1 policy 10
authentication crack
encryption aes-256
hash md5
group 5
lifetime 86400


crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

Should I delete all other crypto ikev1 policies except 10?

Regards

Mahesh
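
The question above is really about how the ASA picks an IKEv1 policy when several are configured. The script below is an added example (not code from the thread or from Cisco): it parses a `crypto ikev1 policy` block in the format pasted above, walks the policies the way the ASA evaluates them (lowest priority number first; encryption, hash, authentication and DH group must all be identical, while lifetime is negotiated to the shorter value and is therefore ignored here), reports which policy a received proposal would land on and which attributes each policy differs in, and pulls the `Rcv'd`/`Cfg'd` groups out of the `%ASA-5-713257` line. The two proposals in `PROPOSALS` are constructed assumptions, not what the peer in the thread actually sent.

```python
"""IKEv1 policy matching against an ASA 'crypto ikev1 policy' list.

Added example, not code from the thread or from Cisco.  The proposals are
constructed assumptions for illustration only.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: three of the policies posted in the thread.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# The Phase 1 failure line from the thread, to show how Rcv'd/Cfg'd is pulled out.
SAMPLE_SYSLOG = (
    "Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: Mismatched attribute "
    "types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2"
)

# Constructed proposals (assumptions, not what the real peer sent).
PROPOSALS = {
    "peer_a": {"authentication": "pre-share", "encryption": "aes-256", "hash": "md5", "group": "5"},
    "peer_b": {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha", "group": "2"},
}

# Attributes that must be identical for a policy to be selected; lifetime is
# negotiated to the shorter of the two values and so does not block a match.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_policies(config: str) -> List[Dict[str, Any]]:
    """Turn 'crypto ikev1 policy N' blocks into dicts, sorted by priority."""
    policies: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"^crypto ikev1 policy (\d+)$", line)
        if head:
            current = {"priority": int(head.group(1))}
            policies.append(current)
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key in MATCH_ATTRS or key == "lifetime":
            current[key] = value
    return sorted(policies, key=lambda p: p["priority"])


def find_matching_policy(policies: List[Dict[str, Any]], proposal: Dict[str, str]) -> Optional[int]:
    """Priority of the first (lowest-numbered) policy matching the proposal, else None."""
    for pol in policies:
        if all(pol.get(k) == proposal.get(k) for k in MATCH_ATTRS):
            return pol["priority"]
    return None


def mismatches(policies: List[Dict[str, Any]], proposal: Dict[str, str]) -> Dict[int, List[str]]:
    """For every policy, the attributes that differ from the proposal (empty list = match)."""
    return {
        pol["priority"]: [k for k in MATCH_ATTRS if pol.get(k) != proposal.get(k)]
        for pol in policies
    }


def parse_group_mismatch(syslog_line: str) -> Optional[Tuple[int, int]]:
    """Extract (received_group, configured_group) from an %ASA-5-713257 line."""
    m = re.search(r"Rcv'd: Group (\d+) Cfg'd: Group (\d+)", syslog_line)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for name, prop in PROPOSALS.items():
        hit = find_matching_policy(pols, prop)
        print(f"{name}: matches policy {hit}" if hit else f"{name}: no policy matches")
        for prio, diff in mismatches(pols, prop).items():
            print(f"  policy {prio}: differs in {diff or 'nothing'}")
    print("713257 groups (rcvd, cfgd):", parse_group_mismatch(SAMPLE_SYSLOG))
```

Run against the full policy list from the post, the `mismatches` output shows at a glance which single attribute keeps each policy from matching; extra policies that never match are harmless to negotiation but widen the accepted set, so trimming them to the ones you actually intend to offer is a reasonable hardening step.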


Really? The config you posted had it there:

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 184.71.241.62 
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 86400

--

Please remember to select a correct answer and rate helpful posts


What I actually did was: yesterday I changed the subnets inside the object network on the Cisco ASA.

Today I deleted the ACL and old network objects and added the new one.

I also added the ACL and NAT again.

It seems the issue was that when you change the contents of the object group it is good to remove the ACL and re-add it, and I was not doing this yesterday.

You are right, that config was there.

Learned something new today.

Regards

Mahesh

On Palo Alto

1. tail follow yes mp-log ikemgr.log

2. Go to Monitor > System > 
In the search field, type "( subtype eq vpn )" to filter the logs.

3. Initiate the tunnel.

4. Check the output of 1st and 2nd.


On ASA:
1.
debug crypto condition peer x.x.x.x (ip of remote peer)
debug crypto isakmp 200
debug crypto ipsec 200


Here is a document you can refer to in order to verify the VPN tunnel on both firewalls:
https://live.paloaltonetworks.com/docs/DOC-3464

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

PA

tail follow yes mp-log ikemgr.log
2016-02-27 18:43:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:0000000000000000 <====
2016-02-27 18:43:20 [INFO]: received Vendor ID: FRAGMENTATION
2016-02-27 18:43:20 [INFO]: received Vendor ID: CISCO-UNITY
2016-02-27 18:43:20 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-02-27 18:43:20 [INFO]: received Vendor ID: DPD
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf lifetime 86400 Sec <====
2016-02-27 18:43:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====

I have added the log info from the PA.

Will do the same for Cisco

Regards

Mahesh
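
Step 4 of the procedure above ("check the output") is easier when the ikemgr.log lines are reduced to a per-SA timeline rather than read by eye. The script below is an added example (not code from the thread or from Palo Alto Networks): it reads the kind of output `tail follow yes mp-log ikemgr.log` produces, in the format posted above (the sample re-uses lines from that post as constructed input), pairs each timestamped header with the `====> ... SA:` detail line that follows it, groups events by initiator cookie so the `Initiated` record (responder cookie all zeros) joins its `Established` record, and compares the lifetime each SA announced with how long it actually lived. DPD `R-U-THERE` notifications are not SA events and are skipped.

```python
"""Phase 1 SA timeline from PAN-OS ikemgr.log lines.

Added example, not code from the thread or from Palo Alto Networks.  The
sample log is constructed from lines posted in the thread.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2016-02-27 18:43:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:0000000000000000 <====
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf lifetime 86400 Sec <====
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
"""

# A header line starts with the timestamp and the bracketed log level.
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\w+\]: ")
# The detail line that follows names the action, the peers, the cookie pair
# and (for Established only) the negotiated lifetime.
DETAIL_RE = re.compile(
    r"====> (Initiated|Established|Expired|Deleted) SA: (\S+)-(\S+) "
    r"cookie:([0-9a-f]+):([0-9a-f]+)(?: lifetime (\d+) Sec)? <===="
)


def parse_events(text: str) -> List[Dict]:
    """Pair each '====> <Action> SA:' line with the timestamp of the header before it."""
    events: List[Dict] = []
    last_ts = None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            last_ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            continue  # the header carries the time; the detail line comes next
        d = DETAIL_RE.search(line)
        if d and last_ts is not None:
            events.append({
                "time": last_ts,
                "action": d.group(1).lower(),
                "local": d.group(2),
                "remote": d.group(3),
                "icookie": d.group(4),
                "rcookie": d.group(5),
                "lifetime": int(d.group(6)) if d.group(6) else None,
            })
    return events


def sa_timeline(events: List[Dict]) -> Dict[str, Dict]:
    """Group events by initiator cookie, so 'Initiated' (rcookie all zeros) joins 'Established'."""
    sas: Dict[str, Dict] = {}
    for ev in events:
        sa = sas.setdefault(ev["icookie"], {"remote": ev["remote"]})
        sa[ev["action"]] = ev["time"]
        if ev["lifetime"] is not None:
            sa["lifetime"] = ev["lifetime"]
    return sas


def early_expiries(sas: Dict[str, Dict], fraction: float = 0.9) -> List[Tuple[str, float, int]]:
    """SAs whose observed life was below `fraction` of the lifetime they announced."""
    flagged = []
    for cookie, sa in sas.items():
        if "established" in sa and "expired" in sa and "lifetime" in sa:
            lived = (sa["expired"] - sa["established"]).total_seconds()
            if lived < fraction * sa["lifetime"]:
                flagged.append((cookie, lived, sa["lifetime"]))
    return flagged


if __name__ == "__main__":
    sas = sa_timeline(parse_events(SAMPLE_LOG))
    for cookie, sa in sas.items():
        shown = {k: (v.strftime("%H:%M:%S") if isinstance(v, datetime) else v) for k, v in sa.items()}
        print(cookie, shown)
    for cookie, lived, lifetime in early_expiries(sas):
        print(f"{cookie}: lived {lived:.0f}s of an announced {lifetime}s lifetime")
```

On the posted log this flags the SA with initiator cookie `c71da722ac08d724`, which announced an 86400 s lifetime but was expired 61 s after being established. The script only measures the gap; it says nothing about why the SA went away, which is what the ASA-side debugs in the procedure above are for. An SA that only ever shows `Expired`/`Deleted` (its `Established` line predates the capture) is kept in the timeline but not flagged.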

Log from Cisco


Feb 27 2016 19:02:49: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 184.71.241.62
Feb 27 2016 19:02:49: %ASA-5-713119: Group = 184.71.241.62, IP = 184.71.241.62, PHASE 1 COMPLETED

Debug output

Feb 27 2016 19:24:46: %ASA-7-715036: Group = 184.71.241.62, IP = 184.71.241.62, Sending keep-alive of type DPD R-U-THERE (seq number 0x21a80545)
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing blank hash payload
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing qm hash payload
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE SENDING Message (msgid=37a2d4fd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE RECEIVED Message (msgid=123be3c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing hash payload
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing notify payload
Feb 27 2016 19:24:46: %ASA-7-715075: Group = 184.71.241.62, IP = 184.71.241.62, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x21a80545)

As stated by my peer Marius, "QM FSM error" pertains to a Phase 2 attribute mismatch,
so please confirm they are matching on both sides.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/