02-27-2016 10:07 AM - edited 03-12-2019 12:24 AM
Hi Everyone,
Cisco ASA phase 1 failing
Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 27 2016 10:56:43: %ASA-3-713048: IP = 184.71.x.x, Error processing payload: Payload ID: 1
Feb 27 2016 10:56:45: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
I am only using ikev1 policy 10, but the system shows so many policies:
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash md5
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
Should I delete all other crypto ikev1 policies except 10?
Regards
Mahesh
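The question above is whether the extra policies are what breaks Phase 1. They are not: in IKEv1 Main Mode the responder walks its policies in priority order and accepts the peer's proposal only when one policy agrees on every negotiable attribute (authentication, encryption, hash, DH group); the %ASA-5-713257 line is the ASA reporting, for one of those policies, that the peer offered group 5 where the policy has group 2. The script below is an added illustration, not code from the thread or from Cisco: it parses a constructed excerpt of the posted policy list, parses the syslog line, checks which policies could accept an assumed peer proposal (pre-share, aes-256, sha, group 5; only the group-5 part is visible in the thread), and also flags policies that would accept deprecated algorithms or groups, which is the real reason to prune that list.

```python
import re

# Constructed excerpt in the layout of the ASA config posted in the thread
# (three of the fifteen policies; values as shown in the post).
ASA_CONFIG = """
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Syslog line quoted in the thread.
SYSLOG_LINE = ("Feb 27 2016 10:56:43: %ASA-5-713257: Phase 1 failure: "
               "Mismatched attribute types for class Group Description: "
               "Rcv'd: Group 5 Cfg'd: Group 2")

# Assumed peer proposal: the thread shows only that the peer offers group 5;
# the other three values are assumptions for the example.
PEER_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                 "hash": "sha", "group": "5"}

ATTRS = ("authentication", "encryption", "hash", "group")
# Algorithms and DH groups a defender would no longer want a policy to accept.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line:
            key, _, value = line.partition(" ")
            policies[current][key] = value
    return policies


def parse_mismatch(line):
    """Extract (attribute class, received value, configured value) from a 713257 message."""
    m = re.search(r"class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$", line)
    return (m["cls"], m["rcvd"], m["cfgd"]) if m else None


def matching_policies(policies, proposal):
    """Priorities (lowest first, the order the ASA evaluates them) whose four
    negotiable attributes all equal the peer's proposal. Lifetime is not
    compared: the responder uses the shorter of the two values."""
    return sorted(p for p, attrs in policies.items()
                  if all(attrs.get(k) == proposal[k] for k in ATTRS))


def weak_policies(policies):
    """Priorities that would accept a deprecated cipher, hash or DH group."""
    return sorted(p for p, attrs in policies.items()
                  if any(attrs.get(k) in bad for k, bad in WEAK.items()))


def diagnose(config, proposal):
    """One-line verdict: does any configured policy accept this proposal?"""
    hits = matching_policies(parse_ikev1_policies(config), proposal)
    if hits:
        return f"Phase 1 can succeed: policy {hits[0]} matches the peer proposal."
    wanted = " ".join(f"{k} {proposal[k]}" for k in ATTRS)
    return (f"No policy matches; Phase 1 fails. Add a policy with '{wanted}'; "
            "deleting the other policies cannot fix the mismatch.")


if __name__ == "__main__":
    print(parse_mismatch(SYSLOG_LINE))
    print(diagnose(ASA_CONFIG, PEER_PROPOSAL))
    print("policies accepting weak settings:",
          weak_policies(parse_ikev1_policies(ASA_CONFIG)))
```

Appending a policy that carries all four of the peer's attributes makes `diagnose` report success, while the other entries still sit in the list; that is the point for the original question. The `weak_policies` output is the separate, worthwhile cleanup: each listed policy is an offer the ASA would still accept from any peer.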
02-28-2016 12:49 PM
Really? The config you posted had it there:
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group5
crypto map CRYPTO-MAP 1 set peer 184.71.241.62
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 86400
--
Please remember to select a correct answer and rate helpful posts
02-28-2016 01:08 PM
What I actually did was: yesterday I changed the subnets inside the object network on the Cisco ASA.
Today I deleted the ACL and the old network objects and added the new ones.
I also added the ACL and NAT again.
It seems the issue was that when you change the contents of the object group, it is good to remove the ACL and re-add it, and I was not doing this yesterday.
You are right that config was there.
Learned something new today.
Regards
Mahesh
02-27-2016 05:37 PM
On Palo Alto
1. tail
2. Go to Monitor > System >
In the search
3. Initiate the tunnel.
4. Check the output of 1st and 2nd.
On ASA:
1.
debug crypto condition peer x.x.x.x (ip of
debug crypto isakmp 200
debug crypto ipsec 200
Here is a document you can refer to in order to verify the VPN tunnel on both firewalls:
https://live.paloaltonetworks.com/docs/DOC-3464
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
02-27-2016 05:53 PM
PA
tail follow yes mp-log ikemgr.log
2016-02-27 18:43:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:0000000000000000 <====
2016-02-27 18:43:20 [INFO]: received Vendor ID: FRAGMENTATION
2016-02-27 18:43:20 [INFO]: received Vendor ID: CISCO-UNITY
2016-02-27 18:43:20 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2016-02-27 18:43:20 [INFO]: received Vendor ID: DPD
2016-02-27 18:43:20 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf lifetime 86400 Sec <====
2016-02-27 18:43:26 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:36 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:46 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:43:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:06 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:16 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=a6c6be46186bbf71 31d44e89ea836da2 (size=16).
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:20 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:a6c6be46186bbf71:31d44e89ea836da2 <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
2016-02-27 18:44:21 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 184.71.241.62[500]-68.145.154.173[500] cookie:c71da722ac08d724:68407da551bafecf <====
I have added the log info from the PA.
Will do the same for Cisco.
Regards
Mahesh
02-27-2016 06:26 PM
Log from Cisco
Feb 27 2016 19:02:49: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 184.71.241.62
Feb 27 2016 19:02:49: %ASA-5-713119: Group = 184.71.241.62, IP = 184.71.241.62, PHASE 1 COMPLETED
Debug output
Feb 27 2016 19:24:46: %ASA-7-715036: Group = 184.71.241.62, IP = 184.71.241.62, Sending keep-alive of type DPD R-U-THERE (seq number 0x21a80545)
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing blank hash payload
Feb 27 2016 19:24:46: %ASA-7-715046: Group = 184.71.241.62, IP = 184.71.241.62, constructing qm hash payload
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE SENDING Message (msgid=37a2d4fd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-713236: IP = 184.71.241.62, IKE_DECODE RECEIVED Message (msgid=123be3c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing hash payload
Feb 27 2016 19:24:46: %ASA-7-715047: Group = 184.71.241.62, IP = 184.71.241.62, processing notify payload
Feb 27 2016 19:24:46: %ASA-7-715075: Group = 184.71.241.62, IP = 184.71.241.62, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x21a80545)
02-27-2016 05:15 PM
As stated by my peer Marius, "QM FSM error" pertains to a Phase 2 attribute mismatch, so please confirm they are matching on both sides.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.