06-30-2011 02:22 PM - edited 03-11-2019 01:53 PM
Hello,
I am trying to establish a tunnel with a NetGear VPN appliance, and am receiving the error: Unknown identification type, Phase 2, Type 7.
Here is the config specific to the tunnel:
name 10.200.139.192 CNN description CNN Internal Network
name 10.10.0.0 CNN_RemoteLocalNet description CNN Internal Remote Network
access-list CNN_Tunnel extended permit ip CNN 255.255.255.192 CNN_RemoteLocalNet 255.255.255.0
crypto isakmp identity address
crypto map outside_map 181 match address CNN_Tunnel
crypto map outside_map 181 set peer x.x.x.x
crypto map outside_map 181 set transform-set ESP-3DES-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key ****
Here is the debug (I blanked out the remote IP):
Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 160
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Oakley proposal is acceptable
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal RFC VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received DPD VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing IKE SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715028: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ISAKMP SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 248
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ke payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing nonce payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ke payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing nonce payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Cisco Unity VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing xauth V6 VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send IOS VID
Jun 30 14:09:53 10.200.3.10 %ASA-7-715038: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder...
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Jun 30 14:09:53 10.200.3.10 %ASA-6-713172: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 30 14:09:53 10.200.3.10 %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Jun 30 14:09:53 10.200.3.10 %ASA-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD
Jun 30 14:09:53 10.200.3.10 %ASA-7-715080: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 21600 seconds.
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=c4230ffe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66
Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9f8b4c66) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing SA payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing nonce payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ke payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713035: Group = x.x.x.x, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 10.10.0.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7
Jun 30 14:09:54 10.200.3.10 %ASA-3-713048: Group = x.x.x.x, IP = x.x.x.x, Error processing payload: Payload ID: 5
Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xbb855580, mess id 0x9f8b4c66)!
Jun 30 14:09:54 10.200.3.10 %ASA-7-715065: Group = x.x.x.x, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xbb855580) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b terminating: flags 0x01010002, refcnt 0, tuncnt 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=2855955e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 30 14:09:54 10.200.3.10 %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Jun 30 14:10:04 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
Jun 30 14:10:14 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
Jun 30 14:10:25 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
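An added example, not part of the original post: a small parser that walks the ASA IKE debug output, tracks each Quick Mode exchange, and names the rejected Phase 2 ID type using the IPsec DOI table in RFC 2407 (section 4.6.2.1). The sample lines are copied from the debug output above; the function and variable names are assumptions made for this illustration.

```python
import re

# ID type numbers from the IPsec DOI (RFC 2407, section 4.6.2.1).
ISAKMP_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# Four lines copied from the debug output in the post (one Phase 1, three Phase 2).
SAMPLE_LOG = """\
Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66
Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0
Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
QM_START_RE = re.compile(r"IKE Responder starting QM: msg id = (?P<qm>[0-9a-f]+)")
ID_OK_RE = re.compile(r"(?P<name>ID_\w+) ID received")
ID_BAD_RE = re.compile(r"Unknown identification type, Phase \d, Type (?P<type>\d+)")

def analyze_quick_mode(log_text):
    """Return one dict per Quick Mode exchange: accepted ID names and the rejected ID."""
    exchanges, current = [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # continuation line or non-ASA text
        text = m.group("text")
        if (qm := QM_START_RE.search(text)):
            current = {"msg_id": qm.group("qm"), "accepted_ids": [], "rejected": None}
            exchanges.append(current)
        elif current is None:
            continue  # still in Phase 1, ID payloads there are peer identities
        elif m.group("msgid") == "714011" and (ok := ID_OK_RE.search(text)):
            current["accepted_ids"].append(ok.group("name"))
        elif m.group("msgid") == "713016" and (bad := ID_BAD_RE.search(text)):
            t = int(bad.group("type"))
            current["rejected"] = (t, ISAKMP_ID_TYPES.get(t, "unassigned"))
    return exchanges

if __name__ == "__main__":
    for ex in analyze_quick_mode(SAMPLE_LOG):
        print(ex)
```

For this log the first Phase 2 ID payload is accepted as a subnet (type 4) and the second is the one rejected; type 7 in RFC 2407 is an IPv4 address range, so the peer's traffic selector format for that network is the setting to compare against the ASA's subnet-based access-list.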
07-04-2011 02:32 AM
You only mention that you have a NetGear device? Do you have a Cisco device in the configuration?
THANKS
Rick Roe
Cisco Small Business Support Center
07-07-2011 09:43 AM
Yes, I have a Cisco ASA5540, trying to connect to a Netgear SRX5308 on the other side of the tunnel.