
L2L VPN: Unknown identification type, Phase 2, Type 7

dhawkes
Level 1

Hello,

I am trying to establish a tunnel with a NetGear VPN appliance, and am receiving the error: Unknown identification type, Phase 2, Type 7.

Here is the config specific to the tunnel:

name 10.200.139.192 CNN description CNN Internal Network
name 10.10.0.0 CNN_RemoteLocalNet description CNN Internal Remote Network
access-list CNN_Tunnel extended permit ip CNN 255.255.255.192 CNN_RemoteLocalNet 255.255.255.0
crypto isakmp identity address
crypto map outside_map 181 match address CNN_Tunnel
crypto map outside_map 181 set peer x.x.x.x
crypto map outside_map 181 set transform-set ESP-3DES-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key ****

Here is the debug (I blanked out the remote IP):

Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 160

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Oakley proposal is acceptable

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal RFC VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received DPD VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing IKE SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715028: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ISAKMP SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 248

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ke payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing nonce payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ke payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing nonce payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Cisco Unity VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing xauth V6 VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send IOS VID

Jun 30 14:09:53 10.200.3.10 %ASA-7-715038: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder...

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received

x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Jun 30 14:09:53 10.200.3.10 %ASA-6-713172: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Jun 30 14:09:53 10.200.3.10 %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

Jun 30 14:09:53 10.200.3.10 %ASA-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD

Jun 30 14:09:53 10.200.3.10 %ASA-7-715080: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 21600 seconds.

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=c4230ffe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66

Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9f8b4c66) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing SA payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing nonce payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ke payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713035: Group = x.x.x.x, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.10.0.0, Mask 255.255.255.0, Protocol 0, Port 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7

Jun 30 14:09:54 10.200.3.10 %ASA-3-713048: Group = x.x.x.x, IP = x.x.x.x, Error processing payload: Payload ID: 5

Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xbb855580, mess id 0x9f8b4c66)!

Jun 30 14:09:54 10.200.3.10 %ASA-7-715065: Group = x.x.x.x, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xbb855580)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b terminating:  flags 0x01010002, refcnt 0, tuncnt 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=2855955e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 30 14:09:54 10.200.3.10 %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

Jun 30 14:10:04 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Jun 30 14:10:14 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Jun 30 14:10:25 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
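
Added example, not part of the original post: a small triage script for this kind of debug output. It pairs each Quick Mode exchange with the ID payloads logged for it and names a rejected type number using the IPsec DOI ID-type table (RFC 2407), where type 7 is ID_IPV4_ADDR_RANGE. The function name, the role labels (taken from the IDci/IDcr order in RFC 2409 Quick Mode) and the selection of sample lines are this example's own; the log lines themselves are copied from the debug above.

```python
import re

# Identification types from the IPsec DOI for ISAKMP (RFC 2407).
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}
QM_START = re.compile(r"%ASA-7-714003: .*starting QM: msg id = (\w+)")
ID_OK = re.compile(r"%ASA-7-714011: .*?(ID_\w+) ID received")
ID_BAD = re.compile(r"%ASA-3-713016: .*Unknown identification type, Phase 2, Type (\d+)")
# Quick Mode carries the initiator's selector first, then the responder's.
ROLES = ("IDci (initiator side)", "IDcr (responder side)")

# Sample input: lines copied from the debug output in the post.
SAMPLE = """\
Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66
Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0
Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7
Jun 30 14:09:54 10.200.3.10 %ASA-3-713048: Group = x.x.x.x, IP = x.x.x.x, Error processing payload: Payload ID: 5
"""

def triage(log_text):
    """Return one dict per Quick Mode exchange with its ID payloads in order."""
    exchanges = []
    for line in log_text.splitlines():
        if m := QM_START.search(line):
            exchanges.append({"msgid": m.group(1), "ids": []})
        elif exchanges:  # IDs logged before any QM start belong to Phase 1
            ok, bad = ID_OK.search(line), ID_BAD.search(line)
            if not (ok or bad):
                continue
            ids = exchanges[-1]["ids"]
            num = int(bad.group(1)) if bad else None
            name = ok.group(1) if ok else ID_TYPES.get(num, f"unassigned({num})")
            role = ROLES[len(ids)] if len(ids) < 2 else "extra"
            ids.append({"role": role, "name": name, "accepted": bool(ok)})
    return exchanges

if __name__ == "__main__":
    for ex in triage(SAMPLE):
        for entry in ex["ids"]:
            verdict = "accepted" if entry["accepted"] else "REJECTED"
            print(ex["msgid"], entry["role"], entry["name"], verdict)
```

On the lines above it reports the first ID (the 10.10.0.0/255.255.255.0 subnet) as accepted and the second ID as a rejected ID_IPV4_ADDR_RANGE, meaning that selector arrived as a start-end address range rather than as a network and mask.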


riroe
Level 3

You only mention that you have a NetGear device?  Do you have a Cisco device in the configuration?

THANKS

Rick Roe

Cisco Small Business Support Center

Yes, I have a Cisco ASA5540, trying to connect to a Netgear SRX5308 on the other side of the tunnel.
