Phase 2 Mismatch Error

chris.bias
Level 1

Getting this error on a production site-to-site VPN when it comes with a Phase 2 mismatch (see attached config):

 

%ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)] 
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)] 
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]

A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information are provided for the IP addresses if a match is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
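The post above shows the documentation template for 106023 rather than an actual log line. As an added example (not code from the thread or from Cisco), the following Python parses 106023 lines in the shape the ASA actually emits, including the optional identity/FQDN field and the ICMP type/code field the documentation describes, and then applies the documented "Recommended Action": it reports sources whose denies persist and spread across several destination ports, the footprint of a port scan. The sample syslog lines, interface and ACL names, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of an ASA 106023 line as actually logged (the post shows the documentation
# template instead). Optional parts: the "(user, sg)" identity/FQDN field after either
# address, the "/port" suffix (absent for ICMP) and the ICMP "(type N, code N)" field.
# The trailing "[0x..., 0x...]" hash pair is ignored.
_DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\S+)"
    r" src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))?"
    r"(?: \((?!type )[^)]*\))?"            # optional identity/FQDN info for src
    r" dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \((?!type )[^)]*\))?"            # optional identity/FQDN info for dst
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r' by access-group "?(?P<acl>[^"\s]+)"?'
)


def parse_denies(lines):
    """Return one dict per parseable 106023 line; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = _DENY_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
            if ev[key] is not None:
                ev[key] = int(ev[key])
        events.append(ev)
    return events


def suspicious_sources(events, min_hits=3, min_distinct_ports=3):
    """Documented "Recommended Action" as a check: sources whose denies persist
    (>= min_hits) and touch several destination ports look like a port scan or
    footprinting attempt. Returns {src_ip: sorted distinct dst ports}."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for ev in events:
        hits[ev["src_ip"]] += 1
        if ev["dst_port"] is not None:
            ports[ev["src_ip"]].add(ev["dst_port"])
    return {
        ip: sorted(ports[ip])
        for ip in hits
        if hits[ip] >= min_hits and len(ports[ip]) >= min_distinct_ports
    }


# Constructed sample syslog lines (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
Jan 10 2023 14:03:11: %ASA-4-106023: Deny tcp src outside:198.51.100.23/51234 dst inside:10.1.1.20/22 by access-group "outside_access_in" [0x8ed66b60, 0xf8852875]
Jan 10 2023 14:03:11: %ASA-4-106023: Deny tcp src outside:198.51.100.23/51235 dst inside:10.1.1.20/23 by access-group "outside_access_in" [0x8ed66b60, 0xf8852875]
Jan 10 2023 14:03:12: %ASA-4-106023: Deny tcp src outside:198.51.100.23/51236 dst inside:10.1.1.20/445 by access-group "outside_access_in" [0x8ed66b60, 0xf8852875]
Jan 10 2023 14:03:12: %ASA-4-106023: Deny tcp src outside:198.51.100.23/51237 dst inside:10.1.1.20/3389 by access-group "outside_access_in" [0x8ed66b60, 0xf8852875]
Jan 10 2023 14:05:40: %ASA-4-106023: Deny icmp src outside:203.0.113.7 dst inside:10.1.1.20 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
Jan 10 2023 14:05:41: %ASA-4-106023: Deny tcp src inside:10.1.1.50/40000 (CORP\\jdoe, 0) dst outside:203.0.113.7/443 by access-group "inside_access_in" [0x1a2b3c4d, 0x5e6f7a8b]
Jan 10 2023 14:05:42: %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.50/40001 (10.1.1.50/40001)
"""

if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} deny events parsed")
    for ip, p in suspicious_sources(evs).items():
        print(f"persistent denies from {ip}: distinct dst ports {p}")
```

Because 106023 carries real (pre-NAT) addresses, the source reported here is the one to hand to the remote administrator, as the documentation suggests; the thresholds are a starting point and should be tuned to the interface's normal deny volume.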

10 Replies

balaji.bandi
Hall of Fame

Post the real log message; we are aware of this ASA log 106023 and its explanation.

 

Tell us what ASA device model and what code are running here, and what is on the other side of the device:

 

There is also a given recommendation; have you taken any action?

 

Recommended Action If messages persist from the same source address, footprinting or port scanning attempt might be occurring. Contact the remote host administrator.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Please see the log that is attached. The IP address in question is 69.167.161.53, so you have to search the Word document for it. The device is an ASA 5506 PowerSeries.

@balaji.bandi were you able to look at the config and prior message?

Is this a question about the VPN not being established or the ACL deny log?

 

The VPN is not being established because there is a mismatch in the crypto ACL (most likely).

 

--
Please remember to select a correct answer and rate helpful posts

@Marius Gunnerud Correct, the VPN lost its connection during phase 2, as phase 1 connects. Would my configuring a RAVPN have anything to do with this? I was told it wouldn't, as all other site-to-site VPNs are working.

@balaji.bandi and @Marius Gunnerud any thoughts on this?

No. RAVPN and S2S VPN can co-exist on the same device, and configuring one does not affect the other (unless you have inadvertently changed the S2S VPN configuration during RAVPN configuration).

 

As I mentioned in my last post, check that your crypto domain (crypto ACL) is correct on both sides of the VPN tunnel.

--
Please remember to select a correct answer and rate helpful posts
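The check Marius describes, comparing the crypto domain on both ends, is mechanical enough to script. As an added example (not code from the thread, and not Cisco tooling), the following Python parses the crypto ACL out of each peer's ASA-style configuration and reports every proxy ID that is not mirrored exactly on the other side, which is what a Phase 2 (IPsec SA) mismatch comes down to. The ACL names, subnets and the vendor-side configuration are constructed for illustration; object-group based ACEs are not expanded and would need flattening first.

```python
import ipaddress
import re

# Subset of ASA crypto ACL syntax handled here: "access-list NAME extended permit ip SRC DST"
# where SRC and DST are "any", "host A.B.C.D" or "A.B.C.D M.M.M.M" (dotted netmask, the ASA
# convention). Object-groups are not expanded; flatten them first (e.g. "show access-list").
_ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def _to_network(token):
    """Turn an ACE address token into an ip_network."""
    parts = token.split()
    if parts == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_net, dst_net) proxy identities carried by one crypto ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = _ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            pairs.add((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Phase 2 proxy IDs must be exact mirror images: every (src, dst) on one side needs
    a (dst, src) entry on the other. Returns (missing_on_remote, unexpected_on_remote);
    both empty means the crypto domains agree. A narrower or wider subnet on one side
    (a /24 against a /16) is deliberately reported as a mismatch, not as "close enough"."""
    expected = {(dst, src) for (src, dst) in local_pairs}
    missing = sorted(expected - remote_pairs, key=str)
    unexpected = sorted(remote_pairs - expected, key=str)
    return missing, unexpected


# Constructed configs for both peers (illustrative ACL names and subnets, not from the thread).
LOCAL_ASA = """\
access-list VPN_TO_VENDOR extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN_TO_VENDOR extended permit ip 10.1.0.0 255.255.0.0 192.168.60.0 255.255.255.0
access-list outside_access_in extended permit ip any any
crypto map outside_map 10 match address VPN_TO_VENDOR
"""

# The vendor side mirrors the first entry but uses a /24 instead of a /16 in the second.
VENDOR_SIDE = """\
access-list VPN_TO_CUSTOMER extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN_TO_CUSTOMER extended permit ip 192.168.60.0 255.255.255.0 10.1.0.0 255.255.255.0
"""


def check_vendor_tunnel():
    local = parse_crypto_acl(LOCAL_ASA, "VPN_TO_VENDOR")
    remote = parse_crypto_acl(VENDOR_SIDE, "VPN_TO_CUSTOMER")
    return mirror_mismatches(local, remote)


if __name__ == "__main__":
    missing, unexpected = check_vendor_tunnel()
    for src, dst in missing:
        print(f"remote side lacks proxy ID {src} -> {dst}")
    for src, dst in unexpected:
        print(f"remote side has unmatched proxy ID {src} -> {dst}")
    if not missing and not unexpected:
        print("crypto ACLs mirror each other")
```

When the other end is not an ASA, obtain its traffic selectors in whatever form its vendor exposes them and transcribe them into the same "src mask dst mask" lines; the comparison is the same.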

@Marius Gunnerud and @balaji.bandi even if I used a different port for the RAVPN?

 

As already pointed out, there is no matching entry in the crypto map, and that is why it is not coming up.

 

Check your crypto map ACL.

 

Jon

Issue was on the vendor's side; issue was corrected.
