Who Me Too'd this topic

ASA 8.2 ipsec ike phase2 failure

3moloz123
Level 1

I used the wizard for remote access VPN, IPsec, on an ASA 5510 Security Plus running OS version 8.2.

Group: adminsbbs

User: adminuser

While connecting using the client, it says "Securing communications...", then it blinks and it's disconnected. Hoping that the following debug output will help you help me, so I don't have to grab the config.

What seems to be the cause of the IKE phase 2 failure?

From the ASA device:

asa01# Dec 29 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Dec 29 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs

Dec 29 18:54:16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1

Dec 29 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, User (adminuser) authenticated.

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received unsupported transaction mode attribute: 5

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Client Type: Mac OS X  Client Application Version: 4.9.01 (0100)

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Assigned private IP address 172.16.20.1 to remote user

Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED

Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD

Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Starting P1 rekey timer: 82080 seconds.

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received remote Proxy Host data in ID Payload:  Address 172.16.20.1, Protocol 0, Port 0

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM IsRekeyed old sa not found by addr

Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map

Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, processing IPSec SA payload

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM FSM error (P2 struct &0xcca2f140, mess id 0x374db953)!

Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE QM Responder FSM error history (struct &0xcca2f140)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Removing peer from correlator table failed, no match!

Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2 Mismatch

Dec 29 18:54:26 [IKEv1]: Ignoring msg to mark SA with dsID 102400 dead because SA deleted

Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Received encrypted packet with no matching SA, dropping

From the client log:

Cisco Systems VPN Client Version 4.9.01 (0100)

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Mac OS X

Running on: Darwin 10.5.0 Darwin Kernel Version 10.5.0: Fri Nov  5 23:20:39 PDT 2010; root:xnu-1504.9.17~1/RELEASE_I386 i386

365    19:09:13.384  12/29/2010  Sev=Info/4 CM/0x43100002

Begin connection process

366    19:09:13.385  12/29/2010  Sev=Warning/2 CVPND/0x83400011

Error -28 sending packet. Dst Addr: 0xAC10D5FF, Src Addr: 0xAC10D501 (DRVIFACE:1158).

367    19:09:13.385  12/29/2010  Sev=Warning/2 CVPND/0x83400011

Error -28 sending packet. Dst Addr: 0xAC107FFF, Src Addr: 0xAC107F01 (DRVIFACE:1158).

368    19:09:13.385  12/29/2010  Sev=Info/4 CM/0x43100004

Establish secure connection using Ethernet

369    19:09:13.385  12/29/2010  Sev=Info/4 CM/0x43100024

Attempt connection with server "1.2.0.14"

370    19:09:13.385  12/29/2010  Sev=Info/4 CVPND/0x43400019

Privilege Separation: binding to port: (500).

371    19:09:13.387  12/29/2010  Sev=Info/4 CVPND/0x43400019

Privilege Separation: binding to port: (4500).

372    19:09:13.387  12/29/2010  Sev=Info/6 IKE/0x4300003B

Attempting to establish a connection with 1.2.0.14.

373    19:09:13.471  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.0.14

374    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

375    19:09:13.538  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 1.2.0.14

376    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x43000001

Peer is a Cisco-Unity compliant peer

377    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x43000001

Peer supports XAUTH

378    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001

Peer supports DPD

379    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001

Peer supports NAT-T

380    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001

Peer supports IKE fragmentation payloads

381    19:09:13.622  12/29/2010  Sev=Info/6 IKE/0x43000001

IOS Vendor ID Contruction successful

382    19:09:13.622  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.0.14

383    19:09:13.623  12/29/2010  Sev=Info/6 IKE/0x43000055

Sent a keepalive on the IPSec SA

384    19:09:13.623  12/29/2010  Sev=Info/4 IKE/0x43000083

IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

385    19:09:13.623  12/29/2010  Sev=Info/5 IKE/0x43000072

Automatic NAT Detection Status:

   Remote end is NOT behind a NAT device

   This   end IS behind a NAT device

386    19:09:13.623  12/29/2010  Sev=Info/4 CM/0x4310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

387    19:09:13.639  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

388    19:09:13.639  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14

389    19:09:13.639  12/29/2010  Sev=Info/4 CM/0x43100015

Launch xAuth application

390    19:09:13.825  12/29/2010  Sev=Info/4 IPSEC/0x43700008

IPSec driver successfully started

391    19:09:13.825  12/29/2010  Sev=Info/4 IPSEC/0x43700014

Deleted all keys

392    19:09:16.465  12/29/2010  Sev=Info/4 CM/0x43100017

xAuth application returned

393    19:09:16.465  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14

394    19:09:16.480  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

395    19:09:16.480  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14

396    19:09:16.481  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14

397    19:09:16.481  12/29/2010  Sev=Info/4 CM/0x4310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

398    19:09:16.482  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14

399    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

400    19:09:16.498  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14

401    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.20.1

402    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

403    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 1.2.2.2

404    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 1.2.2.22

405    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

406    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003

407    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F

SPLIT_NET #1

subnet = 10.10.10.0

mask = 255.255.255.0

protocol = 0

src port = 0

dest port=0

408    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F

SPLIT_NET #2

subnet = 1.2.31.0

mask = 255.255.255.0

protocol = 0

src port = 0

dest port=0

409    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F

SPLIT_NET #3

subnet = 1.2.8.0

mask = 255.255.255.0

protocol = 0

src port = 0

dest port=0

410    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

411    19:09:16.499  12/29/2010  Sev=Info/5 IKE/0x4300000E

MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(2) built by builders on Mon 11-Jan-10 14:19

412    19:09:16.499  12/29/2010  Sev=Info/5 IKE/0x4300000D

MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

413    19:09:16.499  12/29/2010  Sev=Info/4 CM/0x43100019

Mode Config data received

414    19:09:16.500  12/29/2010  Sev=Info/4 IKE/0x43000056

Received a key request from Driver: Local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0

415    19:09:16.500  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 1.2.0.14

416    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

417    19:09:16.517  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.0.14

418    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x43000045

RESPONDER-LIFETIME notify has value of 86400 seconds

419    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x43000047

This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now

420    19:09:16.518  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

421    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14

422    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14

423    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000049

Discarding IPsec SA negotiation, MsgID=FCB95275

424    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000017

Marking IKE SA for deletion  (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED

425    19:09:16.520  12/29/2010  Sev=Info/5 IKE/0x4300002F

Received ISAKMP packet: peer = 1.2.0.14

426    19:09:16.520  12/29/2010  Sev=Info/4 IKE/0x43000058

Received an ISAKMP message for a non-active SA, I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148

427    19:09:16.520  12/29/2010  Sev=Info/4 IKE/0x43000014

RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.2.0.14

428    19:09:17.217  12/29/2010  Sev=Info/4 IPSEC/0x43700014

Deleted all keys

429    19:09:19.719  12/29/2010  Sev=Info/4 IKE/0x4300004B

Discarding IKE SA negotiation (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED

430    19:09:19.719  12/29/2010  Sev=Info/4 CM/0x43100012

Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

431    19:09:19.719  12/29/2010  Sev=Info/5 CM/0x43100025

Initializing CVPNDrv

432    19:09:19.719  12/29/2010  Sev=Info/4 CVPND/0x4340001F

Privilege Separation: restoring MTU on primary interface.

433    19:09:19.719  12/29/2010  Sev=Info/4 IKE/0x43000001

IKE received signal to terminate VPN connection

434    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014

Deleted all keys

435    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014

Deleted all keys

436    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014

Deleted all keys

437    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x4370000A

IPSec driver successfully stopped
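Added example, not the poster's code: a small Python triage helper that reduces ASA IKEv1 debug output like the capture above to the fact that explains the disconnect, namely the Encapsulation Mode class on which the client's proposal (UDP Tunnel, NAT-T) does not match what the ASA's transform set is configured for (UDP Transport). The sample input is constructed from lines in the post, and the regexes assume the 8.2 message wording shown there.

```python
import re

# Constructed sample in the format of the ASA 8.2 IKEv1 debug output quoted
# in the post (peer address, group and crypto map name taken from it).
ASA_DEBUG = """\
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2 Mismatch
"""

# One regex per fact worth pulling out of the capture.
PEER = re.compile(r"\bIP = (\d+\.\d+\.\d+\.\d+)")
CRYPTO_MAP = re.compile(r"configured for crypto map: (\S+)")
P2_MISMATCH = re.compile(
    r"Phase 2 failure:\s+Mismatched attribute types for class ([^:]+):\s+"
    r"Rcv'd:\s+(.+?)\s+Cfg'd:\s+(.+?)\s*$")
TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.+?)\s*$")

def triage_phase2(debug_text):
    """Reduce an IKEv1 debug capture to the facts that explain a Quick Mode
    failure: peer, matched crypto map, and each attribute class on which the
    peer's proposal (Rcv'd) and the local transform set (Cfg'd) disagree.
    Repeated 'Phase 2 failure' lines are folded into a per-class count."""
    result = {"peer": None, "crypto_map": None, "mismatches": {}, "teardown": None}
    for line in debug_text.splitlines():
        if result["peer"] is None and (m := PEER.search(line)):
            result["peer"] = m.group(1)
        if m := CRYPTO_MAP.search(line):
            result["crypto_map"] = m.group(1)
        if m := P2_MISMATCH.search(line):
            key = tuple(g.strip() for g in m.groups())  # (class, rcvd, cfgd)
            result["mismatches"][key] = result["mismatches"].get(key, 0) + 1
        if m := TEARDOWN.search(line):
            result["teardown"] = m.group(1)
    return result

def explain(result):
    """One-line verdict suitable for a ticket or runbook entry."""
    parts = [f"peer {result['peer']} on crypto map {result['crypto_map']}:"]
    for (cls, rcvd, cfgd), n in result["mismatches"].items():
        parts.append(f"{cls} proposed '{rcvd}' but configured '{cfgd}' ({n} proposals rejected);")
    parts.append(f"teardown reason: {result['teardown']}")
    return " ".join(parts)

if __name__ == "__main__":
    print(explain(triage_phase2(ASA_DEBUG)))
```

The client log only ever shows NOTIFY:NO_PROPOSAL_CHOSEN for this condition, so the head-end debug is the side to collect; the same parser surfaces whichever attribute class the ASA reports as mismatched, not only Encapsulation Mode.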