04-04-2017 08:55 AM
Hi there,
we are trying to build a VPN tunnel to a supplier who is using an NSX Edge device and we are failing to get past Phase 1. The ASA is complaining about no matching SA at Phase 1. The ASA is a 5510 running 9.1(7)6, and we have also tried code 9.1(7)9; both exhibit the same issue. Below is a redacted debug showing the attempted connection:
RECV PACKET from x.x.x.x
ISAKMP Header
  Initiator COOKIE: 1d b9 57 10 61 b3 87 0b
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 220
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 0
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 0
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Life Type: seconds
        Life Duration (Hex): 70 80
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Group Description: Group 5
        Key Length: 128
---- CUT
Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, All SA proposals found unacceptable
Apr 04 16:19:27 [IKEv1]IP = x.x.x.x, Error processing payload: Payload ID: 1
Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, IKE MM Responder FSM error history (struct &0xaeab2150) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 185.156.16.81, IKE SA MM:28e10ddb terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 185.156.16.81, sending delete/delete with reason message
---- CUT
We have a matching policy, as per the config below, applied to the inbound interface; this is the only IKE policy on the ASA:
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
If we add another IKE policy, the log shows the error message below; the new policy is configured the same as the one above but with DH Group 2:
Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Additional config:
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
Can anyone shed some light on this?
We have reset the PSK and reloaded the ASA, but the problem remains.
Thanks
Ryan
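As an added illustration (not part of Ryan's post, and not a Cisco or VMware tool), the following Python script parses the transform payload from the `debug crypto ikev1` output and the two `crypto ikev1 policy` blocks posted above, and lists per policy which Phase 1 attributes differ, mirroring the "Rcv'd / Cfg'd" comparison the ASA's own log line reports. The name mappings from the debug's attribute values to ASA keywords are assumptions made for the example. Run on the posted data, it reports an encryption mismatch for both policies (the peer's AES-CBC with a 128-bit key corresponds to `encryption aes` on the ASA, while both policies use `aes-256`) and, for policy 20, the DH group as well.

```python
import re

# Constructed sample input: the transform payload as printed in the post's
# `debug crypto ikev1` output (attribute names as the ASA prints them).
DEBUG_TRANSFORM = """\
Payload Transform
  Next Payload: None
  Reserved: 00
  Payload Length: 36
  Transform #: 0
  Transform-Id: KEY_IKE
  Reserved2: 0000
  Life Type: seconds
  Life Duration (Hex): 70 80
  Encryption Algorithm: AES-CBC
  Hash Algorithm: SHA1
  Authentication Method: Preshared key
  Group Description: Group 5
  Key Length: 128
"""

# Constructed sample input: the two policies from the post's running config.
ASA_POLICIES = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""

# Mapping from debug attribute values to ASA policy keywords. This table is an
# assumption of the example; it covers the values seen here plus common ones.
ENC_KEYWORDS = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
HASH_KEYWORDS = {"SHA1": "sha", "MD5": "md5"}
AUTH_KEYWORDS = {"Preshared key": "pre-share", "RSA signatures": "rsa-sig"}


def parse_transform(text):
    """Turn a printed ISAKMP transform into a dict keyed like an ASA policy."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    enc_raw = attrs["Encryption Algorithm"]
    enc = ENC_KEYWORDS.get(enc_raw, enc_raw.lower())
    key_len = int(attrs.get("Key Length", "0"))
    # ASA spells AES-128 as plain "aes"; 192/256-bit keys carry a suffix.
    if enc == "aes" and key_len in (192, 256):
        enc = f"aes-{key_len}"
    group = int(re.search(r"Group (\d+)", attrs["Group Description"]).group(1))
    # Life Duration is printed as hex bytes: "70 80" -> 0x7080 -> 28800 seconds.
    lifetime = int(attrs["Life Duration (Hex)"].replace(" ", ""), 16)
    auth_raw = attrs["Authentication Method"]
    hash_raw = attrs["Hash Algorithm"]
    return {
        "authentication": AUTH_KEYWORDS.get(auth_raw, auth_raw),
        "encryption": enc,
        "hash": HASH_KEYWORDS.get(hash_raw, hash_raw.lower()),
        "group": group,
        "lifetime": lifetime,
    }


def parse_policies(text):
    """Parse `crypto ikev1 policy N` blocks into {N: {attribute: value}}."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line:
            key, value = line.split(None, 1)
            policies[current][key] = int(value) if value.isdigit() else value
    return policies


# Attributes the ASA must match exactly; lifetime is negotiated, not matched.
STRICT = ("authentication", "encryption", "hash", "group")


def mismatches(proposal, policies):
    """Return {policy_number: [attributes that differ from the proposal]}."""
    return {
        num: [attr for attr in STRICT if policy.get(attr) != proposal[attr]]
        for num, policy in policies.items()
    }


def report(proposal, policies):
    """Human-readable summary in the ASA's own Rcv'd / Cfg'd wording."""
    lines = []
    for num, diff in mismatches(proposal, policies).items():
        if diff:
            detail = ", ".join(
                f"{a}: Rcv'd {proposal[a]} Cfg'd {policies[num].get(a)}" for a in diff
            )
            lines.append(f"policy {num}: mismatch on {detail}")
        else:
            lines.append(f"policy {num}: matches proposal")
    return lines


if __name__ == "__main__":
    for line in report(parse_transform(DEBUG_TRANSFORM), parse_policies(ASA_POLICIES)):
        print(line)
```

The checker deliberately leaves lifetime out of the strict comparison: IKEv1 peers negotiate the SA lifetime rather than requiring it to be identical, so a lifetime difference is worth noting but is not what produces "All SA proposals found unacceptable".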
01-11-2018 09:02 AM
If anyone is still facing the issue, the solution is to set DH group 2 in Phase 1 and set PFS with DH group 2 in Phase 2.
04-15-2019 02:46 AM - edited 04-15-2019 02:55 AM
On the Cisco ASA, use the following command to set the hostname as the identity:
Cisco-ASA(config)# crypto isakmp identity hostname
In NSX Manager, put the hostname of the Cisco ASA in the Peer ID field.