We are trying to build a VPN tunnel to a supplier who is using an NSX Edge device, and we are failing to get past Phase 1. The ASA is complaining re: no matching SA at phase 1. The ASA is a 5510 running 9.1(7)6 and we have also tried on code 9.1(7)9; both exhibit the same issue. Below is a redacted debug showing the attempted connection:
RECV PACKET from x.x.x.x
Initiator COOKIE: 1d b9 57 10 61 b3 87 0b
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Exchange Type: Identity Protection (Main Mode)
Payload Security Association
Next Payload: Vendor ID
Payload Length: 56
Next Payload: None
Payload Length: 44
Proposal #: 0
SPI Size: 0
# of transforms: 1
Next Payload: None
Payload Length: 36
Transform #: 0
Life Type: seconds
Life Duration (Hex): 70 80
Encryption Algorithm: AES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Group Description: Group 5
Key Length: 128
Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, All SA proposals found unacceptable
Apr 04 16:19:27 [IKEv1]IP = x.x.x.x, Error processing payload: Payload ID: 1
Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, IKE MM Responder FSM error history (struct &0xaeab2150) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 188.8.131.52, IKE SA MM:28e10ddb terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 184.108.40.206, sending delete/delete with reason message
We have a matching policy, as per the config below, applied to the inbound interface; this is the only IKE policy on the ASA:
crypto ikev1 policy 10
If we add another IKE policy, then the log shows the error message below, where the new policy is configured the same as the one above but with DH Group 2...
Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
crypto ikev1 policy 20
Can anyone shed some light on this?
We have reset the PSK and reloaded the ASA, but the problem remains.
If anyone is still facing the issue, the solution is to set DH group 2 in phase 1 and set PFS with DH group 2 in phase 2.
In Cisco ASA, use the following command for the hostname:
Cisco-ASA(config)# crypto isakmp identity hostname
In NSX Manager, put the hostname of the Cisco ASA in the Peer ID field.
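
As an added example (not part of the original posts, and not Cisco or VMware code), the following Python parses the transform attributes from the debug in the question, decodes the hex lifetime, and reports which attribute differs from a configured policy, as in the "Mismatched attribute types" message. The function names and the policy dictionary are assumptions made for illustration; policy 20 is constructed from the question's description.

```python
import re

# Constructed sample: the transform lines from the debug in the question.
DEBUG = """\
Life Type: seconds
Life Duration (Hex): 70 80
Encryption Algorithm: AES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Group Description: Group 5
Key Length: 128
"""

# Debug label -> short attribute name used in the policy dicts below.
FIELDS = {"Encryption Algorithm": "encryption", "Key Length": "key_length",
          "Hash Algorithm": "hash", "Authentication Method": "auth",
          "Group Description": "group"}

# Constructed policy using the debug's own value strings: per the question,
# policy 20 equals the received proposal except for DH Group 2.
POLICIES = {20: {"encryption": "AES-CBC", "key_length": "128", "hash": "SHA1",
                 "auth": "Preshared key", "group": "Group 2"}}

def parse_proposal(text):
    """Extract the Phase 1 transform attributes from ASA IKEv1 debug text."""
    prop = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if not m:
            continue
        label, value = m.groups()
        if label in FIELDS:
            prop[FIELDS[label]] = value
        elif label == "Life Duration (Hex)":
            # Hex bytes, big-endian: "70 80" -> 0x7080 seconds.
            prop["lifetime"] = int(value.replace(" ", ""), 16)
    return prop

def mismatches(proposal, policy):
    """Return {attr: (received, configured)} for each attribute that differs.
    The lifetime is decoded for display only and is not compared here."""
    return {k: (proposal.get(k), v) for k, v in policy.items()
            if proposal.get(k) != v}

def first_match(proposal, policies):
    """Return the lowest policy number with no mismatch, else None."""
    for number in sorted(policies):
        if not mismatches(proposal, policies[number]):
            return number
    return None
```

Calling `mismatches(parse_proposal(DEBUG), POLICIES[20])` returns the DH group as the only differing attribute, with the received value first and the configured value second.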