Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3455
Views
0
Helpful
2
Replies

Site to Site VPN Tunnel Issue Cisco ASA and vmWare NSX Edge

RyanJohnstone
Level 1
Level 1

‎04-04-2017 08:55 AM

Hi there,

we are trying to build a VPN tunnel to a supplier who is using an NSX Edge device and we are failing to get past Phase 1.  The ASA is complaining re: no matching SA at phase 1  The ASA is a 5510 running 9.1(7)6 and we have also tried on code 9.1(7)9, both exhibit the same issue, below is a redacted debug showing the attempted connection

 RECV PACKET from x.x.x.x
ISAKMP Header
  Initiator COOKIE: 1d b9 57 10 61 b3 87 0b
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 220
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 0
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 0
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Life Type: seconds
        Life Duration (Hex): 70 80
        Encryption Algorithm: AES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Group Description: Group 5
        Key Length: 128

---- CUT

Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, All SA proposals found unacceptable
Apr 04 16:19:27 [IKEv1]IP = x.x.x.x, Error processing payload: Payload ID: 1
Apr 04 16:19:27 [IKEv1 DEBUG]IP = x.x.x.x, IKE MM Responder FSM error history (struct &0xaeab2150)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 185.156.16.81, IKE SA MM:28e10ddb terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Apr 04 16:19:27 [IKEv1 DEBUG]IP = 185.156.16.81, sending delete/delete with reason message

---- CUT

We have a matching policy as per config below applied to the inbound interface, this is the only ike policy on ASA

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

If we add another ike policy then the log error messages show below, where the new policy is configured the same as the one above but with DH Group 2...

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

additional config

crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

can anyone shed some light on this?

we have reset PSK and reloaded ASA but the problem remains.

Thanks

Ryan

1 person had this problem
Labels:
0 Helpful
2 Replies 2

prafful01
Level 1
Level 1

‎01-11-2018 09:02 AM

If anyone still facing the issue the solution is set DH group 2 in phase 1 and set PFS with DH group 2 in phase 2.

0 Helpful

mnoman
Cisco Employee
Cisco Employee

‎04-15-2019 02:46 AM - edited ‎04-15-2019 02:55 AM

In Cisco ASA use the following command as the hostname 

Cisco-ASA #(config)crypto isakmp identity hostname

In NSX Manager put the hostname of Cisco ASA  on Peer ID field.

0 Helpful
Customers Also Viewed These Support Documents