ASA 8.2 ipsec ike phase2 failure

3moloz123 (Level 1)

I used the wizard for remote access VPN, IPsec, on an ASA 5510 Security Plus running OS version 8.2.

Group: adminsbbs

User: adminuser

While connecting using the client, it says "securing communications..", then it blinks and it's disconnected. Hoping that the following debug output will help you help me, so I don't have to grab the config.

What seems to be the cause of the IKE phase 2 failure?

From the ASA device:

asa01# Dec 29 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 29 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs
Dec 29 18:54:16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
Dec 29 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, User (adminuser) authenticated.
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received unsupported transaction mode attribute: 5
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Client Type: Mac OS X  Client Application Version: 4.9.01 (0100)
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Assigned private IP address 172.16.20.1 to remote user
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Starting P1 rekey timer: 82080 seconds.
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received remote Proxy Host data in ID Payload:  Address 172.16.20.1, Protocol 0, Port 0
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM IsRekeyed old sa not found by addr
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, processing IPSec SA payload
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM FSM error (P2 struct &0xcca2f140, mess id 0x374db953)!
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE QM Responder FSM error history (struct &0xcca2f140)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Removing peer from correlator table failed, no match!
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2 Mismatch
Dec 29 18:54:26 [IKEv1]: Ignoring msg to mark SA with dsID 102400 dead because SA deleted
Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Received encrypted packet with no matching SA, dropping

From the client log:

Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 10.5.0 Darwin Kernel Version 10.5.0: Fri Nov  5 23:20:39 PDT 2010; root:xnu-1504.9.17~1/RELEASE_I386 i386

365    19:09:13.384  12/29/2010  Sev=Info/4 CM/0x43100002
Begin connection process
366    19:09:13.385  12/29/2010  Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC10D5FF, Src Addr: 0xAC10D501 (DRVIFACE:1158).
367    19:09:13.385  12/29/2010  Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC107FFF, Src Addr: 0xAC107F01 (DRVIFACE:1158).
368    19:09:13.385  12/29/2010  Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
369    19:09:13.385  12/29/2010  Sev=Info/4 CM/0x43100024
Attempt connection with server "1.2.0.14"
370    19:09:13.385  12/29/2010  Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
371    19:09:13.387  12/29/2010  Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).
372    19:09:13.387  12/29/2010  Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with 1.2.0.14.
373    19:09:13.471  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.0.14
374    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
375    19:09:13.538  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 1.2.0.14
376    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer
377    19:09:13.538  12/29/2010  Sev=Info/5 IKE/0x43000001
Peer supports XAUTH
378    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001
Peer supports DPD
379    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001
Peer supports NAT-T
380    19:09:13.539  12/29/2010  Sev=Info/5 IKE/0x43000001
Peer supports IKE fragmentation payloads
381    19:09:13.622  12/29/2010  Sev=Info/6 IKE/0x43000001
IOS Vendor ID Contruction successful
382    19:09:13.622  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.0.14
383    19:09:13.623  12/29/2010  Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA
384    19:09:13.623  12/29/2010  Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194
385    19:09:13.623  12/29/2010  Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
386    19:09:13.623  12/29/2010  Sev=Info/4 CM/0x4310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
387    19:09:13.639  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
388    19:09:13.639  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
389    19:09:13.639  12/29/2010  Sev=Info/4 CM/0x43100015
Launch xAuth application
390    19:09:13.825  12/29/2010  Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started
391    19:09:13.825  12/29/2010  Sev=Info/4 IPSEC/0x43700014
Deleted all keys
392    19:09:16.465  12/29/2010  Sev=Info/4 CM/0x43100017
xAuth application returned
393    19:09:16.465  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
394    19:09:16.480  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
395    19:09:16.480  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
396    19:09:16.481  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
397    19:09:16.481  12/29/2010  Sev=Info/4 CM/0x4310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
398    19:09:16.482  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
399    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
400    19:09:16.498  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
401    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.20.1
402    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
403    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 1.2.2.2
404    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 1.2.2.22
405    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
406    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003
407    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet = 10.10.10.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
408    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F
SPLIT_NET #2
subnet = 1.2.31.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
409    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000F
SPLIT_NET #3
subnet = 1.2.8.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
410    19:09:16.498  12/29/2010  Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
411    19:09:16.499  12/29/2010  Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(2) built by builders on Mon 11-Jan-10 14:19
412    19:09:16.499  12/29/2010  Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
413    19:09:16.499  12/29/2010  Sev=Info/4 CM/0x43100019
Mode Config data received
414    19:09:16.500  12/29/2010  Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0
415    19:09:16.500  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 1.2.0.14
416    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
417    19:09:16.517  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.0.14
418    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds
419    19:09:16.517  12/29/2010  Sev=Info/5 IKE/0x43000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
420    19:09:16.518  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
421    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14
422    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14
423    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000049
Discarding IPsec SA negotiation, MsgID=FCB95275
424    19:09:16.518  12/29/2010  Sev=Info/4 IKE/0x43000017
Marking IKE SA for deletion  (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
425    19:09:16.520  12/29/2010  Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
426    19:09:16.520  12/29/2010  Sev=Info/4 IKE/0x43000058
Received an ISAKMP message for a non-active SA, I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148
427    19:09:16.520  12/29/2010  Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.2.0.14
428    19:09:17.217  12/29/2010  Sev=Info/4 IPSEC/0x43700014
Deleted all keys
429    19:09:19.719  12/29/2010  Sev=Info/4 IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
430    19:09:19.719  12/29/2010  Sev=Info/4 CM/0x43100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
431    19:09:19.719  12/29/2010  Sev=Info/5 CM/0x43100025
Initializing CVPNDrv
432    19:09:19.719  12/29/2010  Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
433    19:09:19.719  12/29/2010  Sev=Info/4 IKE/0x43000001
IKE received signal to terminate VPN connection
434    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014
Deleted all keys
435    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014
Deleted all keys
436    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x43700014
Deleted all keys
437    19:09:20.719  12/29/2010  Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped


3moloz123 (Level 1)

What I think is the only relevant config:

access-list wan_cryptomap_20.20 extended deny ip any any
access-list adminsbbs_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list adminsbbs_splitTunnelAcl standard permit 1.2.31.0 255.255.255.0
access-list adminsbbs_splitTunnelAcl standard permit 1.2.8.0 255.255.255.0
ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface wan
crypto ca trustpoint ASDM_TrustPoint0
 fqdn asa01
 subject-name CN=asa01
 no client-types
 crl configure
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy adminsbbs internal
group-policy adminsbbs attributes
 dns-server value 1.2.2.2 1.2.2.22
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value adminsbbs_splitTunnelAcl
username adminuser password RS9sv encrypted privilege 15
username adminuser attributes
 vpn-group-policy adminsbbs
tunnel-group adminsbbs type remote-access
tunnel-group adminsbbs general-attributes
 address-pool sslpool2
 default-group-policy adminsbbs
tunnel-group adminsbbs ipsec-attributes
 pre-shared-key *****
!

It seems to work now. I compared the config to another ASA I had set up earlier, and I found two differences.

On this problematic one, I had:

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto isakmp policy 10
 hash md5

While on the working one:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP_3DES_MD5

crypto isakmp policy 10
 hash sha

Would be great if someone could explain why it differs, and why the TRANS_ESP_3DES_MD5 plus the 'hash md5' did not work :-).

Hello 3moloz123,

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

1. The reason that the Remote Access (RA) VPN was unable to form successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN. You must use Tunnel mode for the IPSec Transform set, as we need to maintain the inside IP header so that once the packet is decapsulated and decrypted at the IPSec head end we can forward the packet.

From the logs you can see this failure:

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types  for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP  Transport

(repeats 4x)

Rcv'd is the transform set sent by the RA Client.  Cfg'd is what the dynamic crypto map supports.

2. The isakmp policy change was unnecessary; the Phase 1 session came up fine, indicating ISAKMP worked. Phase 2 only starts after a successful Phase 1 (ISAKMP session).

After failing to build Phase 2 (the child SA) we drop the ISAKMP SA as well since it isn't being used.

I hope that answers your questions.

Regards,
Craig
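As an added illustration of Craig's point (this is not code from the thread or from Cisco), the checker below correlates the "Phase 2 failure ... Encapsulation Mode" debug line with the crypto map named just before it, then looks up which transform set bound to that dynamic map is in transport mode. The sample debug lines and config lines are copied from the thread; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: three ASA debug lines and four config lines taken
# from the thread above (the "Group = ..." prefix is kept as the ASA prints it).
ASA_DEBUG = """\
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
"""
ASA_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
"""

P2_RE = re.compile(r"Phase 2 failure:\s+Mismatched attribute types for class "
                   r"(?P<cls>[^:]+):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$")
MAP_RE = re.compile(r"IKE Remote Peer configured for crypto map: (\S+)")

def parse_config(text):
    """Return {transform-set: mode} and {dynamic-map: [transform-sets]}."""
    modes = {}                    # ASA default mode is tunnel unless overridden
    bindings = defaultdict(list)  # dynamic-map name -> transform sets it offers
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            modes.setdefault(parts[3], "tunnel")
            if parts[4:6] == ["mode", "transport"]:
                modes[parts[3]] = "transport"
        elif parts[:2] == ["crypto", "dynamic-map"] and "transform-set" in parts:
            bindings[parts[2]].extend(parts[parts.index("transform-set") + 1:])
    return modes, bindings

def diagnose(debug, config):
    """Pair each encapsulation-mode mismatch with the transport-mode sets behind it."""
    modes, bindings = parse_config(config)
    crypto_map, findings = None, []
    for line in debug.splitlines():
        m = MAP_RE.search(line)
        if m:                      # the ASA logs the map before the SA payload check
            crypto_map = m.group(1)
        m = P2_RE.search(line)
        if m and m.group("cls") == "Encapsulation Mode":
            bad = [ts for ts in bindings.get(crypto_map, []) if modes.get(ts) == "transport"]
            findings.append({"crypto_map": crypto_map, "rcvd": m.group("rcvd"),
                             "cfgd": m.group("cfgd"), "transport_sets": bad})
    return findings

def remediation(findings):
    """CLI lines that drop transport mode so the set falls back to tunnel mode."""
    return [f"no crypto ipsec transform-set {ts} mode transport"
            for f in findings for ts in f["transport_sets"]]

if __name__ == "__main__":
    for f in diagnose(ASA_DEBUG, ASA_CONFIG):
        print(f)
    print(remediation(diagnose(ASA_DEBUG, ASA_CONFIG)))
```

Binding a tunnel-mode set such as ESP-3DES-SHA to the dynamic map, as the poster did, is the other way to clear the mismatch; the remediation lines simply keep the existing set name.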