ASA always negotiating DH5

kiranoddiraju
Level 1

Hello,

I'm having trouble with a VPN tunnel. I need the ASA to negotiate DH14 but it appears to be offering only DH5. I have configured both Phase-1 and Phase-2 with DH14. Any ideas what I'm missing here?

Phase 1 – IKEv1 Properties
ISAKMP SA Authentication Method: Pre-Shared Key
ISAKMP Pre-Shared Key: XXXXX
ISAKMP SA Hash Algorithm: SHA1
ISAKMP SA Encryption Algorithm: AES-256
ISAKMP SA Diffie-Hellman Group: DH14
ISAKMP SA Lifetime: 86400 seconds

Phase 2 – IPSec Properties
IPSec SA – IPSec Protocol: ESP
IPSec SA – Mode: Tunnel
IPSec SA – Hash Algorithm: SHA-1
IPSec SA – Encryption Algorithm: AES-256
IPSec SA – Lifetime: 3600 seconds
PFS : Yes
DH: DH14
Mode: Main Mode

%ASA-7-713906: IKE Receiver: Packet received on 11.11.11.11:500 from 10.10.10.10:500
%ASA-7-713236: IP = 10.10.10.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
%ASA-7-715047: IP = 10.10.10.10, processing SA payload
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-7-713236: IP = 10.10.10.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 108
%ASA-7-713906: IP = 10.10.10.10, All SA proposals found unacceptable
%ASA-3-713048: IP = 10.10.10.10, Error processing payload: Payload ID: 1
%ASA-7-715065: IP = 10.10.10.10, IKE MM Responder FSM error history (struct &0x00007f2a88c1fb00) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
%ASA-7-713906: IP = 10.10.10.10, IKE SA MM:e13a60eb terminating: flags 0x01000002, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 10.10.10.10, sending delete/delete with reason message

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set pfs group14
crypto map outside_map 50 set peer 10.10.10.10
crypto map outside_map 50 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 50 set security-association lifetime seconds 3600
crypto map outside_map 50 set security-association lifetime kilobytes unlimited

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
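The debug output above is the kind of thing worth parsing automatically when several tunnels are being troubleshot at once: the `%ASA-5-713257` lines carry the attribute class, the value the peer proposed and the value the ASA has actually loaded, and the `713906 ... All SA proposals found unacceptable` line confirms the negotiation was rejected rather than merely retried. The following parser is an added example, not code from the post or from Cisco; it assumes the message formats shown in the post (the sample log is constructed in that shape, with the post's addresses) and keys each finding on the most recent `IP = ...` / `from ...` address seen, since the 713257 lines themselves carry no peer address.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the debug output quoted in the post (not a live capture).
SAMPLE_LOG = """\
%ASA-7-713906: IKE Receiver: Packet received on 11.11.11.11:500 from 10.10.10.10:500
%ASA-7-715047: IP = 10.10.10.10, processing SA payload
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5
%ASA-7-713236: IP = 10.10.10.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 108
%ASA-7-713906: IP = 10.10.10.10, All SA proposals found unacceptable
%ASA-3-713048: IP = 10.10.10.10, Error processing payload: Payload ID: 1
"""

# Peer address appears either as "IP = a.b.c.d" or "from a.b.c.d:500" in the receiver line.
PEER_RE = re.compile(r"(?:IP = |from )(\d{1,3}(?:\.\d{1,3}){3})")
# Attribute mismatch: class, what the peer sent, what this ASA has configured.
MISMATCH_RE = re.compile(
    r"%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class "
    r"(?P<cls>.+?): Rcv'd: (?P<rcv>.+?) Cfg'd: (?P<cfg>.+?)\s*$"
)
REJECTED_RE = re.compile(r"%ASA-7-713906: .*All SA proposals found unacceptable")


def parse_phase1_failures(log_text):
    """Return {peer_ip: {"mismatches": {(class, received, configured)}, "rejected": bool}}."""
    peer = "unknown"
    findings = defaultdict(lambda: {"mismatches": set(), "rejected": False})
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)  # the 713257 lines carry no address, so remember the last one seen
        mm = MISMATCH_RE.search(line)
        if mm:
            findings[peer]["mismatches"].add((mm["cls"], mm["rcv"], mm["cfg"]))
        if REJECTED_RE.search(line):
            findings[peer]["rejected"] = True
    return dict(findings)


def summarize(findings):
    """One human-readable line per (peer, mismatch), duplicates already collapsed by the set."""
    lines = []
    for peer, info in sorted(findings.items()):
        for cls, rcv, cfg in sorted(info["mismatches"]):
            outcome = "proposals rejected" if info["rejected"] else "outcome not confirmed"
            lines.append(f"peer {peer}: {cls} received '{rcv}' but configured '{cfg}' ({outcome})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_phase1_failures(SAMPLE_LOG)):
        print(line)
```

Run against a full `debug crypto ikev1 127` capture, the summary immediately shows which attribute class the peer and the ASA disagree on, and the `Cfg'd` value is the one to compare against the running configuration: in this thread the configuration says group 14 while the ASA reports group 5 as configured, which is the discrepancy the replies go on to chase.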

11 Replies

@kiranoddiraju what is the exact IKE policy configuration on the peer side? Provide the configuration if possible, or the full debug from your side.

Hey Rob, 

I have confirmed with the remote end engineer that the IKE policy is the same as what is configured at my end. I can provide the full debug on my firewall in a couple of hours.

@kiranoddiraju ok. If you can take a packet capture and send me the capture, I can have a look in Wireshark - feel free to send in PM if you don't want to upload this publicly.

balaji.bandi
Hall of Fame
%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 14 Cfg'd: Group 5

What ASA code is running, and what device is on the other side?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Firmware version 9.16(3) on the ASA and the remote end is a Juniper firewall.

The question here is: does the Juniper side support DH14?

BB


Yes, the remote end engineer confirmed they have many VPN tunnels configured on the Juniper with DH14 as the default.

kiranoddiraju
Level 1

We changed the tunnel protocol from IKEv1 to IKEv2 at both ends and the tunnel came up fine. Really surprised that switching the protocol to IKEv2 helped to resolve the VPN issue.

Thanks for sharing the solution.
And yes, DH depends on IKE; some devices use a different DH group for each IKE version.

If you had PFS configured without any attributes, it would have tried DH group 5 for that aspect of the connection and resulted in the observed error.
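The reply above points at the two places in an ASA configuration where a Diffie-Hellman group is chosen for an IKEv1 tunnel: the `group` line of each `crypto ikev1 policy`, and the `set pfs` line of each crypto map entry. A `set pfs` with no explicit group, or a group below 14, is exactly the sort of thing that is easy to overlook when the ASDM summary says "DH14". The audit below is an added example, not code from the post or from Cisco; it assumes the plain `show run crypto` line formats used in the post, treats any group below 14 (2048-bit MODP) as below current guidance, and deliberately does not guess which default the platform applies when `set pfs` carries no group, since that differs between releases; it only flags that the group is not pinned. The first sample is the thread's own configuration, the second is a constructed configuration with the two weak patterns.

```python
import re

MIN_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are below current guidance

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)\s*$")
GROUP_RE = re.compile(r"^group (\d+)\s*$")
# ASA syntax is "set pfs group14"; a bare "set pfs" leaves the group to the platform default.
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs(?: group ?(\d+))?\s*$")

# The configuration quoted in the original post.
THREAD_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set pfs group14
crypto map outside_map 50 set peer 10.10.10.10
crypto map outside_map 50 set ikev1 transform-set ESP-AES-256-SHA
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
"""

# Constructed configuration showing an unpinned PFS group and a phase-1 policy on group 5.
WEAK_CONFIG = """\
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 192.0.2.10
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
"""


def audit_dh_groups(config_text):
    """Return a list of {"scope", "group", "issue"} dicts; an empty list means every DH group is pinned at >= MIN_GROUP."""
    findings = []
    policies = {}      # policy number -> group number, or None if the policy has no group line
    current = None     # policy block currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = None
            continue
        if current is not None:
            g = GROUP_RE.match(line)
            if g:
                policies[current] = int(g.group(1))
                continue
            if line.startswith("crypto "):
                current = None  # any other top-level crypto line ends the policy block
        m = PFS_RE.match(line)
        if m:
            scope = f"crypto map {m.group(1)} {m.group(2)}"
            grp = m.group(3)
            if grp is None:
                findings.append({"scope": scope, "group": None, "issue": "no-explicit-group"})
            elif int(grp) < MIN_GROUP:
                findings.append({"scope": scope, "group": int(grp), "issue": "below-minimum"})
    for num, grp in sorted(policies.items()):
        scope = f"crypto ikev1 policy {num}"
        if grp is None:
            findings.append({"scope": scope, "group": None, "issue": "no-explicit-group"})
        elif grp < MIN_GROUP:
            findings.append({"scope": scope, "group": grp, "issue": "below-minimum"})
    return findings


if __name__ == "__main__":
    for name, cfg in (("thread config", THREAD_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, audit_dh_groups(cfg) or "no findings")
```

The thread's configuration comes back clean, which is consistent with the poster's claim that both phases were set to group 14; the constructed configuration is reported twice, once for the unpinned `set pfs` and once for the group 5 policy. Note that a clean audit of the running configuration does not by itself explain a `Cfg'd: Group 5` in the debug, so the check is a first pass before comparing against the peer's proposal.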

Sure, IKEv2 is required. Glad all is good.

BB