01-07-2014 11:37 AM - edited 02-21-2020 07:25 PM
Hi Everyone,
I am trying to merge two networks, one using an ASA 5510 as its edge device, and the other using a Watchguard XTM 510. For some reason, when a connection is initiated from the Watchguard side, phase 1 completes with MM_ACTIVE, but when the ASA initiates, IKE shows the following status:
IKE Peer: x.x.x.145 (Watchguard Side)
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Regardless, however, even at MM_ACTIVE, phase 1 resets and phase 2 never begins, and so a connection is never made. I have collected a debug from both sides and they are as follows:
ASA IP: x.x.x.60
Watchguard IP: x.x.x.145
ASA:
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a83f)
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:02 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:02 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=e57925a0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a840)
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:04 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:04 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=6bfb344) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x2f6a841)
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:06 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:06 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=51a5ab4d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:08 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7a82c06c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
Jan 07 06:51:08 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:08 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=1ef674ce) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 07 06:51:08 [IKEv1]: Ignoring msg to mark SA with dsID 2019328 dead because SA deleted
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Oakley proposal is acceptable
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received DPD VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Received NAT-Traversal ver 02 VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing IKE SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 5
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ISAKMP SA payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Traversal VID ver 02 payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Fragmentation VID + extended capabilities payload
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ke payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing ISA_KE payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing nonce payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, processing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing ke payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing nonce payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing Cisco Unity VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing xauth V6 VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send IOS VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing VID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, constructing NAT-Discovery payload
Jan 07 06:51:19 [IKEv1 DEBUG]: IP = x.x.x.145, computing NAT Discovery hash
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Generating keys for Responder...
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing ID payload
Jan 07 06:51:19 [IKEv1 DECODE]: Group = x.x.x.145, IP = x.x.x.145, ID_IPV4_ADDR ID received
x.x.x.145
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, processing hash payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Connection landed on tunnel_group x.x.x.145
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Freeing previously allocated memory for authorization-dn-attributes
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing ID payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing hash payload
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Computing hash for ISAKMP
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing dpd vid payload
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 107
Jan 07 06:51:19 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, PHASE 1 COMPLETED
Jan 07 06:51:19 [IKEv1]: IP = x.x.x.145, Keep-alive type for this connection: DPD
Jan 07 06:51:19 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Starting P1 rekey timer: 64800 seconds.
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:23 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:27 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, P1 Retransmit msg dispatched to MM FSM
Jan 07 06:51:31 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, Responder resending last msg
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f28)
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:32 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:32 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=96f50614) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f29)
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:34 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:34 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f17efc6e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a794f2a)
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:36 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:36 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=a4d9cf11) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 07 06:51:38 [IKEv1]: Group = x.x.x.145, IP = x.x.x.145, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, IKE SA MM:7b9076bf terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, sending delete/delete with reason message
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing blank hash payload
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing IKE delete payload
Jan 07 06:51:38 [IKEv1 DEBUG]: Group = x.x.x.145, IP = x.x.x.145, constructing qm hash payload
Jan 07 06:51:38 [IKEv1]: IP = x.x.x.145, IKE_DECODE SENDING Message (msgid=f1d3a895) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 07 06:51:38 [IKEv1]: Ignoring msg to mark SA with dsID 2023424 dead because SA deleted
Watchguard:
<158>Jan 7 13:57:11 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCreateIsakmpSA: init vpnDpdSequenceNum = 384341539(Isakmp SA 0x81b26a0)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)MainMode: recv 1st msg pcy [newbury] peer x.x.x.60:500 (Ct=324)
<156>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 started by peer with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloads : Payload(SA) Len(172)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalNtoH : Recv SPI(0x03 0000 0000 0x28) SPI(0000 0000 0000 0000)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_NAT-T_VID(first 4bytes: 0x9180cb90)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)P1__Mode: NAT-T negotiated [newbury] peer 0xd5534a3c:500
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeProposalHtoN : net order spi(0000 0000 0000 0000)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending second message with policy [newbury] to x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received third message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(4) Len(196)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(10) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(12)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(130) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_XAUTH06_VID(first 4bytes: 0x89260009)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Sending fourth message with policy [newbury] to x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:17 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:20 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:21 iked[1976]: unsupported WG notification event - 524293
<158>Jan 7 13:57:24 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:25 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Phase 1 IkeRetryTimeout:: Retrying 1st phase.. (Gateway newbury)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)******** RECV an IKE packet at x.x.x.145:500(socket=11 ifIndex=5) from Peer x.x.x.60:500 ********
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : SAState.sState(7)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkePrepareIsakmpKeyMat()
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeMMProcessIDMsg : Calling IkeCipherMsg()
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(13) Len(20)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Received VID_PAYLOAD - VPN_DPD_VID(first 4bytes: 0x13d7caaf)
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Enable DPD locally
<156>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)Cannot process MM ID payload from x.x.x.60:500 to x.x.x.145 cookies i=4114a226 2bd42182 r=40856ef5 71cb0439
<158>Jan 7 13:57:28 iked[1976]: (x.x.x.145<->x.x.x.60)ike_process_pkt : ProcessData returned error (-1)
Any insight you can provide in this regard would be greatly appreciated.
01-09-2014 08:16 AM
The issue was resolved. Watchguard uses both a "Remote Gateway IP", as well as a "Remote Gateway ID." In most cases, these will have the same IPv4 value. However, in this case, the ASA was using an old FQDN as its ID so it was causing a mismatch with the ID configured for that gateway on the Watchguard side. Once the ID was changed to the FQDN of the ASA, the tunnel came up and started passing traffic.
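The ID mismatch described in this answer can be read from the Watchguard debug alone. The following is an added example, not part of the original posts and not vendor code: it pulls the ID payload length out of each fifth main-mode message and checks whether it is the size of an IPv4 identity. It assumes the logged `Len()` includes the 4-byte ISAKMP generic payload header; the function names are hypothetical.

```python
import re

GENERIC_HDR = 4   # next payload, reserved, payload length (RFC 2408)
ID_FIXED = 4      # ID type, protocol ID, port
ID_PAYLOAD = 5    # ISAKMP payload type number for Identification

MSG5 = re.compile(r"Received fifth message .* from (\S+) main mode")
PAYLOAD = re.compile(r"Payload\((\d+)\) Len\((\d+)\)")

# Sample input: five lines copied from the Watchguard debug in the question.
SAMPLE = """\
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Received fifth message with policy [newbury] from x.x.x.60:500 main mode
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(5) Len(35)
<158>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)IkeCheckPayloadsG: Payload(8) Len(24)
<156>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)WARNING: Mismatched ID settings at peer x.x.x.60:500 caused an authentication failure
<155>Jan 7 13:57:16 iked[1976]: (x.x.x.145<->x.x.x.60)Process 5/6 Msg : failed to process ID payload
"""

def triage(log_text):
    """Return one record per fifth main-mode message seen in the log."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = MSG5.search(line)
        if m:
            cur = {"peer": m.group(1), "id_payload_len": None,
                   "id_data_len": None, "ipv4_sized": None, "mismatch": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue  # ignore lines before the first fifth message
        m = PAYLOAD.search(line)
        if m and int(m.group(1)) == ID_PAYLOAD:
            plen = int(m.group(2))
            cur["id_payload_len"] = plen
            # Strip the generic header and the fixed ID fields to get the
            # length of the identity value the peer actually sent.
            cur["id_data_len"] = plen - GENERIC_HDR - ID_FIXED
            cur["ipv4_sized"] = cur["id_data_len"] == 4
        elif "Mismatched ID settings" in line:
            cur["mismatch"] = True
    return attempts

def verdict(a):
    """Turn one record into a line an operator can act on."""
    if not a["mismatch"]:
        return f"{a['peer']}: ID payload accepted"
    if a["ipv4_sized"]:
        return (f"{a['peer']}: ID rejected although it is IPv4-sized; "
                "check the address configured as the remote gateway ID")
    return (f"{a['peer']}: ID rejected and carries {a['id_data_len']} bytes of "
            "ID data, so it is not an IPv4 address; check whether the peer "
            "sends an FQDN or other ID type and match the remote gateway ID")

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(verdict(attempt))
```

On the lines from the question this reports 27 bytes of ID data, which already rules out an IPv4 identity before anyone looks at the ASA configuration.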
01-09-2014 09:11 AM
Thanks for letting us know... Never had a Watchguard VPN in my hands, interesting to know...
But you might want to mark this thread as "solved"