IPsec Phase 1 error between ASA & Cisco 870

ggl277808
Level 1

Hi Team,

I'm trying to set up a site-to-site VPN between an ASA 5520 and a Cisco 870.

This is the error on the ASA:
================================================

May 16 2018 15:03:35: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing SA payload
May 16 2018 15:03:35: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
May 16 2018 15:03:35: %ASA-7-713906: IP = xxx.xx.x.xxx, Oakley proposal is acceptable
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing VID payload
May 16 2018 15:03:35: %ASA-7-715049: IP = xxx.xx.x.xxx, Received NAT-Traversal RFC VID
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing VID payload
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing VID payload
May 16 2018 15:03:35: %ASA-7-715049: IP = xxx.xx.x.xxx, Received NAT-Traversal ver 03 VID
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing VID payload
May 16 2018 15:03:35: %ASA-7-715049: IP = xxx.xx.x.xxx, Received NAT-Traversal ver 02 VID
May 16 2018 15:03:35: %ASA-7-715047: IP = xxx.xx.x.xxx, processing IKE SA payload
May 16 2018 15:03:35: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
May 16 2018 15:03:35: %ASA-7-715028: IP = xxx.xx.x.xxx, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
May 16 2018 15:03:35: %ASA-7-715046: IP = xxx.xx.x.xxx, constructing ISAKMP SA payload
May 16 2018 15:03:35: %ASA-7-715046: IP = xxx.xx.x.xxx, constructing Fragmentation VID + extended capabilities payload
May 16 2018 15:03:35: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 16 2018 15:03:43: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

==========================================================

The config of the Cisco 870 router
=======================

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
!
no aaa new-model
clock timezone CEST 1
!
crypto pki trustpoint TP-self-signed-3497113466
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3497113466
revocation-check none
rsakeypair TP-self-signed-3497113466
!
!
crypto pki certificate chain TP-self-signed-3497113466
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343937 31313334 3636301E 170D3032 30333031 30303038
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34393731
31333436 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B49F 96F96213 E3135431 621E1AF1 8ABE9C20 9D96838A AA7870EE 88776DD5
6710DAD1 B5878AA0 4C2BABF1 409606FD 73DCF2C2 EB3626FF E69499EB 75509E96
9BBCB5DF 3D393CB5 B346830B A0885707 100DED00 61E9FFFB 97F1B7E7 E444E962
437FAF9B 12C9F36E 3E02289A 9997E241 107BD9DE 1F400062 E78EA9A9 227E5440
40190203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14A6E8A3 42349C3D B4DB2FA6 6A4A53F8 43EAF918
97301D06 03551D0E 04160414 A6E8A342 349C3DB4 DB2FA66A 4A53F843 EAF91897
300D0609 2A864886 F70D0101 04050003 81810005 536BED2E 17E8DEDA 6797509D
CBEA6DCE 64F13B4D 5582E58D 5FDABFBF D11A8D68 F5B4BC51 45AC1483 DB34B644
2F72DE2E EE1A1398 9044D143 895AE56F 3CBA3FF6 543E8B26 FBA64BE2 82BF542D
FA7F78B4 DB35A456 77CF8929 BC0C2106 64317A6E A904BAEF 791A4717 C697663F
7EC5428B 3DD063B7 744D1A54 AAF2DD5C C27688
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.20.72.1 172.20.72.10
ip dhcp excluded-address 172.20.72.240 172.20.72.254
!
ip dhcp pool sdm-pool
import all
network 172.20.72.0 255.255.255.0
default-router 172.20.72.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
username admin privilege 15 secret 5 $1$sykE$SXhpvEgX0pzawA9pJgsy//
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp key 7pnPG0Urb6n6 address XX.YY.XYZ.ZYX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel Site to Site
set peer XX.YY.XYZ.ZYX

set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
set pfs group5
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
pvc 8/32
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.20.72.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname adslppp@telefonicanetpa
ppp chap password 0 adslppp
ppp pap sent-username adslppp@telefonicanetpa password 0 adslppp
crypto map SDM_CMAP_1
!
interface Dialer0
mtu 1492
no ip address
no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 2 remark INSIDE_IF=Vlan1
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.72.0 0.0.0.255
access-list 100 permit ip 172.20.72.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 100 permit ip 172.20.72.0 0.0.0.255 172.20.20.0 0.0.0.255
access-list 100 permit ip 172.20.72.0 0.0.0.255 172.20.100.0 0.0.0.255
access-list 101 deny ip 172.20.72.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 172.20.72.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

===================

Any advice?

Thanks in advance

Accepted Solution

Just as RJI mentioned, your phase 1 is mismatched. I would create a new one (another one) on the ASA that matches the 870's.

12 Replies

Hulk8647
Level 1

Can you provide the "show run" of the ASA?

I think Hulk8647 meant the "show run" from the ASA ;)

Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

Ultimately the issue on the router is that you have configured group 5, and the error message indicates the ASA isakmp policy is configured to use group 2. You need these to match; group 5 is more secure than group 2. However, group 14/15 is the recommended minimum.

 

crypto isakmp policy 1
encr aes
authentication pre-share
group 5

Yes, sorry, I corrected it a bit too late.

Hi Hulk8647,

Find attached the ASA config.

Just as RJI mentioned, your phase 1 is mismatched. I would create a new one (another one) on the ASA that matches the 870's.

Hi RJI,

I've checked this by changing it on the router side, and the mismatch error then shows as follows:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

Thanks for the help.

Hi,

From the ASA config that I've sent you, I extracted the following:

crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 25
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

 

Those are all the IKEv1 policies configured on the ASA.

Hmm, OK, it looks like there should be a match:

ASA
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

ROUTER
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 28800

 

Lifetimes are different, but they should match on the lowest value. The router isakmp policy doesn't show a hash, but that's because it's the default (sha).

Perhaps modify the existing isakmp policy on both devices, using different encryption, hashing and group values. See if it will match on those, e.g.:

encryption aes 256
hashing sha256
group 14

Do this on both devices, turn on debugging again and see if it can match.
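RJI's side-by-side comparison can be mechanised. The following is an added example (my own code, not Cisco's and not posted by anyone in this thread): it parses the IOS `crypto isakmp policy` and ASA `crypto ikev1 policy` blocks quoted in this thread and walks the ASA policies in priority order against the router's proposal, which is how a responder evaluates a received proposal. The platform defaults it fills in for unset attributes, and the folding of the IOS `encr aes 256` spelling onto the ASA `aes-256` form, are my assumptions and are marked as such in the comments. It also tries the aes 256 / group 2 variant the original poster reports later in the thread, which this matcher pairs with ASA policy 15.

```python
import re

# Assumed platform defaults for attributes a policy block leaves unset: IOS 12.4
# ISAKMP defaults and ASA IKEv1 defaults as I recall them (an assumption, not
# taken from the thread; the thread only relies on the IOS hash default being sha).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}
# IOS and ASA spell some keywords differently; fold them onto one vocabulary (assumption).
ALIASES = {"encr": "encryption", "aes 256": "aes-256", "aes 192": "aes-192"}
# Attributes both peers must agree on exactly. Lifetime is not one of them:
# the peers settle on the shorter value, as RJI notes above.
NEGOTIATED = ("encryption", "hash", "authentication", "group")
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

# Constructed copies of the policy blocks posted in this thread; the router's
# pre-shared key and peer address are placeholders.
ROUTER_CONFIG = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key PLACEHOLDER_KEY address 192.0.2.1
"""
# The router policy after the change reported later in the thread (aes 256, group 2).
ROUTER_CONFIG_CHANGED = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
"""
# First three of the seven ASA policies posted; the rest follow the same shape.
ASA_CONFIG = """
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""


def parse_policies(config_text, defaults):
    """Return {priority: {attribute: value}} for every policy block in the text."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = POLICY_RE.match(line)
        if m:
            current = dict(defaults)          # start from the platform defaults
            policies[int(m.group(1))] = current
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        key, value = ALIASES.get(key, key), ALIASES.get(value, value)
        if key in defaults:
            current[key] = value
        else:
            current = None                    # unrelated config line: block ended
    return policies


def find_match(proposal, responder_policies):
    """Walk the responder's policies lowest priority number first, as the responder
    checks a received proposal. Returns (matched_priority, agreed_policy, notes);
    notes records every per-policy mismatch seen before the match, in the
    Rcv'd/Cfg'd wording the ASA uses in its 713257 log lines."""
    notes = []
    for prio in sorted(responder_policies):
        cand = responder_policies[prio]
        diffs = [(a, proposal[a], cand[a]) for a in NEGOTIATED if proposal[a] != cand[a]]
        if not diffs:
            agreed = dict(cand)
            agreed["lifetime"] = str(min(int(proposal["lifetime"]), int(cand["lifetime"])))
            return prio, agreed, notes
        notes.extend(f"policy {prio}: {a} Rcv'd: {r} Cfg'd: {c}" for a, r, c in diffs)
    return None, None, notes


if __name__ == "__main__":
    asa = parse_policies(ASA_CONFIG, ASA_DEFAULTS)
    for cfg in (ROUTER_CONFIG, ROUTER_CONFIG_CHANGED):
        prio, agreed, notes = find_match(parse_policies(cfg, IOS_DEFAULTS)[1], asa)
        print(f"matched ASA policy {prio}: {agreed}", *notes, sep="\n  ")
```

Run stand-alone it prints which ASA policy each router proposal lands on, plus the per-policy mismatch notes met on the way. A mismatch note against one policy is not by itself a failure; only an empty match result is.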

Hi RJI,

I've changed the encr to aes 256, but the group only lets me choose between:

yourname(config-isakmp)#group ?
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5

yourname(config-isakmp)#group

So based on the IKEv1 policy in the ASA I configured group 2, and the result is the same.

Thank you guys

 

You must have really old firmware!

Please can you upload the output of "show crypto isakmp policy" on the router?

Can you initiate the tunnel and capture as much of the output as possible, and upload it in a text file so we can look through it?

I would try creating another new policy on the ASA

crypto ikev1 policy 3
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Then, clear your phase 1 on both devices and try again with debugs

I've been busy these days, so picking this issue up again: doing a debug on the ASA side, I can see the connection stuck in this state:

MM_WAIT_MSG3

Researching a little, I found these possible causes:

MM_WAIT_MSG3

The Phase 1 policies have been agreed with both peers; the responder is waiting for the initiator to send it its keying information. Two things could cause this:

1. Different vendors' equipment talking to the ASA, or simply the versions of OS on the ASAs being different.

2. There is a comms error; check there's no router with firewall capabilities in the link.

For now I'll try to upgrade the firmware and check if the problem is solved.

Thanks to everyone
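Reading the first post's ASA log with that state in mind, as an added example (my code, not Cisco's and not from anyone in this thread): it parses the %ASA syslog lines, separates the per-policy 713257 mismatch lines from the 715028 line that records the matching global IKE entry (entry 8 in the post), and counts the msgid=0 messages to see whether the ASA ever got past main mode message 2. The log lines are a constructed copy of those in the post (peer IP masked as there); the regular expressions and the verdict text are mine.

```python
import re

# Constructed copy of lines from the first post; the peer IP is masked there,
# so it stays masked here.
ASA_LOG = """\
May 16 2018 15:03:35: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164
May 16 2018 15:03:35: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
May 16 2018 15:03:35: %ASA-7-713906: IP = xxx.xx.x.xxx, Oakley proposal is acceptable
May 16 2018 15:03:35: %ASA-7-715049: IP = xxx.xx.x.xxx, Received NAT-Traversal RFC VID
May 16 2018 15:03:35: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
May 16 2018 15:03:35: %ASA-7-715028: IP = xxx.xx.x.xxx, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
May 16 2018 15:03:35: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 16 2018 15:03:43: %ASA-7-713236: IP = xxx.xx.x.xxx, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-(?P<sev>\d)-(?P<id>\d+): (?P<body>.*)$")
MISMATCH_RE = re.compile(r"class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
ENTRY_RE = re.compile(r"Matches global IKE entry # (\d+)")
DECODE_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING|RESENDING) Message \(msgid=(\d+)\)")


def triage_phase1(log_text):
    """Summarise one IKEv1 phase 1 attempt from ASA debug syslog lines."""
    s = {"mismatches": [], "matched_entry": None, "nat_t": False,
         "received": 0, "sent": 0, "resent": 0, "verdict": ""}
    counter_for = {"RECEIVED": "received", "SENDING": "sent", "RESENDING": "resent"}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                          # not an %ASA line, ignore
        body, msg_id = m.group("body"), m.group("id")
        if msg_id == "713257":                # one policy rejected the proposal
            mm = MISMATCH_RE.search(body)
            if mm:
                s["mismatches"].append((mm["cls"], mm["rcvd"], mm["cfgd"]))
        elif msg_id == "715028":              # a policy accepted it
            em = ENTRY_RE.search(body)
            if em:
                s["matched_entry"] = int(em.group(1))
        elif msg_id == "715049" and "NAT-Traversal" in body:
            s["nat_t"] = True                 # peer advertised NAT-T
        elif msg_id == "713236":              # an IKE message went in or out
            dm = DECODE_RE.search(body)
            if dm and dm.group(2) == "0":     # msgid 0 = phase 1 (main mode)
                s[counter_for[dm.group(1)]] += 1
    if s["matched_entry"] is None:
        s["verdict"] = "no phase 1 policy matched; fix the proposal: " + "; ".join(
            f"{c} Rcv'd {r} Cfg'd {g}" for c, r, g in s["mismatches"])
    elif s["resent"] and s["received"] == 1:
        ports = "UDP/500 and UDP/4500" if s["nat_t"] else "UDP/500"
        s["verdict"] = (
            f"proposal matched global IKE entry {s['matched_entry']}; the "
            f"{len(s['mismatches'])} 713257 lines are per-policy checks on the way there. "
            "The ASA sent MM2 and had to resend it, so MM3 never arrived (responder stuck in "
            "MM_WAIT_MSG3): either MM2 never reached the peer or its MM3 never came back; "
            f"check {ports} along the path in both directions rather than the policy.")
    else:
        s["verdict"] = f"proposal matched global IKE entry {s['matched_entry']}"
    return s


if __name__ == "__main__":
    for key, value in triage_phase1(ASA_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this reports a match on entry 8 with one received, one sent and one resent msgid=0 message, which is the MM_WAIT_MSG3 picture the last reply describes; the two 713257 lines were checks against earlier policies, not the reason the tunnel stalls.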

 
