L2L IKEv1 Tunnel - Phase 1 Failure ASA 5520's IOS 8.2

nathan demers
Beginner

I have been struggling with this for the past few days and have made very little headway. I have both sides configured and they are identical in regards to the tunnel. It appears that phase 1 is not completing. I will submit the configs first and then the debug crypto isakmp 127. I used Beyond Compare to compare the differences between them and everything looks good. The items in question are in red. The first mismatch in red seems strange since I have 3 policies and they are identical. The transport is also identical. Where is the mismatch? What am I doing wrong?

Internal ASA Config

access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.19
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.17
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.18
route Outside 0.0.0.0 0.0.0.0 5.5.5.5 1
route Corp 10.0.0.0 255.0.0.0 10.0.3.17 1
route Outside 9.9.9.9 255.255.255.255 5.5.5.5 1
route Outside 192.168.0.0 255.255.240.0 5.5.5.5 1
crypto ipsec transform-set Convention esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP 251 match address Convention-l2l-VPN
crypto map VENDORVPNMAP 251 set peer 9.9.9.9
crypto map VENDORVPNMAP 251 set transform-set Convention
crypto map VENDORVPNMAP 251 set security-association lifetime seconds 3600
crypto map VENDORVPNMAP 251 set security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
 pre-shared-key *

Remote Site ASA

access-list Convention-l2l-VPN extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.19 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.17 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.18 10.0.0.0 255.0.0.0
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
route CORP-EVENT 192.168.0.0 255.255.0.0 192.168.0.33 1
crypto ipsec transform-set Convention esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP 251 match address Convention-l2l-VPN
crypto map VENDORVPNMAP 251 set peer 5.5.5.5
crypto map VENDORVPNMAP 251 set transform-set Convention
crypto map VENDORVPNMAP 251 set security-association lifetime seconds 3600
crypto map VENDORVPNMAP 251 set security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP interface XPOS-INET
crypto isakmp enable XPOS-INET
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 pre-shared-key *****

Debug Crypto Isakmp 127 (from Remote ASA)

Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing SA payload
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Oakley proposal is acceptable
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal ver 02 VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal ver 03 VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal RFC VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received Fragmentation VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing IKE SA payload
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing ISAKMP SA payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing NAT-Traversal VID ver 02 payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing Fragmentation VID + extended capabilities payload
Jan 01 20:38:51 [IKEv1]: IP = 5.5.5.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:53 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:54 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:55 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:57 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:57 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:39:01 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:39:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:39:01 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:15 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jan 01 20:39:15 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE MM Responder FSM error history (struct &0xac4ff070)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA MM:2d039532 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, sending delete/delete with reason message
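An added example, not part of the original post: a small Python script that reads ASA "debug crypto isakmp" output of this kind and separates the per-policy "Mismatched attribute" lines (which the ASA prints for every local policy it tries before one matches, so they are benign once "Oakley proposal is acceptable" follows) from the actual failure, which in the post's debug is the responder sitting in MM_WAIT_MSG3 and retransmitting message 2 until the SA times out. The sample debug excerpt is constructed from the lines quoted in the post (with the repeated KEY-ACQUIRE lines dropped); the second "no matching policy" sample is constructed to exercise the other branch. The reading of the FSM history as most-recent-first is an assumption based on the order in the post.

```python
import re

# Constructed excerpt of the "debug crypto isakmp 127" output quoted in the post
# (same message kinds as the original; repeated KEY-ACQUIRE lines dropped).
SAMPLE_DEBUG = """\
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing SA payload
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Oakley proposal is acceptable
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Jan 01 20:38:51 [IKEv1]: IP = 5.5.5.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE MM Responder FSM error history (struct &0xac4ff070)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA MM:2d039532 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
"""

# Constructed counter-example: the peer's proposal matches none of the local policies.
SAMPLE_NO_MATCH = """\
Jan 01 21:00:00 [IKEv1 DEBUG]: IP = 5.5.5.5, processing SA payload
Jan 01 21:00:00 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Encryption Algorithm:  Rcv'd: AES-CBC  Cfg'd: Triple-DES
Jan 01 21:00:00 [IKEv1]: IP = 5.5.5.5, All SA proposals found unacceptable!
"""

MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$")
ACCEPT_RE = re.compile(r"Oakley proposal is acceptable|Transform # \d+ acceptable")
FSM_RE = re.compile(r"FSM error history .*?<event>:\s+(?P<history>.*)$")


def analyze_isakmp_debug(text):
    """Classify one IKEv1 Main Mode attempt from ASA 'debug crypto isakmp' output."""
    result = {"proposal_accepted": False, "mismatches": [], "resends": 0,
              "failed_state": None, "diagnosis": ""}
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            # One line per local policy that did not match this transform.
            result["mismatches"].append((m["cls"].strip(), m["rcvd"].strip(), m["cfgd"].strip()))
        elif ACCEPT_RE.search(line):
            result["proposal_accepted"] = True
        elif "IKE_DECODE RESENDING" in line:
            result["resends"] += 1
        else:
            f = FSM_RE.search(line)
            if f:
                # Assumption: the history is printed most-recent-first, so the first
                # entry after the terminal MM_DONE/EV_ERROR is the state the SA died in.
                for step in f["history"].split("-->"):
                    parts = step.strip().split(", ", 1)
                    if len(parts) == 2 and parts[0] != "MM_DONE":
                        result["failed_state"] = parts[0]
                        break
    if not result["proposal_accepted"]:
        result["diagnosis"] = ("No ISAKMP policy matched the peer's proposal: compare "
                               "authentication, encryption, hash and DH group on both sides.")
    elif result["failed_state"] == "MM_WAIT_MSG3" and result["resends"]:
        result["diagnosis"] = ("Phase 1 proposal accepted, but the peer never answered Main Mode "
                               f"message 2 after {result['resends']} retransmits: the per-policy "
                               "mismatch lines are benign; check routing/reachability and UDP/500 "
                               "between the peers rather than the ISAKMP policies.")
    else:
        result["diagnosis"] = "Inconclusive from this excerpt; collect the debug on both peers."
    return result


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_DEBUG), ("no-match", SAMPLE_NO_MATCH)):
        r = analyze_isakmp_debug(sample)
        print(f"{name}: accepted={r['proposal_accepted']} resends={r['resends']} "
              f"state={r['failed_state']}\n  {r['diagnosis']}")
```

The key signal in the post's debug is the sequence: proposal accepted, message 2 sent, two RESENDING lines, then the FSM dies in MM_WAIT_MSG3. A responder that gets that far has already agreed on Phase 1 parameters; what it never receives is the initiator's message 3, which points at the path between the peers rather than at the policies.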


4 Replies

nathan demers
Beginner

Additional note:

This line is inaccurate:

     crypto ipsec transform-set Convention esp-aes esp-sha-hmac

Correct line for both FWs:

     crypto ipsec transform-set Convention esp-aes-256 esp-sha-hmac

nathan demers
Beginner

Any thoughts?

nathan demers
Beginner

For everyone else's information, the tunnel information is correct but the routes were incorrect.

My default gateway was bad.

route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1

I was using the outside interface and I needed to send it to the default gateway of the OUTSIDE interface, not the interface itself. So in theory it would be:

route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1

Hope this helps others.
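An added example, not part of the thread: a Python checker for the three things this thread turned on, applied to excerpts of the two posted configs. It flags static routes whose next hop is the firewall's own interface address (the root cause above), lists the ISAKMP policy tuples both sides have in common, and reports crypto-ACL entries that are not mirrored on the far side. The config excerpts are constructed from the post (the 192.168.5.17 line is deliberately left out of the remote excerpt to exercise the mirror check); the posted configs do not include "ip address" lines, so the script takes the local outside address from the far side's "set peer", which is an assumption the caller makes.

```python
import re

# Constructed excerpts of the two configs from the thread (same values as posted, abbreviated).
INTERNAL_CFG = """\
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.19
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.17
crypto map VENDORVPNMAP 251 set peer 9.9.9.9
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
"""

REMOTE_CFG = """\
access-list Convention-l2l-VPN extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.19 10.0.0.0 255.0.0.0
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
crypto map VENDORVPNMAP 251 set peer 5.5.5.5
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
"""

# Corrected remote routes as given in the last reply (next hop 9.9.9.1).
REMOTE_ROUTES_FIXED = """\
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def _net(spec):
    """'host X' -> (X, /32 mask); 'A M' -> (A, M)."""
    tok = spec.split()
    return (tok[1], "255.255.255.255") if tok[0] == "host" else (tok[0], tok[1])


def parse_asa(cfg):
    """Pull crypto ACL entries, static routes, ISAKMP policies and crypto-map peers out of ASA config text."""
    parsed = {"acl": [], "routes": [], "policies": {}, "peers": set()}
    policy = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        m = ACL_RE.match(line)
        if m:
            parsed["acl"].append((m.group(1), _net(m.group(2)), _net(m.group(3))))
        elif tok[0] == "route" and len(tok) >= 5:
            parsed["routes"].append({"iface": tok[1], "dest": tok[2], "mask": tok[3], "nexthop": tok[4]})
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            policy = tok[3]
            parsed["policies"][policy] = {}
        elif policy is not None and tok[0] in POLICY_ATTRS and len(tok) > 1:
            parsed["policies"][policy][tok[0]] = tok[1]
        elif "set peer" in line:
            parsed["peers"].add(tok[-1])
    return parsed


def self_pointing_routes(parsed, own_addrs):
    """Routes whose next hop is one of this firewall's own interface addresses (the thread's bug)."""
    return [r for r in parsed["routes"] if r["nexthop"] in own_addrs]


def common_isakmp_policies(a, b):
    """(auth, enc, hash, group) tuples offered by both sides. Lifetime is excluded because
    the ASA negotiates down to the shorter lifetime instead of failing Phase 1."""
    key = lambda p: (p.get("authentication"), p.get("encryption"), p.get("hash"), p.get("group"))
    return sorted(set(map(key, a["policies"].values())) & set(map(key, b["policies"].values())))


def unmirrored_acl_entries(local, remote):
    """Local crypto-ACL (src, dst) pairs whose (dst, src) mirror is missing on the remote side."""
    mirrored = {(dst, src) for _name, src, dst in remote["acl"]}
    return [(src, dst) for _name, src, dst in local["acl"] if (src, dst) not in mirrored]


if __name__ == "__main__":
    internal, remote = parse_asa(INTERNAL_CFG), parse_asa(REMOTE_CFG)
    # Assumption: the internal side's "set peer" names the remote ASA's own outside address.
    for r in self_pointing_routes(remote, internal["peers"]):
        print("route next hop is the firewall's own address:", r)
    print("common ISAKMP policies:", common_isakmp_policies(internal, remote))
    print("unmirrored crypto ACL entries:", unmirrored_acl_entries(internal, remote))
```

Run against the excerpts this reports all three remote routes as pointing at 9.9.9.9, confirms both sides share the aes-256/sha/group 2 and 3des/sha/group 1 policies, and lists the one ACL entry without a mirror; after the corrected routes from the reply above are substituted the route check returns nothing.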

Hi

Were you able to solve this? May I know how?
