08-27-2013 04:23 PM
I have been struggling with this for the past few days and have made very little headway. I have both sides configured and they are identical in regards to the tunnel. It appears that phase 1 is not completing. I will submit the configs first and then the debug crypto isakmp 127. I used Beyond Compare to compare the differences between them and everything looks good. The items in question are in red. The first mismatch in red seems strange since I have 3 policies and they are identical. The transport is also identical. Where is the mismatch? What am I doing wrong?
Internal ASA Config
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.19
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.17
access-list Convention-l2l-VPN extended permit ip 10.0.0.0 255.0.0.0 host 192.168.5.18
route Outside 0.0.0.0 0.0.0.0 5.5.5.5 1
route Corp 10.0.0.0 255.0.0.0 10.0.3.17 1
route Outside 9.9.9.9 255.255.255.255 5.5.5.5 1
route Outside 192.168.0.0 255.255.240.0 5.5.5.5 1
crypto ipsec transform-set Convention esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP 251 match address Convention-l2l-VPN
crypto map VENDORVPNMAP 251 set peer 9.9.9.9
crypto map VENDORVPNMAP 251 set transform-set Convention
crypto map VENDORVPNMAP 251 set security-association lifetime seconds 3600
crypto map VENDORVPNMAP 251 set security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 ipsec-attributes
pre-shared-key *
Remote Site ASA
access-list Convention-l2l-VPN extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.19 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.17 10.0.0.0 255.0.0.0
access-list Convention-l2l-VPN extended permit ip host 192.168.5.18 10.0.0.0 255.0.0.0
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
route CORP-EVENT 192.168.0.0 255.255.0.0 192.168.0.33 1
crypto ipsec transform-set Convention esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP 251 match address Convention-l2l-VPN
crypto map VENDORVPNMAP 251 set peer 5.5.5.5
crypto map VENDORVPNMAP 251 set transform-set Convention
crypto map VENDORVPNMAP 251 set security-association lifetime seconds 3600
crypto map VENDORVPNMAP 251 set security-association lifetime kilobytes 4608000
crypto map VENDORVPNMAP interface XPOS-INET
crypto isakmp enable XPOS-INET
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
pre-shared-key *****
Debug Crypto Isakmp 127 (from Remote ASA)
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing SA payload
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Oakley proposal is acceptable
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal ver 02 VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal ver 03 VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received NAT-Traversal RFC VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing VID payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Received Fragmentation VID
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, processing IKE SA payload
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 4
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing ISAKMP SA payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing NAT-Traversal VID ver 02 payload
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, constructing Fragmentation VID + extended capabilities payload
Jan 01 20:38:51 [IKEv1]: IP = 5.5.5.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:53 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:54 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:55 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:55 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:57 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:38:57 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:39:01 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:39:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 20:39:01 [IKEv1]: IP = 5.5.5.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:15 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 01 20:39:15 [IKEv1]: IP = 5.5.5.5, P1 Retransmit msg dispatched to MM FSM
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE MM Responder FSM error history (struct &0xac4ff070) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA MM:2d039532 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, sending delete/delete with reason message
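Reading the debug as a whole rather than line by line: the "Mismatched attribute" lines are emitted for every offered/configured policy pair that does not match, and a pair did match ("Oakley proposal is acceptable", "Matches global IKE entry # 4"); the SA then died in MM_WAIT_MSG3 after resending MSG2, meaning the peer's next message never arrived. The Python below is an added example, not from the thread, that encodes that triage over a constructed excerpt of the posted output (peer 5.5.5.5 as in the post).

```python
import re

# Constructed excerpt of the responder-side "debug crypto isakmp 127" output
# quoted in the thread (peer 5.5.5.5), trimmed to the lines that matter.
DEBUG_LOG = """\
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Jan 01 20:38:51 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, Oakley proposal is acceptable
Jan 01 20:38:51 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 4
Jan 01 20:38:51 [IKEv1]: IP = 5.5.5.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 01 20:38:59 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:07 [IKEv1]: IP = 5.5.5.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Jan 01 20:39:15 [IKEv1 DEBUG]: IP = 5.5.5.5, IKE MM Responder FSM error history (struct &0xac4ff070) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2
"""

MISMATCH_RE = re.compile(r"Mismatched attribute types for class (?P<cls>[^:]+): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
# The FSM history is listed newest-first, so the state right after
# "MM_DONE, EV_ERROR-->" is the one the responder was in when it gave up.
FSM_RE = re.compile(r"FSM error history .*?: MM_DONE, EV_ERROR-->(?P<state>MM_\w+)")

def triage_phase1(log: str) -> dict:
    """Classify a responder-side IKEv1 main mode transcript.
    'policy'  - no offered transform matched any configured isakmp policy
    'stalled' - a transform matched and MSG2 went out, but the responder
                died in an MM_WAIT_* state: the peer's reply never arrived,
                so look at routing/reachability, not at the crypto policies
    'ok'      - neither condition seen"""
    mismatches, accepted, resends, last_state = [], False, 0, None
    for line in log.splitlines():
        if m := MISMATCH_RE.search(line):   # one line per (offered, configured) pair tried
            mismatches.append((m["cls"], m["rcvd"], m["cfgd"]))
        if "proposal is acceptable" in line or "Matches global IKE entry" in line:
            accepted = True                 # a pair matched, so earlier mismatches are noise
        if "IKE_DECODE RESENDING" in line:
            resends += 1
        if f := FSM_RE.search(line):
            last_state = f["state"]
    if not accepted:
        verdict = "policy"
    elif last_state and last_state.startswith("MM_WAIT_"):
        verdict = "stalled"
    else:
        verdict = "ok"
    return {"verdict": verdict, "proposal_accepted": accepted,
            "policy_mismatch_lines": len(mismatches),
            "resends": resends, "last_state": last_state}
```

On the posted transcript the verdict is "stalled", which points at the path between the peers rather than at the isakmp policies.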
08-27-2013 04:31 PM
Additional note:
This line is inaccurate:
crypto ipsec transform-set Convention esp-aes esp-sha-hmac
Correct line for both FWs:
crypto ipsec transform-set Convention esp-aes-256 esp-sha-hmac
08-28-2013 07:22 AM
Any thoughts?
08-28-2013 12:06 PM
For everyone else's information, the tunnel information is correct but the routes were incorrect.
My default gateway was bad.
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
I was using the outside interface, and I needed to send it to the default gateway of the OUTSIDE interface, not the interface itself. So in theory it would be:
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1
Hope this helps others.
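The fix above amounts to a rule a config check can enforce. As an added example (not from the thread), the Python below parses ASA static route statements and flags a next hop that is the interface's own address or is off the interface's subnet; the XPOS-INET address 9.9.9.9 is taken from the thread, while the /24 mask is an assumption made for the example.

```python
import ipaddress

# Interface addressing is an assumption for this example: the thread shows the
# remote ASA's XPOS-INET address is 9.9.9.9 (the inside ASA peers with it) but
# never states the mask; /24 is made up here.
INTERFACES = {"XPOS-INET": ipaddress.ip_interface("9.9.9.9/24")}

# The routes from the original post (next hop = the interface's own address)
# and the corrected ones from the follow-up (next hop = upstream gateway).
BAD_ROUTES = """\
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.9 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.9 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.9 1
"""
GOOD_ROUTES = """\
route XPOS-INET 0.0.0.0 0.0.0.0 9.9.9.1 1
route XPOS-INET 10.0.0.0 255.0.0.0 9.9.9.1 1
route XPOS-INET 5.5.5.5 255.255.255.255 9.9.9.1 1
"""

def check_routes(config: str, interfaces: dict) -> list:
    """Return one problem string per 'route IFACE DEST MASK NEXTHOP [METRIC]'
    line whose next hop is unusable: the interface's own address (the thread's
    misconfiguration), or an address outside the interface's subnet."""
    problems = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue                        # not a static route statement
        ifname, dest, mask, nexthop = parts[1], parts[2], parts[3], parts[4]
        iface = interfaces.get(ifname)
        if iface is None:
            problems.append(f"{dest} {mask}: unknown interface {ifname}")
            continue
        hop = ipaddress.ip_address(nexthop)
        if hop == iface.ip:
            problems.append(f"{dest} {mask}: next hop {nexthop} is {ifname}'s own address")
        elif hop not in iface.network:
            problems.append(f"{dest} {mask}: next hop {nexthop} not on {iface.network}")
    return problems
```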
03-05-2019 01:27 AM
Hi
Were you able to solve this? May I know how?