Phase 2 is failing because no matching SA available

AtifKhan17553
Level 1

Hi 

Trying to build a VPN between an ASA and a Juniper FW.

I have an ASA on one end and the other end is a Juniper SRX that sits behind another Juniper FW.

I am using IKEv2 and phase 1 comes up, but phase 2 is failing.

Please can someone help and look at the ASA logs attached to identify the problem? 

Thanks : )

9 Replies

BlakeBratu
Cisco Employee

'IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN

IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN'

Did you change the integrity in your ipsec-proposal to match up to the sha256 value for integrity?

 

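The reply above spots the mismatch by eye (received SHA256 integrity versus the expected SHA96, which is how the ASA prints its sha-1 / HMAC-SHA1-96 integrity option). The following script is an added example, not code from this thread or from Cisco; it parses the "Received Policies" / "Expected Policies" lines of the ASA IKEv2 debug and reports which proposal attributes the two sides disagree on. The embedded debug excerpt is the one quoted in the thread.

```python
import re

# Constructed sample: the "debug crypto ikev2 protocol" excerpt quoted in this
# thread (SA 734), embedded so the script runs offline.
ASA_DEBUG = """\
IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN

IKEv2-PROTO-1: (734): Failed to find a matching policy
IKEv2-PROTO-1: (734): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN
"""

# One ESP proposal line: "<cipher> <integrity> [<DH group>] <ESN choice>"
PROPOSAL_RE = re.compile(r"^ESP: Proposal \d+:\s+(.*?)\s+(Don't use ESN|Use ESN)\s*$")

def parse_policies(debug_text):
    """Return {'received': [...], 'expected': [...]}; each entry is the set of
    attribute tokens of one ESP proposal, e.g. {'AES-CBC-256', 'SHA96', "Don't use ESN"}."""
    out = {"received": [], "expected": []}
    section = None
    for line in debug_text.splitlines():
        if "Received Policies" in line:
            section = "received"
        elif "Expected Policies" in line:
            section = "expected"
        else:
            m = PROPOSAL_RE.match(line.strip())
            if m and section:
                out[section].append(frozenset(m.group(1).split() + [m.group(2)]))
    return out

def phase2_mismatch(debug_text):
    """None if any received proposal exactly matches an expected one (phase 2
    would have negotiated); otherwise the attributes each side has that the
    other lacks, which is what has to be aligned in the ipsec-proposal."""
    pol = parse_policies(debug_text)
    if any(r in pol["expected"] for r in pol["received"]):
        return None
    recv_all = set().union(*pol["received"]) if pol["received"] else set()
    exp_all = set().union(*pol["expected"]) if pol["expected"] else set()
    return {"only_received": sorted(recv_all - exp_all),
            "only_expected": sorted(exp_all - recv_all)}
```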
Hi

Thanks for the reply. I have matched the integrity on both ends, but still the VPN has not come up.

The ASA kind of builds Phase 1 and Phase 2, but on the SRX I don't see any SA and the negotiation keeps failing:

root@CORE-SRX>

ID           Port       Gateway                Pending SAs       Tunnel Down Reason
131073  500       188.84.131.2               1                 No response from peer. Negotiation failed (53 times)

 

On the ASA I see the following error, but I could not understand it :|

length: 256
IKEv2-PROTO-1: A supplied parameter is incorrect
IKEv2-PROTO-1:
IKEv2-PROTO-1: Could not find neg context
IKEv2-PROTO-1: Couldn't find matching SA

 31842079     188.84.131.2/4500   197.168.10.10/15001      READY    RESPONDER

The remote uses the unknown UDP port 15001??
Contact them and correct the port to be 500 or 4500 (if there is NAT).

MHM 

Hi, thanks for the reply.

Let me share my topology for better understanding.

Yes, the ASA FW is the responder and the SRX FW is the one that initiates the VPN negotiation.

IP 197.168.10.10 is the NATed IP, and the FW that initiates the VPN negotiation has the original IP 172.168.12.2.

Following is my NAT configuration.

set security nat source pool ASA-VPN-NAT-POOl address 197.168.10.10/32
set security nat source rule-set my-rule-set from zone TRANSIT-ZONE
set security nat source rule-set my-rule-set to zone untrust
set security nat source rule-set my-rule-set rule r-1 match source-address 172.168.12.2/32
set security nat source rule-set my-rule-set rule r-1 match destination-address 188.84.131.2/32
set security nat source rule-set my-rule-set rule r-1 then source-nat pool ASA-VPN-NAT-POOl

I have checked that NAT is taking place correctly and there is no issue. On my internal SRX I can see that the packets from the ASA [188.84.131.2] on port 4500 are received, but the internal FW is dropping the packets even though I have allowed that flow in the policy. I have included the packet capture from the FW. [SRX-NG-Dropping-UDP4500.txt]

I don't have a lot of info about NAT in Juniper,
but you need static NAT 1:1 or PAT for ports 4500 and 500.
I think using a pool does not keep the UDP port the same.
MHM 

Hi All 

Thanks for your help, I have managed to fix the issue. My core SRX was dropping the traffic for port 4500. I shared the log in my previous post under "SRX-NG-Dropping-UDP4500".

This was due to the IKE protocol not being enabled on the SRX interfaces, so the FW was dropping the traffic.

Actually, in my config I did allow that traffic at the zone level, but I was not aware that I needed to allow the IKE protocol at the interface level of the FW as well.

Config that was not working:

set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

Once I changed the config to the following, it started working:

set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

----------------------------------------------------------------------------------------------------------

Thanks 
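The fix above hinges on how Junos applies host-inbound-traffic: an interface-level system-services list is used instead of the zone-level list, not merged with it, so ge-0/0/1.0 with only "ping" at interface level dropped IKE even though the zone allowed it. The script below is an added example (not from this thread or from Juniper) that computes the effective per-interface services from "set" lines and flags interfaces that would drop IKE. The second interface, ge-0/0/2.0, is constructed to show an interface that inherits the zone list.

```python
import re

# Constructed sample: the TRANSIT-ZONE lines from the "not working" config in
# this thread, plus an invented ge-0/0/2.0 with no interface-level list.
JUNOS_CONFIG = """\
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE host-inbound-traffic system-services ike
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone TRANSIT-ZONE interfaces ge-0/0/2.0
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IFACE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic system-services (\S+))?$")

def effective_services(config_text):
    """Map (zone, interface) -> set of system-services the SRX accepts on that
    interface. Assumes Junos semantics as seen in the thread: an interface with
    its own host-inbound-traffic list does not inherit the zone-level list."""
    zone_svcs, iface_svcs, members = {}, {}, set()
    for line in config_text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:
            zone_svcs.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = IFACE_RE.match(line)
        if m:
            zone, iface, svc = m.groups()
            members.add((zone, iface))
            if svc:
                iface_svcs.setdefault((zone, iface), set()).add(svc)
    return {key: (iface_svcs[key] if key in iface_svcs else zone_svcs.get(key[0], set()))
            for key in members}

def interfaces_blocking(config_text, service="ike"):
    """Interfaces whose effective list lacks `service`; on the interface that
    faces the IKE peer this is exactly the UDP 500/4500 drop seen in the thread."""
    eff = effective_services(config_text)
    return sorted(f"{z}/{i}" for (z, i), svcs in eff.items() if service not in svcs)
```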

You are so so welcome 

Glad my suggestion helped you.

Have a nice weekend 

MHM

We hit something similar:

 

IKEv2-PROTO-2: (903): Failed to find a matching policy
IKEv2-PROTO-2: (903): Received Policies:
ESP: Proposal 1:  AES-CBC-256 SHA512 DH_GROUP_521_ECP/Group 21 Don't use ESN

 

After checking the ipsec-proposal config on the ASA, everything looked good and should have matched.

This was during the usual IKE debugs:

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

In the end it was a simple matter: we were doing a VTI on the ASA and we forgot to configure a tunnel IP address.

interface TunX
 description FarSide-SiteX
 nameif vtiX
 ip address 10.1.1.0 255.255.255.254 <-- We were missing this
 tunnel source interface external
 tunnel destination 1.1.1.X
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PR-FARSIDE
 tunnel protection ipsec policy CACL-FARSIDE
exit