Problem with building vpn L2L

bukan_pss
Beginner

Hello. I updated an ASA5506 from version 9.12(4)10 to 9.14(3)13 and now have a problem building an L2L tunnel.

At phase 2, I get the error:

"Packet may be corrupt... next payload type 129 is invalid"

Dec 11 21:10:19 [IKEv1]IP =  X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f7cbed28) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 80.

Do I understand correctly that the problem is somewhere in DWR (129)? What is it?

There were no problems before the update.

IKEv1 and IPsec settings:

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Cut from the log:


Dec 11 21:10:19 [IKEv1]IKE Receiver: Packet received on Y.Y.Y.Y:4500 from X.X.X.X:4500


IKEv1 Recv RAW packet dump
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7 | ..F\B.;.MU.3....
08 10 05 01 f7 cb ed 28 00 00 00 54 3e 44 22 c2 | .......(...T>D".
e6 f5 97 40 17 84 63 14 26 21 e5 13 83 93 cd 0d | ...@..c.&!......
dd b9 d2 b1 7c 21 ec e5 dc e8 a4 88 78 7f cf d9 | ....|!........
d7 df 51 9b 18 67 67 29 6e 35 b1 c6 4a 96 16 25 | ..Q..gg)n5..J..%
05 d9 a5 de | ....

RECV PACKET from X.X.X.X
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 7A9BD8AD
Length: 84

AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 7A9BD8AD
Length: 84
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 20
Data:
1e 1d 37 c5 af fd 1a a8 96 83 2c d8 d4 a4 82 3f
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 16
Notify Type: NO_PROPOSAL_CHOSEN
SPI:
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7
Data: 36 47 23 8e
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=7a9bd8ad) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Received non-routine Notify message: No proposal chosen (14)

RECV PACKET from X.X.X.X
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F7CBED28
Length: 84

AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F7CBED28
Length: 84

Packet may be corrupt... next payload type 129 is invalid
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f7cbed28) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 80
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing delete with reason payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Peer Terminate, Phase-2 Proposal Mismatch. Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 163840
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 MIB Table succeeded for SA with logical ID 163840
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec delete with reason payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Sending IPSec Delete With Reason message: Phase-2 Proposal Mismatch.
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=bda9ea94) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 68

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7 | ..F\B.;.MU.3....
08 10 05 00 94 ea a9 bd 1c 00 00 00 81 00 00 14 | ................
73 e9 be fc 39 6b 79 70 be 64 ac a3 f0 4c 7c ac | s...9kyp.d...L|.
00 00 00 14 00 00 00 01 03 04 00 01 00 00 00 0a | ................
d2 1e 0e 11 | ....

ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: BDA9EA94
Length: 28

Packet may be corrupt... next payload type 129 is invalid

ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: BDA9EA94
Length: 68
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 10.77.16.0, Local Proxy 172.26.0.0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:5c468ab5 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Phase 2 Mismatch
Dec 11 21:10:19 [IKEv1]Ignoring msg to mark SA with dsID 163840 dead because SA deleted
Dec 11 21:10:19 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xd21e0e11
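To see what the "next payload type 129 is invalid" decoder message is actually saying, it helps to walk an ISAKMP payload chain by hand. The following is an added example, not code from this thread or from Cisco. It parses the RFC 2408 header and generic payload headers, classifies each Next Payload value as standard, reserved (14-127) or private use (128-255), and refuses to walk the chain while the Encryption flag is set. RECEIVED_PACKET is the raw dump quoted above; SENT_PACKET is constructed from the decode the ASA printed for its own "Delete With Reason" message (same cookies, msgid BDA9EA94, length 68, HASH followed by payload type 129) and is written in network byte order as the RFC requires, whereas the ASA's pre-encryption dump prints msgid and length in host order, so those bytes look different in the thread. The "DWR" name is the ASA's own label for its vendor payload; a generic decoder can only report type 129 as private use.

```python
"""Decode an ISAKMP (IKEv1) header and walk the payload chain.

Added example; not code from the Cisco thread or from Cisco. See the
lead-in for where RECEIVED_PACKET and SENT_PACKET come from.
"""
import struct

# Next Payload values from RFC 2408 section 3.1. 14-127 are reserved and
# 128-255 are private use, so a generic decoder cannot name type 129; the
# "DWR" label in the thread is the ASA's own name for its vendor payload.
STANDARD_PAYLOADS = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
    6: "CERT", 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE",
    11: "NOTIFY", 12: "DELETE", 13: "VENDOR_ID",
}
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
FLAG_ENCRYPTION = 0x01                   # RFC 2408 section 3.1, bit 0 of Flags
HEADER = struct.Struct("!8s8sBBBBII")    # cookies, NP, version, exch, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")      # next payload, reserved, payload length

# From the thread's "IKEv1 Recv RAW packet dump" (Encryption flag set).
RECEIVED_PACKET = bytes.fromhex("""
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7
08 10 05 01 f7 cb ed 28 00 00 00 54 3e 44 22 c2
e6 f5 97 40 17 84 63 14 26 21 e5 13 83 93 cd 0d
dd b9 d2 b1 7c 21 ec e5 dc e8 a4 88 78 7f cf d9
d7 df 51 9b 18 67 67 29 6e 35 b1 c6 4a 96 16 25
05 d9 a5 de
""")
# Constructed in network byte order from the ASA's decode of its outgoing
# "Delete With Reason" message (header, HASH payload, payload type 129).
SENT_PACKET = bytes.fromhex("""
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7
08 10 05 00 bd a9 ea 94 00 00 00 44 81 00 00 14
73 e9 be fc 39 6b 79 70 be 64 ac a3 f0 4c 7c ac
00 00 00 14 00 00 00 01 03 04 00 01 00 00 00 0a
d2 1e 0e 11
""")


def classify_payload_type(ptype):
    """Standard (RFC 2408), reserved (14-127) or private use (128-255)."""
    if ptype in STANDARD_PAYLOADS:
        return "standard"
    if 14 <= ptype <= 127:
        return "reserved"
    return "private-use"


def parse_isakmp(data):
    """Return (header, payloads). The chain is only walked when the E flag is clear."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, np, version, exch, flags, msgid, length = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes on the wire")
    header = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION), "msgid": msgid,
        "length": length, "next_payload": np,
    }
    payloads = []
    if header["encrypted"]:
        return header, payloads          # payload bytes are ciphertext; nothing to walk
    offset, ptype = HEADER.size, np
    while ptype != 0:
        if offset + GENERIC_HDR.size > length:
            raise ValueError(f"payload header at offset {offset} runs past the message end")
        nxt, _reserved, plen = GENERIC_HDR.unpack_from(data, offset)
        if plen < GENERIC_HDR.size or offset + plen > length:
            raise ValueError(f"payload type {ptype} at offset {offset} has bad length {plen}")
        payloads.append({
            "type": ptype,
            "name": STANDARD_PAYLOADS.get(ptype, f"PRIVATE_{ptype}"),
            "class": classify_payload_type(ptype),
            "length": plen,
            "body": data[offset + GENERIC_HDR.size:offset + plen],
        })
        offset, ptype = offset + plen, nxt
    if offset != length:
        raise ValueError(f"{length - offset} trailing bytes after the last payload")
    return header, payloads


def payload_summary(payloads):
    """Same shape as the ASA's 'HDR + HASH (8) + ... + NONE (0)' log line."""
    parts = ["HDR"] + [f"{p['name']} ({p['type']})" for p in payloads] + ["NONE (0)"]
    return " + ".join(parts)


if __name__ == "__main__":
    for label, pkt in (("received", RECEIVED_PACKET), ("sent", SENT_PACKET)):
        hdr, payloads = parse_isakmp(pkt)
        print(f"{label}: msgid={hdr['msgid']:08X} len={hdr['length']} "
              f"exch={hdr['exchange']} encrypted={hdr['encrypted']}")
        print("  " + (payload_summary(payloads) if not hdr["encrypted"]
                      else "payloads encrypted; decrypt before walking the chain"))
        for p in payloads:
            print(f"  type {p['type']:3d} {p['name']:<12} {p['class']:<11} body={p['body'].hex()}")
```

Running it shows the sent message decoding as HDR + HASH (8) + PRIVATE_129 (129) + NONE (0), with the last four bytes of the private payload equal to the SPI 0xd21e0e11 that the final log line above deletes. The decoder complaint is therefore about a vendor payload type it cannot name, not about corruption on the wire; the operative failure is the earlier NO_PROPOSAL_CHOSEN notify and the "Phase-2 Proposal Mismatch" reason, which is what the accepted answer addresses.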

Accepted Solution

Rob Ingram
VIP Master

@bukan_pss in newer ASA software versions, the old insecure encryption, hashing and DH algorithms have been deprecated. Use AES, SHA and Group 14 - you will obviously need to mirror these changes on the remote peer device.


You can determine exactly what algorithms are supported in ASA version 9.14 using the following link.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-ike.html

 

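One way to check a configuration for the algorithms the answer above says to replace, as an added example that is not part of this thread or of Cisco's tooling: the script below reads the poster's ASA lines (SAMPLE_CONFIG is the configuration quoted in the question) and flags the IKEv1 policy and transform-set tokens that match a deny list, proposing AES-256, SHA and DH group 14 in their place. The entries for 3DES, MD5 and group 2 follow the answer; the entries for DES and groups 1 and 5 are my assumptions and are labelled as such in the table, so adjust the list to the release notes of the ASA version you run. The hardened output keeps the original transform-set name (ESP-3DES-MD5), which is now misleading; renaming it and updating the crypto map reference is left to the administrator, and the peer must be changed to match.

```python
"""Flag deprecated IKEv1 / IPsec algorithms in ASA configuration lines.

Added example; not code from the thread or from Cisco. SAMPLE_CONFIG is the
configuration posted in the question. DEPRECATED lists which entries come
from the accepted answer and which are assumptions.
"""
import re

SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# (kind, value) -> (replacement, provenance). "thread" entries follow the
# accepted answer (use AES, SHA, Group 14); "assumption" entries are mine.
DEPRECATED = {
    ("encryption", "3des"): ("aes-256", "thread: old encryption deprecated, use AES"),
    ("encryption", "des"): ("aes-256", "assumption: single DES is weaker than 3DES"),
    ("hash", "md5"): ("sha", "thread: use SHA"),
    ("group", "2"): ("14", "thread: use Group 14"),
    ("group", "1"): ("14", "assumption: smaller than group 2"),
    ("group", "5"): ("14", "assumption: below group 14"),
    ("transform", "esp-3des"): ("esp-aes-256", "thread: use AES"),
    ("transform", "esp-des"): ("esp-aes-256", "assumption: single DES"),
    ("transform", "esp-md5-hmac"): ("esp-sha-hmac", "thread: use SHA"),
}

POLICY_RE = re.compile(r"(encryption|hash|group)\s+(\S+)$")
TRANSFORM_RE = re.compile(r"(crypto ipsec ikev1 transform-set \S+)((?:\s+\S+)+)$")


def _rewrite_line(line, in_policy):
    """Return (rewritten line, hits) where each hit is (kind, value, replacement, why)."""
    hits = []
    m = TRANSFORM_RE.match(line)
    if m:
        tokens = []
        for tok in m.group(2).split():
            rep = DEPRECATED.get(("transform", tok))
            if rep:
                hits.append(("transform", tok) + rep)
                tokens.append(rep[0])
            else:
                tokens.append(tok)
        return m.group(1) + " " + " ".join(tokens), hits
    m = POLICY_RE.match(line) if in_policy else None
    if m:
        rep = DEPRECATED.get((m.group(1), m.group(2)))
        if rep:
            hits.append((m.group(1), m.group(2)) + rep)
            return f"{m.group(1)} {rep[0]}", hits
    return line, hits


def _walk(text):
    """Yield (lineno, original line, rewritten line, hits), tracking policy blocks."""
    in_policy = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("crypto ikev1 policy"):
            in_policy = True           # following encryption/hash/group lines belong to it
        elif line.startswith("crypto "):
            in_policy = False
        new, hits = _rewrite_line(line, in_policy)
        yield lineno, line, new, hits


def audit_ikev1_config(text):
    """List every deprecated token with its line number and suggested replacement."""
    return [{"line": n, "text": line, "kind": k, "value": v, "replacement": r, "why": w}
            for n, line, _new, hits in _walk(text) for k, v, r, w in hits]


def harden_ikev1_config(text):
    """Return the configuration with deprecated tokens replaced (indentation flattened)."""
    return "\n".join(new for _n, _line, new, _hits in _walk(text))


if __name__ == "__main__":
    for f in audit_ikev1_config(SAMPLE_CONFIG):
        print(f"line {f['line']:2d}: {f['kind']} {f['value']} -> {f['replacement']}  ({f['why']})")
    print("\n--- hardened ---")
    print(harden_ikev1_config(SAMPLE_CONFIG))
```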

2 Replies

Thank you.