12-11-2021 10:44 AM
Hello. I updated an ASA5506 from version 9.12(4)10 to 9.14(3)13 and got a problem building the L2L tunnel.
At phase 2, I get the error:
"Packet may be corrupt... next payload type 129 is invalid"
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f7cbed28) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 80.
Do I understand correctly that the problem is somewhere in DWR (129)? What is it?
There were no problems before the update.
IKEv1 and IPsec settings:
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association replay window-size 1024
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
Excerpt from the log:
Dec 11 21:10:19 [IKEv1]IKE Receiver: Packet received on Y.Y.Y.Y:4500 from X.X.X.X:4500
IKEv1 Recv RAW packet dump
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7 | ..F\B.;.MU.3....
08 10 05 01 f7 cb ed 28 00 00 00 54 3e 44 22 c2 | .......(...T>D".
e6 f5 97 40 17 84 63 14 26 21 e5 13 83 93 cd 0d | ...@..c.&!......
dd b9 d2 b1 7c 21 ec e5 dc e8 a4 88 78 7f cf d9 | ....|!........
d7 df 51 9b 18 67 67 29 6e 35 b1 c6 4a 96 16 25 | ..Q..gg)n5..J..%
05 d9 a5 de | ....
RECV PACKET from X.X.X.X
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 7A9BD8AD
Length: 84
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 7A9BD8AD
Length: 84
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 20
Data:
1e 1d 37 c5 af fd 1a a8 96 83 2c d8 d4 a4 82 3f
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 32
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 16
Notify Type: NO_PROPOSAL_CHOSEN
SPI:
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7
Data: 36 47 23 8e
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=7a9bd8ad) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Received non-routine Notify message: No proposal chosen (14)
RECV PACKET from X.X.X.X
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F7CBED28
Length: 84
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F7CBED28
Length: 84
Packet may be corrupt... next payload type 129 is invalid
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f7cbed28) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 80
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing delete with reason payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Peer Terminate, Phase-2 Proposal Mismatch. Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 163840
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 MIB Table succeeded for SA with logical ID 163840
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec delete with reason payload
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Sending IPSec Delete With Reason message: Phase-2 Proposal Mismatch.
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Dec 11 21:10:19 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=bda9ea94) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 68
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
b5 8a 46 5c 42 db 3b e2 4d 55 1c 33 db c6 b0 a7 | ..F\B.;.MU.3....
08 10 05 00 94 ea a9 bd 1c 00 00 00 81 00 00 14 | ................
73 e9 be fc 39 6b 79 70 be 64 ac a3 f0 4c 7c ac | s...9kyp.d...L|.
00 00 00 14 00 00 00 01 03 04 00 01 00 00 00 0a | ................
d2 1e 0e 11 | ....
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: BDA9EA94
Length: 28
Packet may be corrupt... next payload type 129 is invalid
ISAKMP Header
Initiator COOKIE: b5 8a 46 5c 42 db 3b e2
Responder COOKIE: 4d 55 1c 33 db c6 b0 a7
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: BDA9EA94
Length: 68
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 10.77.16.0, Local Proxy 172.26.0.0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!
Dec 11 21:10:19 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:5c468ab5 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
Dec 11 21:10:19 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Phase 2 Mismatch
Dec 11 21:10:19 [IKEv1]Ignoring msg to mark SA with dsID 163840 dead because SA deleted
Dec 11 21:10:19 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xd21e0e11
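The following is an added example, not code from the original post or from Cisco: it walks the ISAKMP payload chain of the pre-encryption "RAW PACKET DUMP on SEND" shown in the log above. It shows that payload type 129 is simply in the RFC 2408 private-use range (128-255), which is why the generic decoder prints "next payload type 129 is invalid" even though the chain parses cleanly to the advertised length of 68, and that the DWR body carries the SPI 0xd21e0e11 named in the last log line. The placement of the 4-byte reason field inside the DWR body is an assumption read off the dump, not a documented format.

```python
import struct

# Bytes copied from the page's pre-encryption send dump. The ASA prints the
# header in host byte order, so message ID and length read little-endian here
# (1c 00 00 00 = 28, the header-only length before the payloads were counted).
SEND_DUMP = bytes.fromhex(
    "b58a465c42db3be24d551c33dbc6b0a7"          # initiator + responder cookies
    "08100500" "94eaa9bd" "1c000000"            # next=HASH, v1.0, INFO, flags, msgid, len
    "81000014" "73e9befc396b7970be64aca3f04c7cac"   # HASH payload, next=129
    "00000014" "00000001" "0304" "0001" "0000000a" "d21e0e11"  # DWR payload, next=NONE
)

PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 11: "NOTIFY", 12: "DELETE"}

def payload_name(ptype: int) -> str:
    """Name a next-payload type; 128-255 is private use per RFC 2408 section 3.1."""
    if ptype in PAYLOAD_NAMES:
        return PAYLOAD_NAMES[ptype]
    if 128 <= ptype <= 255:
        return f"PRIVATE({ptype})"   # the ASA labels 129 as DWR (Delete With Reason)
    return f"UNKNOWN({ptype})"

def parse_chain(pkt: bytes) -> list:
    """Return [(name, length, body)] for every generic payload after the 28-byte header."""
    next_type = pkt[16]             # Next Payload byte of the ISAKMP header
    off = 28
    chain = []
    while next_type != 0 and off + 4 <= len(pkt):
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        chain.append((payload_name(next_type), plen, pkt[off + 4:off + plen]))
        next_type, off = nxt, off + plen
    return chain

def parse_dwr(body: bytes) -> dict:
    """Decode the DWR body as Delete fields (DOI, proto, SPI size, #SPIs) plus an
    assumed 4-byte reason code, followed by the SPIs."""
    doi, proto, spi_size, n_spi, reason = struct.unpack("!IBBHI", body[:12])
    spis = [body[12 + i * spi_size:12 + (i + 1) * spi_size].hex() for i in range(n_spi)]
    return {"doi": doi, "proto": proto, "reason": reason, "spis": spis}

def total_length(pkt: bytes) -> int:
    """Header plus the sum of payload lengths; should match the post-encryption Length: 68."""
    return 28 + sum(plen for _, plen, _ in parse_chain(pkt))

if __name__ == "__main__":
    for name, plen, _ in parse_chain(SEND_DUMP):
        print(f"{name:<14} len={plen}")
    print(parse_dwr(parse_chain(SEND_DUMP)[1][2]), "total", total_length(SEND_DUMP))
```

Reason code 10 in the decoded body lines up with the "Phase-2 Proposal Mismatch" text the ASA logs, and the NO_PROPOSAL_CHOSEN notify received just before it is the actual cause; the "may be corrupt" line is only the decoder not knowing the private payload type.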
12-11-2021 11:02 AM - edited 12-11-2021 11:04 AM
@bukan_pss in newer ASA software versions, the old insecure encryption, hashing and DH algorithms have been deprecated. Use AES, SHA and Group 14 - you will obviously need to mirror these changes on the remote peer device.
You can determine exactly what algorithms are supported in ASA version 9.14 using the following link.
12-11-2021 11:04 AM
Thank you.