12-23-2011 12:32 PM - edited 02-21-2020 05:47 PM
I am trying to set up an ASA to accept an IPSEC connection from a MS VPN client. I followed the setup as outlined in Cisco DOC id #71028. I am getting console output that sees the client trying to connect -
Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 23 2011 14:23:22: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1
I have verified I am using the right passphrase. Since this is failing at phase 1, I would think I have a passphrase problem, but I have verified I am using the same passphrase on both ends.
Here is the ipsec config from the ASA -
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 165.221.64.58 165.221.66.146
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value mydomain
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
I am setting up the MS VPN client and have tried several different configurations with no luck. If anyone knows of a document that shows how to setup the MS VPN client to work with the above mentioned Cisco config, I would appreciate a link to the doc. I would prefer to be using Anyconnect but no money in the budget for the licensing.
Since first posting this message, I have also tried the Shrew IPSEC client, and I can get past the phase 1 failure, which would indicate a problem with the MS VPN client (no surprise there).
Thanks,
Ron
12-23-2011 01:50 PM
Looks like I have found some explanation for the problem -
Dec 23 2011 15:46:28: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
After doing some digging, I found this link - http://www.firewall.cx/forum/1-design-installation-a-troubleshooting/33635-asa-5505-vpn-problem.html
It appears that the error I am getting refers to a problem with the MS VPN client not supporting Diffie-Hellman group 2. I tried other DH version numbers and ran into the same error, but with different numbers.
Anybody gotten the MS VPN Client to work?
12-23-2011 02:19 PM
Hi
Can you try once: remove vpn-tunnel-protocol IPSec l2tp-ipsec and use just vpn-tunnel-protocol l2tp-ipsec?
Thanks
Ajay
12-23-2011 02:28 PM
Didn't make any difference. Still seeing the error -
Dec 23 2011 16:26:19: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
I have been doing some digging and it looks like the MS VPN client doesn't use Diffie-Hellman. I found this link - http://www.draytek.com/user/SupportAppnotesDetail.php?ID=144 - that is supposed to be how to get MS to use DH on VPN connections. Have been working with that for a while and no luck. With my luck, Windows 7 64-bit needs something different to get it to play nice with DH.
12-23-2011 02:49 PM
One more try: please change the isakmp policy and use hash sha1.
I hope this will solve it.
12-27-2011 04:58 AM
Ajay:
Just had a chance to try this. We were closed for Christmas and just got back in this morning.
Changing the ISAKMP policy made no difference. Still seeing the following on the console screen -
Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 27 2011 06:55:21: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1
What I can find is still pointing me in the direction of the MS VPN client not being configured to use Diffie-Hellman. I have also been talking to TAC on this and have made zero progress there. No one in TAC seems to know how to get the MS client to work.
Thanks for your help. Still looking for a way to get this to work. There must be others who have gotten this to work.
Ron
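The console lines quoted throughout this thread show a recurring triage problem with ASA IKE Phase 1 logging: the %ASA-5-713257 message names the attribute class the peer proposed versus what the ASA has configured, but it does not carry the peer's address; that only appears in the %ASA-3-713048 line that follows. The script below is an added example, not part of this thread or any Cisco tool, that pairs the two messages so each Phase 1 mismatch is attributed to a peer and the distinct (class, received, configured) combinations are counted. The sample log is constructed for the example, modelled on the lines posted above; the "Hash Alg" line and the 192.0.2.77 peer are invented to show a second kind of mismatch and are not from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the ASA console output quoted in the
# thread. The "Hash Alg" mismatch and the 192.0.2.77 peer are invented to
# exercise a second attribute class; they are not from the original posts.
SAMPLE_LOG = """\
Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Dec 23 2011 14:23:22: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1
Dec 23 2011 14:25:01: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Hash Alg: Rcv'd: SHA Cfg'd: MD5
Dec 23 2011 14:25:01: %ASA-3-713048: IP = 192.0.2.77, Error processing payload: Payload ID: 1
Dec 23 2011 14:26:10: %ASA-6-302013: Built inbound TCP connection 12 for Outside:192.0.2.9/51234
"""

# 713257: which attribute class failed to match, what was received, what is configured.
MISMATCH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-713257: "
    r"Phase (?P<phase>\d) failure: Mismatched attribute types for class "
    r"(?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+?)\s*$"
)
# 713048: the only message in the sequence that names the peer address.
PAYLOAD_ERR_RE = re.compile(
    r"^(?P<ts>.+?): %ASA-\d-713048: IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"Error processing payload"
)


def parse_phase1_failures(log_text):
    """Return one dict per 713257 line, with the peer IP taken from the next
    713048 line. A mismatch the log ends on, before any 713048, keeps peer=None."""
    events = []
    pending = []  # mismatches seen since the last 713048 line
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            pending.append({
                "ts": m["ts"], "phase": int(m["phase"]), "cls": m["cls"],
                "rcvd": m["rcvd"], "cfgd": m["cfgd"], "peer": None,
            })
            continue
        m = PAYLOAD_ERR_RE.match(line)
        if m and pending:
            for ev in pending:
                ev["peer"] = m["ip"]
            events.extend(pending)
            pending = []
    events.extend(pending)  # never attributed to a peer
    return events


def summarize_by_peer(events):
    """peer -> Counter of (class, received, configured) tuples.
    The ASA logs one 713257 per rejected proposal, so the count tells you how
    many transforms the client offered that the policy could not match."""
    summary = defaultdict(Counter)
    for ev in events:
        key = (ev["cls"], ev["rcvd"], ev["cfgd"])
        summary[ev["peer"] or "unknown-peer"][key] += 1
    return summary


if __name__ == "__main__":
    for peer, counter in summarize_by_peer(parse_phase1_failures(SAMPLE_LOG)).items():
        print(peer)
        for (cls, rcvd, cfgd), n in counter.most_common():
            print(f"  {n}x {cls}: peer offered {rcvd!r}, ASA configured {cfgd!r}")
```

Run against a captured console buffer or a syslog export (`parse_phase1_failures(open(path).read())`); a peer whose only entries are "Group Description: Unknown vs Group 2", as in this thread, is proposing a DH group the ASA's isakmp policy does not list, which is a policy question rather than a pre-shared-key one.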