Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
0
Helpful
2
Replies

S2S VPN version 2 mismatch

kostasthedelegate
Level 4
Level 4

‎03-26-2021 01:47 AM

Hello, 

 

I have an ASA 5506 9.8(4)25 and I am trying to establish a S2S with IBM. 

I pass the phase 1 but I get a message for phase 2 

 

We have agreed with Peer about the algorithms but I get the following output:

Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, All IPSec SA proposals found unacceptable!

Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, QM FSM error (P2 struct &0x00007f2acaadbb70, mess id 0x20a66dec)!
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE QM Responder FSM error history (struct &0x00007f2acaadbb70)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, sending delete/delete with reason message
Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE SA MM:d9244bbd rcv'd Terminate: state MM_ACTIVE  flags 0x00018042, refcnt 1, tuncnt 0
Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 187895808
Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Remove from IKEv1 MIB Table succeeded for SA with logical ID 187895808
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE SA MM:d9244bbd terminating:  flags 0x01018002, refcnt 0, tuncnt 0
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, sending delete/delete with reason message
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing blank hash payload
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing IKE delete payload
Mar 26 09:25:58 [IKEv1 DEBUG]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing qm hash payload
Mar 26 09:25:58 [IKEv1]IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=459cddee) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Mar 26 09:25:58 [IKEv1]Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Session is being torn down. Reason: Phase 2 Mismatch
Mar 26 09:25:58 [IKEv1]Ignoring msg to mark SA with dsID 187895808 dead because SA deleted

Any clue what might be wrong?

 

Thanks and regards, 

Konstantinos

Labels:
0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎03-26-2021 01:54 AM

Hi, Check if PFS is enabled or disabled on both ends. You could aso check you are both using ESP and the same tunnel mode (tunnel/transport).

 

0 Helpful

kostasthedelegate
Level 4
Level 4

‎03-28-2021 10:20 PM

Hello, 

 

The phase 2 mismatch was the sha algorithm. 

 

It is up now

0 Helpful
Customers Also Viewed These Support Documents