Site to Site Phase 2 issue - Unknown identification type, Phase 2, Type 7

FAmore555
Level 1

Hi Everyone!

I'm trying to get a tunnel up between a 5520 ASA & a Cisco RV325 WAN VPN Router and am having issues getting this tunnel up. I hope someone can shed some light on what this message means. Any help is appreciated, thanks!

Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing SA payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, Oakley proposal is acceptable
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, Received DPD VID
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing IKE SA payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 18
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing ISAKMP SA payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing ke payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing ISA_KE payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, processing nonce payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing ke payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing nonce payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing Cisco Unity VID payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing xauth V6 VID payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, Send IOS VID
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, constructing VID payload
Aug 28 16:16:24 [IKEv1 DEBUG]IP = X.X.X.X, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Generating keys for Responder...
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing ID payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing hash payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing dpd vid payload
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, Keep-alive type for this connection: DPD
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Starting P1 rekey timer: 15648 seconds.
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 42242048
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 MIB Table succeeded for SA with logical ID 42242048
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f743418a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing SA payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing nonce payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Received remote IP Proxy Subnet data in ID Payload: Address X.X.X.X, Mask 255.255.255.0, Protocol 0, Port 0
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Unknown identification type, Phase 2, Type 7
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Error processing payload: Payload ID: 5
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0x76cb2118, mess id 0xf743418a)!
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE QM Responder FSM error history (struct &0x76cb2118) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:caee9596 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 42242048
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 MIB Table succeeded for SA with logical ID 42242048
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:caee9596 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IKE delete payload
Aug 28 16:16:24 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=89bca91a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Warning: Ignoring IKE SA (src) without VM bit set
Aug 28 16:16:24 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Unknown
Aug 28 16:16:24 [IKEv1]IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
Aug 28 16:16:34 [IKEv1]IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
Aug 28 16:16:54 [IKEv1]IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
Aug 28 16:17:34 [IKEv1]IP = X.X.X.X, Received encrypted packet with no matching SA, dropping

1 Reply

Hi,
Check the interesting traffic ACL on both ends and confirm they match, check to see if you have identical settings in the transform set, and confirm that you have a NAT exemption rule configured.

HTH
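
A triage sketch for the debug output in the question, added here as an example and not part of either post: it reads ASA IKEv1 debug lines, records the Phase 2 proxy IDs that were accepted, and names the rejected ID type from the IPsec DOI table (RFC 2407), where type 7 is ID_IPV4_ADDR_RANGE. The sample lines are constructed in the page's log format with documentation addresses standing in for the redacted X.X.X.X, and `triage` is a hypothetical helper name.

```python
import re

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
IPSEC_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# Constructed sample: lines in the format of the debug output above, with
# documentation addresses in place of the redacted X.X.X.X values.
SAMPLE_LOG = """\
Aug 28 16:16:24 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Aug 28 16:16:24 [IKEv1]IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=f743418a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
Aug 28 16:16:24 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 28 16:16:24 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Unknown identification type, Phase 2, Type 7
Aug 28 16:16:24 [IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x76cb2118, mess id 0xf743418a)!
"""

PEER = re.compile(r"IP = ([^,]+),")
PROXY = re.compile(r"Received (\w+) IP Proxy (\w+) data in ID Payload:\s+Address ([^,]+), Mask ([^,]+)")
UNKNOWN_ID = re.compile(r"Unknown identification type, Phase (\d), Type (\d+)")
QM_ERR = re.compile(r"QM FSM error .*mess id (0x[0-9a-fA-F]+)")

def triage(log_text):
    """Per peer: did Phase 1 finish, which proxy IDs parsed, which ID type was rejected."""
    peers = {}
    for line in log_text.splitlines():
        peer = PEER.search(line)
        if not peer:
            continue
        state = peers.setdefault(peer.group(1), {
            "phase1_completed": False, "proxy_ids": [],
            "rejected_id": None, "qm_failed_msgid": None})
        if "PHASE 1 COMPLETED" in line:
            state["phase1_completed"] = True
        if (m := PROXY.search(line)):
            state["proxy_ids"].append(m.groups())  # (side, form, address, mask)
        if (m := UNKNOWN_ID.search(line)):
            id_type = int(m.group(2))
            state["rejected_id"] = (int(m.group(1)), id_type,
                                    IPSEC_ID_TYPES.get(id_type, "unassigned"))
        if (m := QM_ERR.search(line)):
            state["qm_failed_msgid"] = m.group(1)
    return peers

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A rejected ID_IPV4_ADDR_RANGE means that selector arrived as an address range rather than the subnet form logged for the other ID payload, which is the place to start when comparing the interesting-traffic definitions on the two ends.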