
Unable to connect to ikev1 ipsec on ASA 5512

mttciscoadmin
Level 1

Hello,

We are in the process of upgrading our Cisco ASA 5510 running 8.2(5)55 to a 5512 running 9.8(2) and are having some issues connecting to our remote access VPN with certain clients. The majority of our clients are running Shrew Soft, which is not having issues connecting to the new firewall. However, we are having issues connecting using racoon from the built-in VPN utility on both Android and Mac.

The setup has not changed on our ASA but we are showing fragmented packets in our debug when connecting to the new firewall. Below is an example of a successful attempt to the older firewall and a failed attempt to the new one.


Passed

10-13 08:31:38.850   vpn 10993 10993 D racoon  : Waiting for control socket
10-13 08:31:39.027   vpn 10993 10993 D racoon  : Received 11 arguments
10-13 08:31:39.027   vpn 10993 10993 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
10-13 08:31:39.063   vpn 10993 10993 I racoon  : 192.168.10.198[500] used as isakmp port (fd=7)
10-13 08:31:39.063   vpn 10993 10993 I racoon  : 192.168.10.198[500] used for NAT-T
10-13 08:31:39.063   vpn 10993 10993 I racoon  : 192.168.10.198[4500] used as isakmp port (fd=8)
10-13 08:31:39.063   vpn 10993 10993 I racoon  : 192.168.10.198[4500] used for NAT-T
10-13 08:31:39.064   vpn 10993 10993 I racoon  : initiate new phase 1 negotiation: 192.168.10.198[500]<=>x.x.x.246[500]
10-13 08:31:39.064   vpn 10993 10993 I racoon  : begin Identity Protection mode.
10-13 08:31:39.245   vpn 10993 10993 I racoon  : received Vendor ID: RFC 3947
10-13 08:31:39.245   vpn 10993 10993 I racoon  : received broken Microsoft ID: FRAGMENTATION
10-13 08:31:39.245   vpn 10993 10993 I racoon  : Selected NAT-T version: RFC 3947
10-13 08:31:39.247   vpn 10993 10993 I racoon  : Hashing x.x.x.246[500] with algo #1 
10-13 08:31:39.247   vpn 10993 10993 I racoon  : Hashing 192.168.10.198[500] with algo #1 
10-13 08:31:39.247   vpn 10993 10993 I racoon  : Adding remote and local NAT-D payloads.
10-13 08:31:39.260   vpn 10993 10993 I racoon  : received Vendor ID: CISCO-UNITY
10-13 08:31:39.260   vpn 10993 10993 I racoon  : received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
10-13 08:31:39.260   vpn 10993 10993 I racoon  : Hashing 192.168.10.198[500] with algo #1 
10-13 08:31:39.260   vpn 10993 10993 I racoon  : NAT-D payload #0 doesn't match
10-13 08:31:39.260   vpn 10993 10993 I racoon  : Hashing x.x.x.246[500] with algo #1 
10-13 08:31:39.260   vpn 10993 10993 I racoon  : NAT-D payload #1 verified
10-13 08:31:39.260   vpn 10993 10993 I racoon  : NAT detected: ME 
10-13 08:31:39.260   vpn 10993 10993 I racoon  : KA list add: 192.168.10.198[4500]->x.x.x.246[4500]
10-13 08:31:39.382   vpn 10993 10993 I racoon  : received Vendor ID: DPD
10-13 08:31:39.383   vpn 10993 10993 W racoon  : unable to get certificate CRL(3) at depth:0 SubjectName:/L=YYYYYY/ST=YYY/C=YYY/O=YYYY/OU=YYYY/CN=YYYY
10-13 08:31:39.383   vpn 10993 10993 W racoon  : unable to get certificate CRL(3) at depth:1 SubjectName:/CN=YYYYY
10-13 08:31:39.392   vpn 10993 10993 I racoon  : ISAKMP-SA established 192.168.10.198[4500]-x.x.x.246[4500] spi:cff99fd2384335e5:9095a550c2427d41
10-13 08:31:40.682   vpn 10993 10993 I racoon  : XAUTH Message: 'Enter Username and Password.'.
10-13 08:31:42.844   vpn 10993 10993 W racoon  : Ignored attribute UNITY_SPLITDNS_NAME
10-13 08:31:42.844   vpn 10993 10993 W racoon  : Ignored attribute APPLICATION_VERSION
10-13 08:31:43.967   vpn 10993 10993 I racoon  : initiate new phase 2 negotiation: 192.168.10.198[4500]<=>x.x.x.246[4500]
10-13 08:31:43.967   vpn 10993 10993 I racoon  : NAT detected -> UDP encapsulation (ENC_MODE 1->3).
10-13 08:31:44.125   vpn 10993 10993 W racoon  : attribute has been modified.
10-13 08:31:44.126   vpn 10993 10993 I racoon  : Adjusting my encmode UDP-Tunnel->Tunnel
10-13 08:31:44.126   vpn 10993 10993 I racoon  : Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
10-13 08:31:44.126   vpn 10993 10993 W racoon  : authtype mismatched: my:hmac-sha512 peer:hmac-sha
10-13 08:31:44.126   vpn 10993 10993 W racoon  : authtype mismatched: my:hmac-sha384 peer:hmac-sha
10-13 08:31:44.127   vpn 10993 10993 I racoon  : IPsec-SA established: ESP/Tunnel x.x.x.246[0]->192.168.10.198[0] spi=62500005(0x3b9aca5)
10-13 08:31:44.127   vpn 10993 10993 I racoon  : IPsec-SA established: ESP/Tunnel 192.168.10.198[4500]->x.x.x.246[4500] spi=1525458389(0x5aeca5d5)

Failed

10-12 16:55:08.716   vpn  3346  3346 D racoon  : Waiting for control socket
10-12 16:55:08.898   vpn  3346  3346 D racoon  : Received 11 arguments
10-12 16:55:08.898   vpn  3346  3346 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
10-12 16:55:08.919   vpn  3346  3346 I racoon  : 192.168.10.198[500] used as isakmp port (fd=7)
10-12 16:55:08.919   vpn  3346  3346 I racoon  : 192.168.10.198[500] used for NAT-T
10-12 16:55:08.919   vpn  3346  3346 I racoon  : 192.168.10.198[4500] used as isakmp port (fd=8)
10-12 16:55:08.919   vpn  3346  3346 I racoon  : 192.168.10.198[4500] used for NAT-T
10-12 16:55:08.919   vpn  3346  3346 I racoon  : initiate new phase 1 negotiation: 192.168.10.198[500]<=>x.x.x.246[500]
10-12 16:55:08.919   vpn  3346  3346 I racoon  : begin Identity Protection mode.
10-12 16:55:08.937   vpn  3346  3346 I racoon  : received Vendor ID: RFC 3947
10-12 16:55:08.937   vpn  3346  3346 I racoon  : received broken Microsoft ID: FRAGMENTATION
10-12 16:55:08.937   vpn  3346  3346 I racoon  : Selected NAT-T version: RFC 3947
10-12 16:55:08.939   vpn  3346  3346 I racoon  : Hashing x.x.x.246[500] with algo #1 
10-12 16:55:08.939   vpn  3346  3346 I racoon  : Hashing 192.168.10.198[500] with algo #1 
10-12 16:55:08.939   vpn  3346  3346 I racoon  : Adding remote and local NAT-D payloads.
10-12 16:55:11.969   vpn  3346  3346 E racoon  : Missing fragment #3
10-12 16:55:11.969   vpn  3346  3346 E racoon  : Packet reassembly failed
10-12 16:55:14.989   vpn  3346  3346 I racoon  : received Vendor ID: CISCO-UNITY
10-12 16:55:14.989   vpn  3346  3346 I racoon  : received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
10-12 16:55:14.989   vpn  3346  3346 I racoon  : Hashing 192.168.10.198[500] with algo #1 
10-12 16:55:14.989   vpn  3346  3346 I racoon  : NAT-D payload #0 doesn't match
10-12 16:55:14.989   vpn  3346  3346 I racoon  : Hashing x.x.x.246[500] with algo #1 
10-12 16:55:14.989   vpn  3346  3346 I racoon  : NAT-D payload #1 verified
10-12 16:55:14.989   vpn  3346  3346 I racoon  : NAT detected: ME 
10-12 16:55:14.990   vpn  3346  3346 I racoon  : KA list add: 192.168.10.198[4500]->x.x.x.246[4500]
10-12 16:55:15.121   vpn  3346  3346 W racoon  : remote address mismatched. db=x.x.x.246[4500], act=x.x.x.246[500]
10-12 16:55:15.324   vpn  3346  3346 E racoon  : Missing fragment #4
10-12 16:55:15.324   vpn  3346  3346 E racoon  : Packet reassembly failed
10-12 16:55:16.433   vpn  3346  3346 W racoon  : Short payload
10-12 16:55:18.547   vpn  3346  3346 I racoon  : received Vendor ID: DPD
10-12 16:55:18.557   vpn  3346  3346 I racoon  : ISAKMP-SA established 192.168.10.198[4500]-x.x.x.246[4500] spi:89a926568edcd07a:193052c2f20b9d10
10-12 16:55:18.557   vpn  3346  3346 W racoon  : Short payload
10-12 16:55:48.705   vpn  3346  3346 W racoon  : Short payload
10-12 16:56:08.806   vpn  3346  3346 I racoon  : Connection is closed
10-12 16:56:08.808   vpn  3346  3346 I racoon  : Bye

Can anyone provide any insight into this? There have been no changes to the client config, yet we are able to connect with Shrew Soft without making any changes. Any help is appreciated!

Thank You,

Carlos

Accepted Solution

I would just like to let anyone know that this issue was resolved and it was caused by the fragment chain option.

We set our ASA to the following:

'fragment chain 12 outside'

after it was originally set to the default of 24, and this resolved the issue. We were also able to connect with 'fragment chain 1 outside', but this caused issues for some of our other clients. Hope this can save someone some headache.

2 Replies

mttciscoadmin
Level 1

Here is the output from the new ASA when the client fails to connect:

5|Oct 13 2017|09:16:51|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
(the line above is repeated 45 times in the original output)
5|Oct 13 2017|09:16:54|713201|||||IP = x.x.x.190, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Oct 13 2017|09:16:54|713905|||||IP = x.x.x.190, P1 Retransmit msg dispatched to MM FSM
5|Oct 13 2017|09:16:57|713201|||||IP = x.x.x.190, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Oct 13 2017|09:16:57|713905|||||IP = x.x.x.190, P1 Retransmit msg dispatched to MM FSM
6|Oct 13 2017|09:16:57|713172|||||IP = x.x.x.190, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
6|Oct 13 2017|09:16:57|713905|||||IP = x.x.x.190, Floating NAT-T from x.x.x.190 port 500 to x.x.x.190 port 4500
4|Oct 13 2017|09:16:57|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: yyy, subject name: cn=yyy,ou=Operations,o=yyy,st=yyy,c=yyy, issuer_name: cn=yyy,o=yyy,l=yyy,st=yyy,c=y.
6|Oct 13 2017|09:16:57|717022|||||Certificate was successfully validated. serial number: yyy, subject name:  cn=yyyy,ou=Operations,o=yyy,st=yyy,c=yyy.
6|Oct 13 2017|09:16:57|717028|||||Certificate chain was successfully validated with warning, revocation status was not checked.
5|Oct 13 2017|09:17:00|713201|||||Group = Operations, IP = x.x.x.190, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Oct 13 2017|09:17:00|713905|||||Group = Operations, IP = x.x.x.190, P1 Retransmit msg dispatched to MM FSM
5|Oct 13 2017|09:17:51|713050|||||Group = Operations, IP = x.x.x.190, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
6|Oct 13 2017|09:17:51|713905|||||Group = Operations, IP = x.x.x.190, Warning: Ignoring IKE SA (src) without 

Please let me know if any other information is needed.
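A small triage script, added here as an example and not part of the thread, that parses the two log formats quoted above (the Android racoon logcat lines and the ASA pipe-delimited syslog lines) and flags the fragment-reassembly signature that distinguishes the failed attempt from the passing one. The embedded sample lines are constructed from the quoted output, and the message-ID based verdict rules are my own assumptions, not ASA or ipsec-tools documentation.

```python
import re

# Constructed sample input modelled on the formats quoted in the thread (not the full logs).
RACOON_FAILED = """\
10-12 16:55:08.937   vpn  3346  3346 I racoon  : received broken Microsoft ID: FRAGMENTATION
10-12 16:55:11.969   vpn  3346  3346 E racoon  : Missing fragment #3
10-12 16:55:11.969   vpn  3346  3346 E racoon  : Packet reassembly failed
10-12 16:55:15.324   vpn  3346  3346 E racoon  : Missing fragment #4
10-12 16:55:15.324   vpn  3346  3346 E racoon  : Packet reassembly failed
10-12 16:55:18.557   vpn  3346  3346 I racoon  : ISAKMP-SA established 192.168.10.198[4500]-x.x.x.246[4500] spi:89a926568edcd07a:193052c2f20b9d10
10-12 16:56:08.806   vpn  3346  3346 I racoon  : Connection is closed
"""
ASA_FAILED = """\
5|Oct 13 2017|09:16:51|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Oct 13 2017|09:16:54|713201|||||IP = x.x.x.190, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Oct 13 2017|09:16:57|713172|||||IP = x.x.x.190, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
5|Oct 13 2017|09:17:00|713201|||||Group = Operations, IP = x.x.x.190, Duplicate Phase 1 packet detected.  Retransmitting last packet.
5|Oct 13 2017|09:17:51|713050|||||Group = Operations, IP = x.x.x.190, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
"""

# logcat: "<date> <time>   vpn <pid> <tid> <level> racoon  : <message>"
RACOON_RE = re.compile(r"^\S+ \S+\s+vpn\s+\d+\s+\d+\s+(?P<lvl>[DIWE])\s+racoon\s*:\s*(?P<msg>.*)$")
# ASA: "<sev>|<date>|<time>|<msgid>|<4 empty fields>|<message>"
ASA_RE = re.compile(r"^(?P<sev>\d)\|[^|]*\|[^|]*\|(?P<id>\d+)\|(?:[^|]*\|){4}(?P<msg>.*)$")

def triage(racoon_text, asa_text):
    """Classify one IKEv1 attempt from the client-side and ASA-side logs."""
    r = {"fragmentation_vid": False, "missing_fragments": [], "reassembly_failed": 0,
         "isakmp_sa": False, "ipsec_sa": False, "asa_p1_mismatch": 0,
         "asa_p1_retransmits": 0, "asa_nat_detected": False, "asa_terminated": False}
    for line in racoon_text.splitlines():
        m = RACOON_RE.match(line)
        if not m: continue
        msg = m.group("msg")
        if "Microsoft ID: FRAGMENTATION" in msg: r["fragmentation_vid"] = True  # IKE fragmentation offered
        frag = re.search(r"Missing fragment #(\d+)", msg)
        if frag: r["missing_fragments"].append(int(frag.group(1)))
        if "Packet reassembly failed" in msg: r["reassembly_failed"] += 1
        if msg.startswith("ISAKMP-SA established"): r["isakmp_sa"] = True
        if msg.startswith("IPsec-SA established"): r["ipsec_sa"] = True
    for line in asa_text.splitlines():
        m = ASA_RE.match(line)
        if not m: continue
        mid = m.group("id")
        if mid == "713257": r["asa_p1_mismatch"] += 1      # one line per rejected transform
        elif mid == "713201": r["asa_p1_retransmits"] += 1  # peer re-sent a Phase 1 packet
        elif mid == "713172": r["asa_nat_detected"] = True  # exchange got past proposal selection
        elif mid == "713050": r["asa_terminated"] = True
    # Heuristic (assumption): reassembly failures with no IPsec SA point at fragment handling
    # between client and ASA; 713257 alone is not the failure when the exchange continues past it.
    if r["reassembly_failed"] and not r["ipsec_sa"]: r["verdict"] = "fragment-reassembly"
    elif not r["isakmp_sa"] and r["asa_p1_mismatch"] and not r["asa_nat_detected"]: r["verdict"] = "phase1-proposal-mismatch"
    elif r["ipsec_sa"]: r["verdict"] = "ok"
    else: r["verdict"] = "unknown"
    return r
```

Run on the quoted attempt it reports "fragment-reassembly" with fragments 3 and 4 missing, which matches the fragment chain fix the poster ended up with; a passing racoon log with an "IPsec-SA established" line reports "ok".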
