VPN ASA with Fortigate

marcio.tormente
Level 4

Hello Folks!

I always have problem with VPN...LOL

I created a new site-to-site VPN between an ASA 5510 (IOS 8.42) and a Fortigate, but something is very strange: the VPN doesn't come UP, and in the debug crypto ikev1 10 I see the following log:

 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

But if I ask the other peer to change to group 2, the message on the ASA is: 

 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

On the Fortigate it is possible to enable both group 1 and group 2 for a specific VPN, and I asked the other peer to leave it that way; the ASA then shows:

 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

The show isakmp sa:

9 IKE Peer: 179.124.32.181
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3

I deleted and re-created the VPN three times and the same error occurs.

Anyone saw this kind of problem?


Richard Burts
Hall of Fame

Perhaps you could post your crypto config?

HTH

Rick


Hello Richard!

Thanks for your support

Here is the config:

crypto map outside1_map 1 match address outside1_cryptomap
crypto map outside1_map 1 set pfs
crypto map outside1_map 1 set peer 179.124.32.181
crypto map outside1_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside1_map interface outside1

!

procarta-asa# sh run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 enable vpn
crypto ikev1 enable outside1
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto ikev1 policy 6
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 7
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 8
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!

Phase 2 is group 2 as well.

Hi Marcio,

Please configure similar policies for group 1 in phase 1 as well.

crypto ikev1 policy 7
authentication pre-share
encryption aes
hash sha
group 2------create similar policy like this but change the group to 1 
lifetime 28800

Let me know if it works.

Regards,

Aditya

Please rate helpful posts.

David99
Level 1

Is this using Fortigate version 5 by any chance?

I have seen VPN issues with Cisco ASAs on numerous occasions with this Fortigate code, though mainly this has been a Phase 2 issue and setting the KB lifetime to maximum on the ASA side has resolved it... however this seems not to be your issue here.

First thing from your config though, I see you have PFS enabled - have you ensured this is set on the Fortinet side, or tried turning it off on the Cisco side to see if that comes up?

Being stuck at MM_WAIT_MSG3 means that you have sent back your policies but then you have not received the third packet in the ISAKMP exchange, so either the Fortigate is unhappy about something or there is a routing issue (though unlikely, since you have already had communication).

Try on the ASA side:

debug crypto isakmp 7

Also, can you confirm that your outside interface is 'outside1'? You can see this from 'show ip'.

Hello David!

Thanks for your support

I saw some people on the internet with a lifetime issue and I changed this on the ASA, but the result is still the same.

PFS is enabled because the other side asked me to enable it; I have 18 VPNs on this ASA and only this new one was asked to enable PFS.

I told the other side about the MM_WAIT_MSG3 and he told me that on his side everything is okay; we compared all the settings and they seem to be the same.

Here is the result of debug isakmp 7:

Apr 20 09:37:35 [IKEv1]IP = 179.124.32.181, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 332
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing SA payload
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Oakley proposal is acceptable
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received NAT-Traversal RFC VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received NAT-Traversal ver 03 VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received NAT-Traversal ver 02 VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received DPD VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received Fragmentation VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Received Fragmentation VID
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing VID payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing IKE SA payload
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 6
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, constructing ISAKMP SA payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, constructing NAT-Traversal VID ver 02 payload
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, constructing Fragmentation VID + extended capabilities payload
Apr 20 09:37:35 [IKEv1]IP = 179.124.32.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Yes, the interface is outside1. I have the outside interface as well, but everything that is on the outside interface I have to migrate to outside1 (new link).
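A small triage helper for the two artefacts discussed in this thread: the repeated "Mismatched attribute types" lines in the debug output and the MM_WAIT_MSG3 state from show isakmp sa. It is an added example, not code from any post; the log excerpt is a constructed, trimmed copy of the kind of output shown above (using the peer address from the post), and the verdict strings are my own. It treats the mismatch lines as noise whenever a later "Matches global IKE entry" line shows an acceptable transform, and points at reachability rather than the policy set when the responder has sent MM2 but never received MM3.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt in the shape of the ASA
# "debug crypto isakmp 7" output shown in the thread.
SAMPLE_LOG = """\
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, processing SA payload
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, Oakley proposal is acceptable
Apr 20 09:37:35 [IKEv1 DEBUG]IP = 179.124.32.181, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 6
Apr 20 09:37:35 [IKEv1]IP = 179.124.32.181, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
"""

MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[\w ]+?): "
    r"Rcv'd: (?P<rcvd>[\w-]+ \d+) Cfg'd: (?P<cfgd>[\w-]+ \d+)")
MATCH_RE = re.compile(r"Transform # (\d+) acceptable Matches global IKE entry # (\d+)")
MM2_SENT_MARKER = "IKE_DECODE SENDING Message (msgid=0)"

def count_mismatches(log: str) -> Counter:
    """Tally (class, received, configured) triples from the mismatch lines.
    The ASA logs one of these for every policy it walks past, so they only
    matter when no 'Matches global IKE entry' line follows them."""
    return Counter((m["cls"], m["rcvd"], m["cfgd"]) for m in MISMATCH_RE.finditer(log))

def matched_entry(log: str):
    """Return the global IKE entry number that accepted the peer's transform, or None."""
    m = MATCH_RE.search(log)
    return int(m.group(2)) if m else None

def triage(log: str, sa_state: str, role: str) -> str:
    """Combine the debug output with the 'show isakmp sa' Role/State into a verdict
    (the verdict strings are this example's own, not ASA messages)."""
    entry = matched_entry(log)
    if entry is None:
        return "phase1-policy-mismatch"      # no acceptable transform: fix the proposals
    if role == "responder" and sa_state == "MM_WAIT_MSG3" and MM2_SENT_MARKER in log:
        # MM1 was received, MM2 was built and sent, MM3 never arrived:
        # the policy set is fine, so check reachability/routing on the peer side.
        return f"proposal-accepted-entry-{entry}; MM2 sent, MM3 never received"
    return f"proposal-accepted-entry-{entry}"
```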

marcio.tormente
Level 4

David,

It was a routing problem, but on the Fortigate side.

thanks

Thanks for posting back to the forum and letting us know that you have solved the issue and that the problem was a routing issue on the Fortigate side.

HTH

Rick
