
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built issue

Admin - Merged thread from duplicate thread


 

Hi,

I am facing an issue that I am not sure what I need to be checking on. I have an IPsec connection that seems to be identical on both the Sophos and the Cisco ASA end. When I attempt to start the connection, phase 1 comes up but phase 2 fails. When the Cisco ASA initiates the connection, phase 2 comes up and I can connect to devices on the remote side behind the ASA. If I terminate the connection, I cannot start phase 2 unless the Cisco ASA initiates from their end by attempting to pass me traffic.

What do I need to check on?


 

Hi,

I am unable to initiate the IPsec connection even though I am set to be the initiator. The remote device is an ASA that is able to initiate the connection for it to work. The only error logs I can find are:

2020-05-28 22:51:15 26[IKE] <vpn001-1|31> establishing CHILD_SA vpn001-8
2020-05-28 22:51:15 26[ENC] <vpn001-1|31> generating CREATE_CHILD_SA request 8 [ SA No TSi TSr ]
2020-05-28 22:51:15 26[NET] <vpn001-1|31> sending packet: from a.a.a.a[4500] to b.b.b.b[4500] (284 bytes)
2020-05-28 22:51:15 15[NET] <vpn001-1|31> received packet: from b.b.b.b[4500] to a.a.a.a[4500] (76 bytes)
2020-05-28 22:51:15 15[ENC] <vpn001-1|31> parsed CREATE_CHILD_SA response 8 [ N(NO_PROP) ]
2020-05-28 22:51:15 15[IKE] <vpn001-1|31> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2020-05-28 22:51:15 15[DMN] <vpn001-1|31> [GARNER-LOGGING] (child_alert) ALERT: the received CHILD_SA proposals did not match: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ
2020-05-28 22:51:15 15[IKE] <vpn001-1|31> creating CHILD_SA failed, trying again in 69 seconds
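The child_alert line above lists the ESP proposals in strongSwan notation (protocol, then encryption, integrity, optional DH group and ESN transforms separated by "/", with alternative proposals separated by ", "). Working out by hand which transform the peer refused is tedious once several alternatives are offered, so the following is an added example (not code from the thread, Sophos or strongSwan) that parses such a line, expands every combination it admits, and reports which dimension has no overlap with a peer-side proposal. The ASA proposal used for comparison is hypothetical and written in strongSwan names; a real ASA prints its "crypto ipsec ikev2 ipsec-proposal" and PFS settings in its own syntax and would have to be translated first. The transform-name classification is an assumption that covers the common algorithm families, not strongSwan's full table.

```python
"""Explain a strongSwan NO_PROPOSAL_CHOSEN by comparing ESP proposal strings."""
import re
from itertools import product

# Proposal dimensions in the order strongSwan prints them.
DIMENSIONS = ("enc", "integ", "dh", "esn")


def classify(transform):
    """Map one strongSwan transform name to its dimension (assumed prefix rules)."""
    if transform in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if transform.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, 3DES, ...


def parse_proposals(text):
    """'ESP:A/B/C, ESP:D/E' -> list of {dimension: set of transform names}.

    A missing DH group is recorded as None (no PFS offered); a missing ESN
    transform is treated as NO_EXT_SEQ, which is what strongSwan prints anyway.
    """
    proposals = []
    for prop in text.split(","):
        proto, _, transforms = prop.strip().partition(":")
        buckets = {d: set() for d in DIMENSIONS}
        for t in transforms.split("/"):
            if t:
                buckets[classify(t)].add(t)
        for d in DIMENSIONS:
            if not buckets[d]:
                buckets[d].add("NO_EXT_SEQ" if d == "esn" else None)
        buckets["proto"] = proto
        proposals.append(buckets)
    return proposals


def expand(proposals):
    """Every concrete (proto, enc, integ, dh, esn) tuple the proposal list admits."""
    combos = set()
    for p in proposals:
        for combo in product(*(sorted(p[d], key=str) for d in DIMENSIONS)):
            combos.add((p["proto"],) + combo)
    return combos


def extract_alert_proposals(log_line):
    """Pull the proposal list out of a strongSwan child_alert log line."""
    m = re.search(r"did not match:\s*(.+)$", log_line)
    return m.group(1).strip() if m else None


def diagnose(local_text, peer_text):
    """Return (shared combinations, {dimension: (ours, theirs)} for disjoint dimensions).

    An empty report with no shared combinations means each transform exists on
    both sides but never in the same proposal, i.e. the mismatch is combinatorial.
    """
    local, peer = parse_proposals(local_text), parse_proposals(peer_text)
    common = expand(local) & expand(peer)
    report = {}
    for d in DIMENSIONS:
        ours = set().union(*(p[d] for p in local))
        theirs = set().union(*(p[d] for p in peer))
        if not ours & theirs:
            report[d] = (sorted(ours, key=str), sorted(theirs, key=str))
    return common, report


# Constructed sample input: the child_alert line quoted in the post above, and a
# hypothetical ASA proposal (assumed, not from the thread) requiring PFS group 14.
ALERT_LINE = ("2020-05-28 22:51:15 15[DMN] <vpn001-1|31> [GARNER-LOGGING] (child_alert) "
              "ALERT: the received CHILD_SA proposals did not match: "
              "ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, "
              "ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_512_256/"
              "HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/NO_EXT_SEQ")
HYPOTHETICAL_ASA = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"

if __name__ == "__main__":
    common, report = diagnose(extract_alert_proposals(ALERT_LINE), HYPOTHETICAL_ASA)
    print("matching combinations:", len(common))
    for d, (ours, theirs) in report.items():
        print(f"  {d}: we offer {ours}, peer offers {theirs}")
    if not common and not report:
        print("  no single transform is disjoint; the mismatch is in a combination")
```

Run as a script it prints that no combination matches and that the "dh" dimension is disjoint (we offer no group, the hypothetical peer insists on MODP_2048). Note the check is one-sided: NO_PROPOSAL_CHOSEN from an ASA can also be caused by traffic selectors or ACLs that do not line up, which no proposal comparison will reveal, so the subnet check in the reply below still applies.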



  • Hello M@rik,

    Thank you for contacting the Sophos Community.

    This NO_PROPOSAL_CHOSEN usually means that there is one setting in the Policy not matching between both devices.

    Are the subnets matching in both ends?

    Please follow the recommendations in this KB for XG and ASA

    ===

    Sophos XG Firewall: How to setup IPSec between Sophos XG Firewall and Cisco ASA

    https://community.sophos.com/kb/en-us/127731

    ===

    If the issue persists, please put strongswan in debug mode (service strongswan:debug -ds nosync) and send us the output; also provide some screenshots of your configuration and of the Cisco ASA if you can.

    Regards,

  • For anyone else that faces a similar issue, @emmosophos  was correct.

     

    Also note that for connecting to an ASA, they need to ensure the ACLs on their end are properly configured. The subnets we specify on our end also need to be identical to what is configured on the ASA.

