
UTM9 to Cisco ASA Not Progressing to Phase 2

I am trying to connect a UTM9 to a Cisco ASA IPSec s2s endpoint.

It seems that Phase 1 succeeds, but we never progress to Phase 2.

Log from UTM below.

Any pointers?


2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: initiating Main Mode
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: enabling possible NAT-traversal with method RFC 3947
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ignoring Vendor ID payload [Cisco-Unity]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: received Vendor ID payload [XAUTH]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ignoring Vendor ID payload [6f3bb05bc8d2f5d6d5cf87f100489425]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: received Vendor ID payload [Dead Peer Detection]
2014:10:23-16:21:58 sophos-router pluto[6686]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: Peer ID is ID_IPV4_ADDR: 'IP.REDACTED'
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ISAKMP SA established
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: received Delete SA payload: deleting ISAKMP State #1


  • We are seeing this on the Cisco:

    Oct 24 15:32:59 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Oct 24 15:32:59 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Oct 24 15:32:59 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

    Thing is, both sides are set to Group 5. When we switched to Group 2 on both sides, the log was reversed:

    Rcv'd: Group 5  Cfg'd: Group 2
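An added example, not part of either post above: a small Python analyzer that reads the two logs quoted in this thread (the UTM's pluto lines from the first post and the ASA's `[IKEv1]` lines from the reply) and turns them into a verdict. On the UTM side it tracks per-connection milestones (ISAKMP SA established, Quick Mode initiated, IPsec SA established, Delete SA received) and classifies the sequence; on the ASA side it extracts the `Mismatched attribute types ... Rcv'd/Cfg'd` pairs. Note that the ASA labels the mismatch "Phase 1 failure" even though the UTM log shows the ISAKMP SA was already established when the Delete arrived, so the script reports the rejected group as a Phase 2 (PFS) attribute to check; that is an inference from the two logs, not something the thread states. All function names and the state machine are my own, and the sample log text is copied from the posts with the peer address left redacted as it was there.

```python
import re

# Constructed sample input: the UTM (pluto) and ASA lines quoted in the thread.
UTM_LOG = """\
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: initiating Main Mode
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
2014:10:23-16:21:58 sophos-router pluto[6686]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: Peer ID is ID_IPV4_ADDR: 'IP.REDACTED'
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: ISAKMP SA established
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
2014:10:23-16:21:58 sophos-router pluto[6686]: "S_ABCD-Tunnel" #1: received Delete SA payload: deleting ISAKMP State #1
"""

ASA_LOG = """\
Oct 24 15:32:59 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Oct 24 15:32:59 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
"""

# pluto's per-connection lines: <ts> <host> pluto[pid]: "<conn>" #<sa>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
# ASA's attribute mismatch: "... for class <cls>:  Rcv'd: <x>  Cfg'd: <y>"
ASA_MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)

# Milestones to look for, keyed by the substring pluto prints for each.
MILESTONES = (
    ("isakmp_established", "ISAKMP SA established"),
    ("quick_mode_initiated", "initiating Quick Mode"),
    ("ipsec_established", "IPsec SA established"),
    ("delete_received", "received Delete SA payload"),
)


def analyze_pluto(log: str) -> dict:
    """Return {connection: {milestone: line index of first occurrence or None}}."""
    state = {}
    for idx, line in enumerate(log.splitlines()):
        m = PLUTO_RE.match(line)
        if not m:
            continue  # "| ..." debug lines carry no connection name; skip them
        conn = state.setdefault(m["conn"], {name: None for name, _ in MILESTONES})
        for name, needle in MILESTONES:
            if needle in m["msg"] and conn[name] is None:
                conn[name] = idx
    return state


def diagnose(conn_state: dict) -> str:
    """Classify one connection's milestone record."""
    s = conn_state
    if s["ipsec_established"] is not None:
        return "ok"
    if s["isakmp_established"] is None:
        return "phase1-failed"
    # Phase 1 done, Quick Mode sent, then the peer tore the ISAKMP SA down:
    # the responder rejected something in our Phase 2 proposal.
    if (s["quick_mode_initiated"] is not None and s["delete_received"] is not None
            and s["delete_received"] > s["quick_mode_initiated"]):
        return "phase2-rejected-by-peer"
    return "phase1-only"


def parse_asa_mismatches(log: str) -> list:
    """Return the distinct (class, received, configured) triples the ASA logged."""
    found = []
    for line in log.splitlines():
        m = ASA_MISMATCH_RE.search(line)
        if m:
            triple = (m["cls"].strip(), m["rcvd"], m["cfgd"])
            if triple not in found:
                found.append(triple)
    return found


def correlate(utm_log: str, asa_log: str) -> dict:
    """Join the two views: UTM verdict per connection plus a hint from the ASA side."""
    report = {}
    mismatches = parse_asa_mismatches(asa_log)
    for conn, st in analyze_pluto(utm_log).items():
        verdict = diagnose(st)
        hint = None
        if verdict == "phase2-rejected-by-peer" and mismatches:
            # ISAKMP completed on the initiator, so an attribute the responder
            # rejects afterwards belongs to the Quick Mode (PFS) proposal.
            hint = "check Phase 2 (PFS) settings: " + "; ".join(
                f"{c}: received {r}, configured {g}" for c, r, g in mismatches)
        report[conn] = {"verdict": verdict, "hint": hint}
    return report


if __name__ == "__main__":
    for conn, r in correlate(UTM_LOG, ASA_LOG).items():
        print(conn, r["verdict"], r["hint"] or "")
```

Run it as-is against the embedded sample and it reports `S_ABCD-Tunnel phase2-rejected-by-peer` with the Group Description mismatch as the hint; point `UTM_LOG` and `ASA_LOG` at real exports to use it on a live case. The ordering check (Delete after Quick Mode) is what separates a Phase 2 rejection from an unrelated teardown, which is why the milestones are stored as line indices rather than booleans.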