Phase 2 type code table needed

Jul 13th, 2009

Hi, we have the following error with an L2L tunnel between ASA 5540 ver 8.0(3) and a Sonicwall:

<163>%ASA-3-713016: Group = x.y.z.w, IP = x.y.z.w, Unknown identification type, Phase 2, Type 7

What does it mean?

Do you have a phase 2 type code table?


dsweeny Fri, 07/17/2009 - 14:14

VPN tunnel between ASA and Sonicwall is failing in phase II. The logs indicate that the crypto ACL is not matching, hence the tunnel is failing. Unknown identification type, Phase 2, Type 7

ahmad82pkn Fri, 11/11/2011 - 17:11

Hi dsweeny, I had the same issue as the poster of the thread, and your suggestion resolved my issues. Thank you very much.

apdatasoft Wed, 11/11/2009 - 22:35

Have you resolved the issue? If so, please let me know the solution, since I have the same problem when I set up a site-to-site VPN tunnel between a Sonicwall and an ASA 5520 ver 8.0(4).

Thanks in advance

Patrick0711 Mon, 11/14/2011 - 14:10

RFC 2407:

       ID Type                   Value
       -------                   -----
       RESERVED                            0
       ID_IPV4_ADDR                        1
       ID_FQDN                             2
       ID_USER_FQDN                        3
       ID_IPV4_ADDR_SUBNET                 4
       ID_IPV6_ADDR                        5
       ID_IPV6_ADDR_SUBNET                 6
       ID_IPV4_ADDR_RANGE                  7
       ID_IPV6_ADDR_RANGE                  8
       ID_DER_ASN1_DN                      9
       ID_DER_ASN1_GN                      10
       ID_KEY_ID                           11

ASA will only support ID_IPV4_ADDR and ID_IPV4_ADDR_SUBNET when you're specifying proxy ID information AFAIK

Arun Nair Mon, 11/14/2011 - 22:36

Whenever you are peering between multiple vendors, make sure you set the proxy-id on the remote non-Cisco vendor. I have faced this issue a couple of times.

imfvieira Tue, 01/14/2014 - 11:50

I got this problem too. We have an ASA 5580 - 8.2 that is used with VPN.

Our ASA --> Sonic Wall => Phase 1 and 2 are ok.

Sonic Wall --> Our ASA ==> Phase 1 ok and Phase 2 shows the same message.

So I asked the SonicWall admin to check whether they are sending the correct Local and Remote Address.

Maybe it's the Remote Address on their side, because we have two hosts on our local network and the ID is showing that they are sending an IP range instead of 2 hosts (or two ip/32).

If that doesn't solve it, the next try will be the proxy-id.
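
Added example, not part of any post in this thread: a Python decoder for the body of an IKEv1 Phase 2 ID payload (RFC 2407 section 4.6.2) that names the ID type from the table above and, for a Type 7 range, lists the subnets covering the same addresses, which is what the peer would need to propose as Type 1 or Type 4 instead. The function names, the sample addresses (documentation range 192.0.2.0/24) and the ASA_ACCEPTED set are assumptions; the set reflects only the "AFAIK" statement in the thread.

```python
import ipaddress
import struct

# IPv4 ID types from the RFC 2407 table quoted in the thread.
ID_NAMES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE"}
# Assumption taken from the thread ("AFAIK"): proxy ID types the ASA accepts.
ASA_ACCEPTED = {1, 4}


def decode_id_body(body: bytes) -> dict:
    """Decode an ID payload body; body starts at the ID Type octet."""
    # Fixed part: ID Type (1 octet), Protocol ID (1 octet), Port (2 octets).
    if len(body) < 4:
        raise ValueError("body shorter than ID Type/Protocol ID/Port fields")
    id_type, protocol, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type not in ID_NAMES:
        raise ValueError(f"ID type {id_type} is not an IPv4 type handled here")
    expected = 4 if id_type == 1 else 8
    if len(data) != expected:
        raise ValueError(f"{ID_NAMES[id_type]} needs {expected} data octets")
    first = ipaddress.IPv4Address(data[:4])
    if id_type == 1:      # single host
        nets = [ipaddress.IPv4Network(f"{first}/32")]
    elif id_type == 4:    # address followed by netmask
        mask = ipaddress.IPv4Address(data[4:])
        nets = [ipaddress.IPv4Network(f"{first}/{mask}")]
    else:                 # type 7: inclusive start and end addresses
        last = ipaddress.IPv4Address(data[4:])
        if last < first:
            raise ValueError("range end is below range start")
        nets = list(ipaddress.summarize_address_range(first, last))
    return {
        "id_type": ID_NAMES[id_type],
        "protocol": protocol,
        "port": port,
        "asa_accepted": id_type in ASA_ACCEPTED,
        # Subnets covering exactly the same addresses, expressible as types 1/4.
        "subnets": [str(n) for n in nets],
    }


def make_body(id_type: int, a: str, b: str = "") -> bytes:
    """Build a constructed sample body (protocol 0, port 0 = any)."""
    addrs = [ipaddress.IPv4Address(x).packed for x in (a, b) if x]
    return struct.pack("!BBH", id_type, 0, 0) + b"".join(addrs)
```

For example, decode_id_body(make_body(7, "192.0.2.10", "192.0.2.13")) reports ID_IPV4_ADDR_RANGE and the two /31 subnets that cover the same four addresses.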

