Dynamic to Static IPSec with Certificate Authentication

Answered Question

I'm trying to set up a dynamic-to-static LAN2LAN VPN from an ASA 5505 (with a dynamic IP) to an ASA 5520 (with a static IP).
I'd like to have a small (/30) network on the dynamic side that I can connect to a larger (/24) network on the static side.
I'm also trying to use identity certificates for the authentication.


I generated a root CA and an intermediate CA, signed the intermediate CA with the root CA, then created identity CAs for
the ASAs, signed them with the intermediate CA using OpenSSL, and imported them to a trustpoint.


I tried using the instructions at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
to set up the certificates (replacing MS with OpenSSL) and using the instructions at:


I then tried to use the ASDM to set the appropriate identity cert on the outside interface
[ Configuration->Device Management->Advanced->SSL Settings ]


and set up a Connection Profile [ Configuration->Device Management->Connection Profiles ] on both devices,
setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept from dynamic.


I apply settings and nothing happens.


show crypto isakmp just returns "There are no isakmp sas".


I'm not sure where to begin debugging this. How do I force the DHCP side to initiate a connection?

Correct Answer by Ivan Martinon about 7 years 5 months ago

Are we sure both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different DH group.

Ivan Martinon Wed, 12/02/2009 - 11:05


Gary,


Since this is an IPsec connection, SSL is not where you need to bind the certificate. You need to bind it to the tunnel group for authentication, in your case to your DefaultL2LGroup on the static ASA and to the tunnel group for the server on the dynamic side. Once you have done that and you have all the isakmp/ipsec settings, you need to start some kind of traffic through the tunnel to make it come up; then you can debug if it does not work.

Advised debugs are:


debug crypto isakmp 15

debug crypto ca messages


The two above are for the case where the tunnel is not established; try to run them on the 5520.


debug crypto ipsec 15


As well, make sure that your 5505 inside traffic starts the VPN.

When I go to [ Configuration -> Site-to-Site VPN -> Tunnel Groups ], select the DefaultL2LGroup and click
"Edit", it lets me "Edit IPsec Site-to-Site Tunnel Group: DefaultL2LGroup".


But when I set the "Identity Certificate" to the trustpoint I put under
[ Configuration -> Site-to-Site VPN -> Certificate Management -> Identity Certificates ]
the Tunnel Groups Summary Pane updates to:

   "DefaultL2LGroup| -- None -- | True | DfltGrpPolicy",

and if I set it to "-- None --" in the pop-up Dialog, the Summary Pane reads:

   "DefaultL2LGroup|                  | True | DfltGrpPolicy".


I'm assuming it should read something like:

   "DefaultL2LGroup| ASDM_TrustPoint3 | True | DfltGrpPolicy"


Is this a bug or something? How do I associate an Identity Certificate from the command-line to work around this?


I'm using:
boot system disk0:/asa821-k8.bin
asdm image disk0:/asdm-621.bin

Ivan Martinon Thu, 12/03/2009 - 09:14

Go ahead and enable management-access inside on both firewalls and ping the inside interface of the static one from the remote one using


ping inside X.X.X.X

Ivan Martinon Thu, 12/03/2009 - 11:05

Actually that is phase 1, check your isakmp and cert settings, debug crypto isakmp 15 and debug crypto ca messages 15 too.

################################################################################
# I want to create a Dynamic-to-Static L2L VPN using certificate authentication.
#
# Certificates:
# The static side will be known as sys-asa01.example.com, so I create a Root CA (root_ca), an
# Intermediate CA (mid_ca) and an identity certificate for sys-asa01.example.com.
#
# The network behind sys-ii-asa00 is 10.254.254.0/255.255.255.248
# The network behind sys-asa01 is 192.168.7.0/255.255.255.0
#
# Installed the root_ca and mid_ca public keys into both ASAs, and install the
# Generate a CSR, sign it with the mid_ca and import it back into the respective
# ASA...
################################################################################
SYS-ASA01# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 08
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    [email protected]
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=sys-asa01.example.com
    ou=Information Technology
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 10:46:12 CST Dec 3 2009
    end   date: 10:46:12 CST Dec 2 2012
  Associated Trustpoints: sys-asa01


CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:16 CST Dec 24 2008
    end   date: 12:31:16 CST Dec 24 2011
  Associated Trustpoints: sys-asa01 example.com-mid_ca


CA Certificate
  Status: Available
  Certificate Serial Number: 009f7176cfd4d4a69b
  Certificate Usage: General Purpose
  Public Key Type: RSA (512 bits)
  Issuer Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:10 CST Dec 24 2008
    end   date: 12:31:10 CST Dec 23 2013
  Associated Trustpoints: example.com-root_ca
             
SYS-ASA01#
################################################################################
sys-ii-asa00# show crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 009f7176cfd4d4a69b
  Certificate Usage: General Purpose
  Public Key Type: RSA (512 bits)
  Issuer Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:10 CST Dec 24 2008
    end   date: 12:31:10 CST Dec 23 2013
  Associated Trustpoints: example.com-root_ca


Certificate  
  Status: Available
  Certificate Serial Number: 06
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    [email protected]
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=sys-ii-asa00.example.com
    ou=Information Technology
    o=Company Name
    l=CityName
    st=Tennesee
    c=US
  Validity Date:
    start date: 13:42:41 CST Nov 27 2009
    end   date: 13:42:41 CST Nov 26 2012
  Associated Trustpoints: sys-ii-asa00


CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    [email protected]
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    [email protected]
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:16 CST Dec 24 2008
    end   date: 12:31:16 CST Dec 24 2011
  Associated Trustpoints: sys-ii-asa00 example.com-mid_ca
             
sys-ii-asa00#


################################################################################
# Set up the isakmp policies (the same on both ASAs). Some of this is more than I
# need, but there are remote-access VPNs on the static ASA as well. Since
# "isakmp policy 150" is the only one that uses rsa-sig, that is the one we'll be
# using for certificates.
################################################################################
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal


################################################################################
# configure the trust points
################################################################################
# sys-ii-asa00#
crypto ca trustpoint example.com-root_ca
enrollment terminal
crl configure
crypto ca trustpoint example.com-mid_ca
enrollment terminal
crl configure
crypto ca trustpoint sys-ii-asa00
revocation-check crl none
enrollment terminal
email [email protected]
subject-name CN=sys-ii-asa00.example.com,OU=Information Technology,O=Company Name,C=US,St=Tennesee,L=CityName,[email protected]
no client-types
crl configure


################################################################################
# SYS-ASA01#
crypto ca trustpoint example.com-root_ca
enrollment terminal
crl configure
crypto ca trustpoint example.com-mid_ca
enrollment terminal
crl configure
crypto ca trustpoint sys-asa01
revocation-check crl none
enrollment terminal
email [email protected]
subject-name CN=sys-asa01.example.com,OU=Information Technology,O=Company Name,C=US,St=Tennesee,L=CityName,[email protected]
keypair sys-asa01.example.com
no client-types
crl configure


################################################################################
# I have static-to-static VPNs, remote-access VPNs, and want certificate-
# authenticated dynamic-to-static, so I'll need to set identity auto
################################################################################


SYS-ASA01# conf t                    
SYS-ASA01(config)# crypto isakmp identity auto
SYS-ASA01(config)# end
SYS-ASA01#


sys-ii-asa00# conf t
sys-ii-asa00(config)# crypto isakmp identity auto
sys-ii-asa00(config)# end
sys-ii-asa00#


################################################################################
# Since we'll be using certificate authentication, we'll need to create a tunnel
# group named after the remote site's certificate CN (we could do this by OU as
# well, which is the default)
################################################################################


################################################################################
# SYS-ASA01#
conf t
group-policy instant-issue-group-policy internal
group-policy instant-issue-group-policy attributes
vpn-tunnel-protocol IPSec
dns-server value 192.168.7.58
quit
tunnel-group sys-ii-asa00.example.com type ipsec-l2l
tunnel-group sys-ii-asa00.example.com general-attributes
default-group-policy instant-issue-group-policy
quit
tunnel-group sys-ii-asa00.example.com ipsec-attributes
peer-id-validate cert
no trust-point example.com-mid_ca
quit
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr cn eq sys-ii-asa00.example.com
quit
tunnel-group-map 1 sys-ii-asa00.example.com
end


################################################################################
# sys-ii-asa00#
conf t
group-policy instant-issue-group-policy internal
group-policy instant-issue-group-policy attributes
vpn-tunnel-protocol IPSec
quit
! tunnel-group sys-asa01.example.com type ipsec-l2l
tunnel-group sys-asa01.example.com general-attributes
default-group-policy instant-issue-group-policy
quit
tunnel-group sys-asa01.example.com ipsec-attributes
peer-id-validate cert
trust-point example.com-mid_ca
quit
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr cn eq sys-asa01.example.com
quit
tunnel-group-map 1 sys-asa01.example.com
end


################################################################################
#
################################################################################
# sys-ii-asa00
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.248 192.168.7.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.254.254.0 255.255.255.248 192.168.7.0 255.255.255.0
! the NAT exemption must reference the ACL defined on this box
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 74.255.131.2
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside


# SYS-ASA01
access-list nonat_inside extended permit ip 192.168.7.0 255.255.255.0 10.254.254.0 255.255.255.248
access-list outside_cryptomap_2 extended permit ip 192.168.7.0 255.255.255.0 10.254.254.0 255.255.255.248
! the NAT exemption must reference the ACL defined on this box
nat (inside) 0 access-list nonat_inside


################################################################################
# results
################################################################################
SYS-ASA01#
debug crypto isakmp
debug crypto ca messages
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 09:37:52 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)


sys-ii-asa00#
Dec 07 09:38:30 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed




Any idea why my IKE keeps failing to find the tunnel group? What did I miss?
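The accepted answer in this thread comes down to one question: do both peers offer the same rsa-sig phase 1 proposal (authentication, encryption, hash and DH group)? The following Python script is an added example, not something from the thread or from Cisco: it parses the `crypto isakmp policy` sections out of two running-config excerpts and reports which proposals the peers share and which rsa-sig policies have no counterpart on the other side. The static-side input is a subset of the policies posted above; the dynamic-side input is constructed so that its rsa-sig policy uses DH group 5 instead of group 2, the kind of mismatch the answer suspects. The ASA defaults it fills in for unset attributes (pre-share, 3des, sha, group 2, 86400 s) are an assumption stated in the code.

```python
"""Compare the IKEv1 (ISAKMP) phase 1 policies of two Cisco ASA configs."""
import re
from dataclasses import dataclass

# Assumed ASA defaults for an isakmp policy attribute that is not set explicitly.
DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
            "hash_alg": "sha", "group": 2, "lifetime": 86400}
# Config keyword -> dataclass field ("hash" is renamed to avoid the builtin).
KEYWORDS = {"authentication": "authentication", "encryption": "encryption",
            "hash": "hash_alg", "group": "group", "lifetime": "lifetime"}

# Static side: subset of the policies posted in the thread.
STATIC_ASA = """\
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
"""

# Dynamic side: constructed sample; identical except the rsa-sig policy uses group 5.
DYNAMIC_ASA = STATIC_ASA.replace("authentication rsa-sig\nencryption 3des\nhash sha\ngroup 2",
                                 "authentication rsa-sig\nencryption 3des\nhash sha\ngroup 5")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    authentication: str
    encryption: str
    hash_alg: str
    group: int
    lifetime: int

    def proposal(self):
        # Attributes that must agree exactly. Lifetime is negotiated down to the
        # shorter of the two values, so it is not part of the proposal key.
        return (self.authentication, self.encryption, self.hash_alg, self.group)


def parse_isakmp_policies(config_text):
    """Return the IsakmpPolicy objects found in an ASA config excerpt."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        start = re.match(r"crypto isakmp policy (\d+)$", line)
        if start:
            if current:
                policies.append(IsakmpPolicy(**current))
            current = dict(DEFAULTS, priority=int(start.group(1)))
            continue
        if current is None or not line:
            continue
        key, *rest = line.split()
        if key in KEYWORDS and rest:
            field = KEYWORDS[key]
            current[field] = int(rest[0]) if field in ("group", "lifetime") else rest[0]
        else:
            # Any other command ends the policy section (e.g. "no crypto isakmp nat-traversal").
            policies.append(IsakmpPolicy(**current))
            current = None
    if current:
        policies.append(IsakmpPolicy(**current))
    return policies


def shared_proposals(initiator, responder):
    """(initiator_policy, responder_policy) pairs with equal proposals, in the
    responder's own priority order, which is the order it considers them in."""
    offered = {}
    for p in sorted(initiator, key=lambda p: p.priority):
        offered.setdefault(p.proposal(), p)
    return [(offered[p.proposal()], p)
            for p in sorted(responder, key=lambda p: p.priority)
            if p.proposal() in offered]


def unmatched_policies(side_a, side_b, authentication=None):
    """Policies on side_a with no equal proposal on side_b, optionally filtered
    by authentication method ("rsa-sig" for certificate-authenticated peers)."""
    known = {p.proposal() for p in side_b}
    return [p for p in side_a if p.proposal() not in known
            and (authentication is None or p.authentication == authentication)]


def report(static_cfg, dynamic_cfg):
    """Human-readable comparison; the dynamic peer initiates, the static one responds."""
    static, dynamic = parse_isakmp_policies(static_cfg), parse_isakmp_policies(dynamic_cfg)
    lines = []
    for ini, rsp in shared_proposals(dynamic, static):
        lines.append(f"OK   dynamic policy {ini.priority:>3} <-> static policy {rsp.priority:>3}: "
                     f"{ini.authentication} {ini.encryption} {ini.hash_alg} group {ini.group} "
                     f"(lifetime {min(ini.lifetime, rsp.lifetime)} s)")
    for side, own, other in (("dynamic", dynamic, static), ("static", static, dynamic)):
        for p in unmatched_policies(own, other, "rsa-sig"):
            lines.append(f"FAIL {side} rsa-sig policy {p.priority} ({p.encryption} {p.hash_alg} "
                         f"group {p.group}) has no match on the other peer")
    return lines


if __name__ == "__main__":
    for line in report(STATIC_ASA, DYNAMIC_ASA):
        print(line)
```

Run against the two excerpts it prints two OK lines for the pre-share policies and a FAIL line for each side's rsa-sig policy 150; a certificate-authenticated tunnel can only come up once the FAIL lines disappear, because the only proposals the peers share use pre-share authentication and a tunnel group bound to a trust-point will not negotiate with those.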

Ivan Martinon Mon, 12/07/2009 - 08:20

Gary,


Under your tunnel group, I can't see you matching the trustpoint on the box:


# SYS-ASA01#
tunnel-group sys-ii-asa00.example.com ipsec-attributes
no trust-point example.com-mid_ca
quit


You should use the following here:


# SYS-ASA01#
tunnel-group sys-ii-asa00.example.com ipsec-attributes
trust-point sys-asa01
quit


# sys-ii-asa00#
tunnel-group sys-asa01.example.com ipsec-attributes
trust-point sys-ii-asa00


That is because on both ASAs this trustpoint is the one that has both the CA and the ID certificate. As well, on your certificate map, try using the operator co for contains.


Add level 15 or 25 to both debugs you used for higher detail:


debug crypto isakmp 25

debug crypto ca messages 25


Ivan

More information:


################################################################################
# crypto maps
################################################################################


# SYS-ASA01
crypto map vpn 8 ipsec-isakmp dynamic instant-issue-00
crypto map vpn 8 match address outside_cryptomap_2
crypto map vpn 8 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpn interface outside



# sys-ii-asa00
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 74.255.131.2
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside




################################################################################
#  Static side debug 15 (isakmp & crypto ca)
################################################################################


SYS-ASA01# Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing SA payload
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Oakley proposal is acceptable
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Fragmentation VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing IKE SA payload
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ISAKMP SA payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Fragmentation VID + extended capabilities payload
Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ke payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ISA_KE payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing nonce payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Cisco Unity client VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received xauth V6 VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ke payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing nonce payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Cisco Unity VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing xauth V6 VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Send IOS VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE MM Responder FSM error history (struct &0xd0feeaf8)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE SA MM:15f59e3e terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, sending delete/delete with reason message
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 10:17:22 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 10:17:22 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 10:17:30 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 10:17:30 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
no debug crypto isakmp
SYS-ASA01# no debug crypto ca messages
SYS-ASA01#


...

It still doesn't know which tunnel group to use....

Correct Answer
Ivan Martinon Mon, 12/07/2009 - 08:27
User Badges: Cisco Employee

Are we sure both Peers are using the same isakmp settings? it seems the policy that uses rsa-sig on one end uses a diff DH Group.

Ivan Martinon Mon, 12/07/2009 - 08:27
User Badges: Cisco Employee

As well, the reason it does not find the tunnel group is that the certificate map is not finding the attribute; has it been changed to use co rather than eq?

This is how it looks now. Is this not right?


sys-ii-asa00#
crypto ca certificate map DefaultCertificateMap 1
subject-name attr cn eq sys-asa01.example.com
crypto ca certificate map DefaultCertificateMap 10




SYS-ASA01#
crypto ca certificate map DefaultCertificateMap 1
subject-name attr cn eq sys-ii-asa00.example.com
crypto ca certificate map DefaultCertificateMap 10

Ivan Martinon Mon, 12/07/2009 - 08:56
User Badges: Cisco Employee

The isakmp policy looks good on both ends; again, the certificate map is ok, but I would rather use CO instead of EQ. Have the crypto ca debugs enabled; I want to see how the mapping is processed.
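
As an added illustration (not configuration from this thread or from Cisco), this is the shape a certificate-authenticated dynamic-to-static L2L pair takes on ASA 8.x once the points raised above are in place: an rsa-sig ISAKMP policy with the same DH group on both ends, the identity trustpoint bound to the tunnel group (not to the SSL settings), and a certificate map using `co` tied to the tunnel group with `tunnel-group-map`. The peer address, certificate CNs and proxy networks are the ones visible in the debug output; the trustpoint, ACL, transform-set and dynamic-map names (L2L-TP, L2L-ACL, ESP-AES256-SHA, DYN-MAP), the AES-256/SHA-1 choice, the static side's crypto map name and the subnet masks are assumptions.

```text
! ---- Static side: SYS-ASA01 (responder, 74.255.131.2) -- example; names assumed ----
crypto isakmp enable outside
crypto isakmp identity auto
! Phase 1: rsa-sig policy; "group 2" must match the peer's rsa-sig policy
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! The peer's address is unknown, so there is no "set peer": a dynamic map
! is attached to the static crypto map at the lowest priority
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
crypto map outside_map interface outside
! Identity certificate (trustpoint L2L-TP, assumed name) bound to the L2L tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point L2L-TP
! Map the peer's certificate CN to that tunnel group ("co" = contains)
crypto ca certificate map DefaultCertificateMap 10
 subject-name attr cn co sys-ii-asa00.example.com
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 DefaultL2LGroup

! ---- Dynamic side: sys-ii-asa00 (initiator, DHCP address) -- example; names assumed ----
crypto isakmp enable outside
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: 10.254.254.0 (local) to 192.168.7.0 (remote); masks assumed
access-list L2L-ACL extended permit ip 10.254.254.0 255.255.255.252 192.168.7.0 255.255.255.0
crypto map outside_map1 10 match address L2L-ACL
crypto map outside_map1 10 set peer 74.255.131.2
crypto map outside_map1 10 set transform-set ESP-AES256-SHA
crypto map outside_map1 interface outside
! The static peer has a fixed address, so its tunnel group is named by that IP
tunnel-group 74.255.131.2 type ipsec-l2l
tunnel-group 74.255.131.2 ipsec-attributes
 trust-point L2L-TP
crypto ca certificate map DefaultCertificateMap 10
 subject-name attr cn co sys-asa01.example.com
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 74.255.131.2
```

Because the static side has no address for its peer, only the dynamic side can initiate: the tunnel is brought up by traffic that matches L2L-ACL (a ping from a 10.254.254.x host to a 192.168.7.x host). `show crypto ca certificates` confirms that the trustpoint holds the identity certificate and the CA chain that signed the peer's certificate; `show crypto isakmp sa` and `show crypto ipsec sa` confirm the phase 1 and phase 2 SAs once the tunnel is up. One caveat: DH groups 1 and 2 and SHA-1 are what this platform generation offered and are considered weak today; use the same structure with the strongest group and hash the software supports.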

I changed eq to co, set debug crypto isakmp 25 and debug crypto ca messages 25, and sent a single ping. Attached are the debugs from each side.


SYS-ASA01# debug crypto isakmp 25
SYS-ASA01# debug crypto ca messages 25
SYS-ASA01# Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing SA payload
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Oakley proposal is acceptable
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Fragmentation VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing IKE SA payload
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ISAKMP SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ISA_KE payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Cisco Unity client VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received xauth V6 VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Cisco Unity VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing xauth V6 VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Send IOS VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE MM Responder FSM error history (struct &0xd14a21b0)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE SA MM:28baec2d terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, sending delete/delete with reason message
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 11:22:25 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:25 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:33 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:41 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
SYS-ASA01#


################################################################################
sys-ii-asa00# Dec 07 11:19:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:50 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:19:58 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:06 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:8fbf96d7 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:20:14 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:20:14 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry
Dec 07 11:20:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:28 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:29 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:30 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:31 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:32 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:33 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:34 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:36 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:3cdf16c7 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:20:59 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:20:59 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry
debug crypto isakmp 25
sys-ii-asa00# debug crypto ca messages 25
sys-ii-asa00# Dec 07 11:22:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:ed9498ca terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:22:49 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:22:49 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry

If I run the following while it's negotiating I get:



sys-ii-asa00# show crypto isakmp sa detail


   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1   IKE Peer: 74.255.131.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 2147479890




--


Why does it say "Auth: preshared" if I'm using rsa?

Ivan Martinon Mon, 12/07/2009 - 10:44
User Badges:
  • Cisco Employee,

That is because it seems it is negotiating with another isakmp policy using preshared. Please go ahead and run the following command on both ASAs and paste it here:


show run all isakmp

sys-ii-asa00# show run all isakmp
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5    
group 5     
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha    
group 1     
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha    
group 2     
lifetime 86400
no crypto isakmp nat-traversal


SYS-ASA01#
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5    
group 5     
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha    
group 1     
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha    
group 2     
lifetime 86400
no crypto isakmp nat-traversal

Ivan Martinon Mon, 12/07/2009 - 11:20
User Badges:
  • Cisco Employee,

As you can see, there are several policies that match on both sides before it goes to rsa-sig (policy 150). Since they will both send their policies and match with the first one that is there and that matches all values, it will match, in this case with policy 10, and so on, before it goes to policy 150. My advice is that if on the dynamic side you do not have the need of using all of those policies, just leave the rsa-sig, or if you do need to use the other preshare policies, move it to the top of the list on the ASA.

On the dynamic side I removed all of them and added:


crypto isakmp policy 5
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400



I then added the same policy ( at priority 5, before everything else ) and now the dynamic side says:


sys-ii-asa00# show debug
debug crypto ca messages enabled at level 25
debug crypto isakmp enabled at level 25
eft-ii-asa00# Dec 07 13:40:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 13:40:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Dec 07 13:40:53 [IKEv1]: Removing peer from peer table failed, no match!
Dec 07 13:40:53 [IKEv1]: Error: Unable to remove PeerTblEntry



and the static side says nothing at the same debug level.
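To make the policy-ordering point above concrete, here is an added Python model (not code from the thread, and not Cisco's implementation) of IKEv1 phase-1 policy selection, run over abridged copies of the `show run all isakmp` output and the priority-5 rsa-sig policy added above. It assumes the responder walks its own policies in priority order and accepts the first one that matches any offered proposal on authentication, encryption, hash and DH group (lifetime is negotiated separately and is not compared).

```python
import re

# Attributes compared when matching policies (lifetime is negotiated separately; not compared here).
COMPARED = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(show_run):
    """Parse `crypto isakmp policy N` blocks into (priority, attrs), lowest priority number first."""
    policies, cur = [], None
    for line in (l.strip() for l in show_run.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = {}
            policies.append((int(m.group(1)), cur))
        elif cur is not None and line.split(" ")[0] in COMPARED:
            key, value = line.split(" ", 1)
            cur[key] = value.strip()
    return sorted(policies, key=lambda p: p[0])

def select_policy(initiator_run, responder_run):
    """Modelled selection: the initiator offers every policy it has; the responder walks
    its own list in priority order and takes the first entry that matches any offer on all
    COMPARED attributes. Returns (responder_prio, initiator_prio, attrs) or None."""
    offered = parse_isakmp_policies(initiator_run)
    for r_prio, r_attrs in parse_isakmp_policies(responder_run):
        for i_prio, i_attrs in offered:
            if all(r_attrs.get(k) == i_attrs.get(k) for k in COMPARED):
                return (r_prio, i_prio, r_attrs)
    return None

# Constructed, abridged copy of the `show run all isakmp` both ASAs had (policies 20-130 and lifetimes dropped).
ORIGINAL = """crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2"""
# The policy the poster put in front at priority 5 (constructed from the thread).
RSA_POLICY_5 = """crypto isakmp policy 5
authentication rsa-sig
encryption aes-256
hash sha
group 5
"""

if __name__ == "__main__":
    print(select_policy(ORIGINAL, ORIGINAL))                     # policy 10 wins: pre-share
    print(select_policy(RSA_POLICY_5, ORIGINAL))                 # None: the static side has no match
    print(select_policy(RSA_POLICY_5, RSA_POLICY_5 + ORIGINAL))  # policy 5 on both sides: rsa-sig
```

The second case shows why adding the rsa-sig policy on the dynamic side alone is not enough: the static side must carry a matching policy, and it must precede the pre-share ones.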

Ivan Martinon Mon, 12/07/2009 - 11:45
User Badges:
  • Cisco Employee,

isakmp enable outside is on, right? Can you post your show run from both sides please?

Ivan Martinon Mon, 12/07/2009 - 14:19
User Badges:
  • Cisco Employee,

Ok, so there are 2 things I would change. One is on the SYS-ASA01, that is, having the dynamic tunnel at the very end of the crypto map statements:



crypto map vpn 8 ipsec-isakmp dynamic instant-issue-00 ------ move this one down
crypto map vpn 10 match address 205.255.226.10
crypto map vpn 10 set peer 205.255.226.10
crypto map vpn 10 set transform-set AES-SHA
crypto map vpn 10 set security-association lifetime seconds 28800
crypto map vpn 10 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside


crypto map vpn 65535 ipsec-isakmp dynamic instant-issue-00


On the sys-ii-asa00 go ahead and add the following:


crypto map outside_map1 1 set trustpoint sys-ii-asa00

As well, please add the following debug too:

debug crypto ca transactions 25

On both sides please.

################################################################################


I moved 8->65535


crypto map vpn 65535 ipsec-isakmp dynamic instant-issue-00
crypto dynamic-map instant-issue-00 65535 match address outside_cryptomap_2
crypto dynamic-map instant-issue-00 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5


I keep seeing things like: Dec 07 17:27:02 [IKEv1]: Ignoring msg to mark SA with specified coordinates dead
when I configure it.


and added:


crypto map outside_map1 1 set trustpoint sys-ii-asa00


to sys-ii-asa00, but its trustpoint for this VPN is sys-asa01, isn't it?


################################################################################
When I ping:


SYS-ASA01# show debug
debug crypto ca messages enabled at level 25
debug crypto ca transactions enabled at level 25
debug crypto isakmp enabled at level 25
SYS-ASA01#



sys-ii-asa00# show debug
debug crypto ca messages enabled at level 25
debug crypto ca transactions enabled at level 25
debug crypto isakmp enabled at level 25
sys-ii-asa00# Dec 07 17:30:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 17:30:49 [IKEv1]: Initiator failed to open cert context
Dec 07 17:30:49 [IKEv1]: Removing peer from peer table failed, no match!
Dec 07 17:30:49 [IKEv1]: Error: Unable to remove PeerTblEntry



That's all I see.
