06-12-2010 05:50 PM
When site a connects to site b, I see the message below during Phase 1.
I have tried to figure out what it means, but with no success.
Could someone help, please?
Config files are below
Error message:-
Local4.Notice 210.0.0.100 %ASA-5-713904: IP = 83.104.158.217, Received encrypted packet with no matching SA, dropping
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713119: Group = 83.104.158.217, IP = 83.104.158.217, PHASE 1 COMPLETED
06-13-2010 01:38 AM
Local4.Notice 210.0.0.100 %ASA-5-713904: IP = 83.104.158.217, Received encrypted packet with no matching SA, dropping
means an encrypted packet without a matching SPI arrived and was dropped
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
The error means that the group setting for Diffie-Hellman on both sides is mismatched.
In practice it means that we did not negotiate phase 1 settings:
in your config
---------
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
---------
---------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
---------
please note that phase 1 completes....
Local4.Notice 210.0.0.100 %ASA-5-713119: Group = 83.104.158.217, IP = 83.104.158.217, PHASE 1 COMPLETED
-------------
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 83.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
-------------
while the other side
-------------
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 210.0.0.0 0.0.0.255
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.46
set peer 217.46
set transform-set ESP-3DES-SHA1
set pfs group2
match address 104
reverse-route
------------
Setting seems to match ... we'd need more debugs ... if the tunnel fails to establish .... or maybe see if NAT traversal is initialised ...
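As an added example (not code from this thread), a small Python parser for the ASA syslog lines quoted above: it extracts the message ID and peer IP, pulls the received and configured values out of 713257 mismatch messages, and records whether Phase 1 nevertheless completed (713119) for that peer. The sample log is constructed to match the thread's format, and the regular expressions are assumptions based on the quoted text.

```python
import re
from collections import Counter

# Constructed sample, reproducing the three message types seen in the thread.
SAMPLE_LOG = """\
Local4.Notice 210.0.0.100 %ASA-5-713904: IP = 83.104.158.217, Received encrypted packet with no matching SA, dropping
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice 210.0.0.100 %ASA-5-713119: Group = 83.104.158.217, IP = 83.104.158.217, PHASE 1 COMPLETED
"""

# Assumed patterns, derived from the quoted lines rather than from Cisco documentation.
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d+): (?P<body>.*)$")
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)
IP_RE = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Return a dict with message id, severity, peer IP and (for 713257) the
    mismatched class plus received/configured values, or None if not an ASA line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"id": int(m.group("id")), "severity": int(m.group("sev")), "body": m.group("body")}
    ip = IP_RE.search(rec["body"])
    rec["peer"] = ip.group("ip") if ip else None
    mm = MISMATCH_RE.search(rec["body"])
    if mm:
        rec.update(attr_class=mm.group("cls"), received=mm.group("rcvd"), configured=mm.group("cfgd"))
    return rec


def summarize(text):
    """Count mismatches per (class, received, configured), count no-SA drops per
    peer, and note peers that still completed Phase 1, as happened in the thread."""
    mismatches, no_sa_drops, completed = Counter(), Counter(), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["id"] == 713257 and "attr_class" in rec:
            mismatches[(rec["attr_class"], rec["received"], rec["configured"])] += 1
        elif rec["id"] == 713904:
            no_sa_drops[rec["peer"]] += 1
        elif rec["id"] == 713119:
            completed.add(rec["peer"])
    return {"mismatches": dict(mismatches), "no_sa_drops": dict(no_sa_drops), "completed": completed}
```

A mismatch entry whose received value is "Group 1" while the configured value is "Group 2", followed by a completion for the same peer, is exactly the pattern the thread is puzzling over: the responder rejected an earlier proposal and later accepted a different one.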
06-13-2010 01:56 PM
I will be at that site again in a few days so will post a debug then!
It seems to me that the 871 proposes group 1 - and the ASA accepts this - despite what is shown in the configs?
06-15-2010 08:08 AM
06-15-2010 08:42 AM
Any chance we can get debugs from both sides at the same time?
It looks like ASA part is going through connection OK. we're landing on tunnel-group 83.104.158.217 ....
I've also noticed that the IP address of ASA in crypto isakmp key is the only one without no-xauth configured.
edit no2.
To effectively debug only those sides "deb crypto cond ..."
edit no3.
Did we debug ipsec too?
No phase 2 initiation seen on ASA - means the initiator (router) probably screwed about somewhere before MM6 and QM1 .. so xauth or identities.
06-16-2010 03:00 PM
I will try to get a debug on the other side when I next visit that site - though it may not be for a few weeks!
06-16-2010 11:10 PM
To avoid delays, let's even get too much.
Router:
1) Change crypto isakmp key statement to "no-xauth"
2)
deb crypto cond peer ipv4 ...
deb cry isa
deb crypto ipsec
deb cry kmi
3) show crypto isa sa
4) show crypto ipsec sa
ASA
1)
deb crypto condition peer
deb cry isa 100
deb cryp ips 100
2) show cry isa
If you're interested we might think of a backup solution ... like GRE over IPsec/VTI we can put in there just so you don't have to go there more than once, or not with that much urgency