L2L VPN: Unknown identification type, Phase 2, Type 7

dhawkes
Level 1

Hello,

I am trying to establish a tunnel with a NetGear VPN appliance, and am receiving the error: Unknown identification type, Phase 2, Type 7.

Here is the config specific to the tunnel:

name 10.200.139.192 CNN description CNN Internal Network

name 10.10.0.0 CNN_RemoteLocalNet description CNN Internal Remote Network

access-list CNN_Tunnel extended permit ip CNN 255.255.255.192 CNN_RemoteLocalNet 255.255.255.0

crypto isakmp identity address

crypto map outside_map 181 match address CNN_Tunnel

crypto map outside_map 181 set peer x.x.x.x

crypto map outside_map 181 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key ****

Here is the debug (I blanked out the remote IP):

Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 160

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Oakley proposal is acceptable

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal RFC VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received DPD VID

Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing IKE SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715028: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ISAKMP SA payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload

Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 248

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ke payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing nonce payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ke payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing nonce payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Cisco Unity VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing xauth V6 VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send IOS VID

Jun 30 14:09:53 10.200.3.10 %ASA-7-715038: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing VID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder...

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received

x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Jun 30 14:09:53 10.200.3.10 %ASA-6-713172: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP

Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Jun 30 14:09:53 10.200.3.10 %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x

Jun 30 14:09:53 10.200.3.10 %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

Jun 30 14:09:53 10.200.3.10 %ASA-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD

Jun 30 14:09:53 10.200.3.10 %ASA-7-715080: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 21600 seconds.

Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=c4230ffe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing notify payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66

Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9f8b4c66) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing SA payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing nonce payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ke payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713035: Group = x.x.x.x, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.10.0.0, Mask 255.255.255.0, Protocol 0, Port 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload

Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7

Jun 30 14:09:54 10.200.3.10 %ASA-3-713048: Group = x.x.x.x, IP = x.x.x.x, Error processing payload: Payload ID: 5

Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xbb855580, mess id 0x9f8b4c66)!

Jun 30 14:09:54 10.200.3.10 %ASA-7-715065: Group = x.x.x.x, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xbb855580)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b terminating:  flags 0x01010002, refcnt 0, tuncnt 0

Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=2855955e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Jun 30 14:09:54 10.200.3.10 %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

Jun 30 14:10:04 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Jun 30 14:10:14 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Jun 30 14:10:25 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping


riroe
Level 3

You only mention that you have a NetGear device?  Do you have a Cisco device in the configuration?

THANKS

Rick Roe

Cisco Small Business Support Center

Yes, I have a Cisco ASA5540, trying to connect to a Netgear SRX5308 on the other side of the tunnel.
