06-30-2011 02:22 PM - edited 03-11-2019 01:53 PM
Hello,
I am trying to establish a tunnel with a NetGear VPN appliance, and am receiving the error: Unknown identification type, Phase 2, Type 7.
Here is the config specific to the tunnel:
name 10.200.139.192 CNN description CNN Internal Network
name 10.10.0.0 CNN_RemoteLocalNet description CNN Internal Remote Network
access-list CNN_Tunnel extended permit ip CNN 255.255.255.192 CNN_RemoteLocalNet 255.255.255.0
crypto isakmp identity address
crypto map outside_map 181 match address CNN_Tunnel
crypto map outside_map 181 set peer x.x.x.x
crypto map outside_map 181 set transform-set ESP-3DES-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key ****
Here is the debug (I blanked out the remote IP):
Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 160
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Oakley proposal is acceptable
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received NAT-Traversal RFC VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715049: IP = x.x.x.x, Received DPD VID
Jun 30 14:09:52 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing IKE SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715028: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 8
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ISAKMP SA payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Jun 30 14:09:52 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 248
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ke payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing ISA_KE payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing nonce payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: IP = x.x.x.x, processing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing ke payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing nonce payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing Cisco Unity VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing xauth V6 VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send IOS VID
Jun 30 14:09:53 10.200.3.10 %ASA-7-715038: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing VID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715048: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: IP = x.x.x.x, constructing NAT-Discovery payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, computing NAT Discovery hash
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, Generating keys for Responder...
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Jun 30 14:09:53 10.200.3.10 %ASA-6-713172: Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jun 30 14:09:53 10.200.3.10 %ASA-7-713906: IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-4-713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715076: Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Jun 30 14:09:53 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 30 14:09:53 10.200.3.10 %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x
Jun 30 14:09:53 10.200.3.10 %ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Jun 30 14:09:53 10.200.3.10 %ASA-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD
Jun 30 14:09:53 10.200.3.10 %ASA-7-715080: Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 21600 seconds.
Jun 30 14:09:53 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=c4230ffe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:53 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66
Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9f8b4c66) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing SA payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing nonce payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ke payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713035: Group = x.x.x.x, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 10.10.0.0, Mask 255.255.255.0, Protocol 0, Port 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Jun 30 14:09:54 10.200.3.10 %ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7
Jun 30 14:09:54 10.200.3.10 %ASA-3-713048: Group = x.x.x.x, IP = x.x.x.x, Error processing payload: Payload ID: 5
Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xbb855580, mess id 0x9f8b4c66)!
Jun 30 14:09:54 10.200.3.10 %ASA-7-715065: Group = x.x.x.x, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xbb855580) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Jun 30 14:09:54 10.200.3.10 %ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:2defb47b terminating: flags 0x01010002, refcnt 0, tuncnt 0
Jun 30 14:09:54 10.200.3.10 %ASA-7-713906: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-715046: Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jun 30 14:09:54 10.200.3.10 %ASA-7-713236: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=2855955e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 30 14:09:54 10.200.3.10 %ASA-4-113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Jun 30 14:10:04 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
Jun 30 14:10:14 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
Jun 30 14:10:25 10.200.3.10 %ASA-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
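Added example, not part of the original post: a small parser that pulls the Quick Mode ID payloads out of ASA debug lines like the ones above and names the rejected ID type. The type numbers come from the IPsec DOI (RFC 2407), where 7 is ID_IPV4_ADDR_RANGE, and Quick Mode carries IDci before IDcr, so the second ID payload is the peer's selector for the responder-side network. The function name `quick_mode_ids` is made up for this example.

```python
import re

# ID type values from the IPsec DOI for ISAKMP (RFC 2407, section 4.6.2.1).
IPSEC_DOI_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE",
    9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# Lines copied from the debug above, with timestamp and logging host trimmed.
SAMPLE_LOG = """\
%ASA-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = 9f8b4c66
%ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
%ASA-7-714011: Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.10.0.0--255.255.255.0
%ASA-7-715047: Group = x.x.x.x, IP = x.x.x.x, processing ID payload
%ASA-3-713016: Group = x.x.x.x, IP = x.x.x.x, Unknown identification type, Phase 2, Type 7
%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0xbb855580, mess id 0x9f8b4c66)!
"""

SYSLOG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
QM_START = re.compile(r"starting QM: msg id = ([0-9a-f]+)")
ID_OK = re.compile(r"(ID_[A-Z0-9_]+) ID received(?:--(\S+))?")
ID_BAD = re.compile(r"Unknown identification type, Phase 2, Type (\d+)")

def quick_mode_ids(log_text):
    """Return one record per Quick Mode exchange with its ID payloads in order."""
    exchanges = []
    for line in log_text.splitlines():
        m = SYSLOG.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "714003" and (s := QM_START.search(text)):
            exchanges.append({"msgid": s.group(1), "ids": []})
        elif not exchanges:
            continue  # Phase 1 (Main Mode) lines before any Quick Mode
        elif msg_id == "714011" and (ok := ID_OK.search(text)):
            exchanges[-1]["ids"].append((ok.group(1), ok.group(2), True))
        elif msg_id == "713016" and (bad := ID_BAD.search(text)):
            n = int(bad.group(1))
            name = IPSEC_DOI_ID_TYPES.get(n, f"unassigned({n})")
            exchanges[-1]["ids"].append((name, None, False))
    # Quick Mode carries IDci then IDcr: initiator's selector, then responder's.
    for ex in exchanges:
        ex["ids"] = [dict(role=r, type=t, value=v, accepted=a)
                     for r, (t, v, a) in zip(("IDci", "IDcr"), ex["ids"])]
    return exchanges
```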
07-04-2011 02:32 AM
You only mention that you have a NetGear device? Do you have a Cisco device in the configuration?
THANKS
Rick Roe
Cisco Small Business Support Center
07-07-2011 09:43 AM
Yes, I have a Cisco ASA5540, trying to connect to a Netgear SRX5308 on the other side of the tunnel.