Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.

VPN phase1 flapping issue

Unanswered Question
Apr 16th, 2014

Hi,

I have 5 S2S VPNs configured on an ASA; for the last two days I have been observing Phase 1 flapping.

However, when I run debug crypto isakmp 127 or 200 I get logs like the ones below.

 

[IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5

 

My configuration for VPN Phase 1 is:

 

fw-999967-353904/pri/act# sh run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp ipsec-over-tcp port 10000

 

I cannot check the other site's configuration.

 

Could anyone please suggest how to get rid of this problem?

Thanks

 

Rudy Sanjoko Thu, 04/17/2014 - 01:18

It's saying that you received DH group 5 from the neighbor and what you have configured is group 2 and group 1. There is also one log line saying that you received group 2 but what you have is group 5. So if you can't change the config on the other site, the best way is to change your site to match the other site. You will need to modify the above isakmp policies.
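As an added example (not from the thread, and not Cisco tooling), the comparison made in this reply done mechanically in Python: it parses `debug crypto isakmp` lines in the format quoted in the post, treating each line as one failed comparison between the peer's proposal and one local policy, collects the Rcv'd values across lines to recover what the peer proposed, parses `show run crypto isakmp`, and reports which proposed values no local policy offers. The sample log and config are constructed from the original post; the class-to-keyword mapping covers only the Group Description class seen here, and the config parser assumes show run lists every attribute of each policy, as it does in the post.

```python
"""Triage IKEv1 Phase 1 'Mismatched attribute' debug lines against the
local ASA ISAKMP policies (added example; not from the original thread)."""

import re
from collections import defaultdict

# One debug line per failed comparison between the peer's proposal and one
# local policy, in the wording quoted in the thread.
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s+"
    r"Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")

# Log class name -> (policy keyword, how the policy value appears in the log).
# Assumption: only the class seen in the thread is mapped; other classes need
# their own entry once their log wording is known.
CLASS_TO_ATTR = {"Group Description": ("group", lambda v: "Group " + v)}


def parse_mismatches(log_text):
    """Collect, per attribute class, every value the peer was seen proposing.

    The Cfg'd side is the local policy that failed the comparison; the Rcv'd
    side, taken across all lines, is what the peer actually offered."""
    received = defaultdict(set)
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            received[m.group("cls").strip()].add(m.group("rcvd").strip())
    return dict(received)


def parse_policies(show_run_text):
    """Return {policy number: {keyword: value}} from `show run crypto isakmp`.

    Assumes every attribute is listed under its policy, as in the post."""
    policies = {}
    current = None
    for raw in show_run_text.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        elif line.strip():
            current = None  # any other top-level command ends the policy block
    return policies


def unmatched_proposals(received, policies):
    """Return {class: sorted peer values that no local policy offers}.

    An empty result means every proposed value is covered locally, so a
    persistent Phase 1 failure must come from an attribute these lines do
    not show (or from the peer rejecting our own proposals)."""
    result = {}
    for cls, values in received.items():
        if cls not in CLASS_TO_ATTR:
            result[cls] = sorted(values)  # unmapped class: report as-is
            continue
        keyword, fmt = CLASS_TO_ATTR[cls]
        offered = {fmt(p[keyword]) for p in policies.values() if keyword in p}
        missing = sorted(values - offered)
        if missing:
            result[cls] = missing
    return result


def triage(log_text, config_text):
    """Parse both inputs and report proposed values with no local match."""
    return unmatched_proposals(parse_mismatches(log_text), parse_policies(config_text))


# Constructed sample: the three distinct debug lines quoted in the post.
SAMPLE_DEBUG = """\
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Apr 17 00:15:55 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
"""

# Constructed sample: the poster's policies, reduced to one per DH group.
SAMPLE_CONFIG = """\
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
"""

if __name__ == "__main__":
    print("peer proposed:", parse_mismatches(SAMPLE_DEBUG))
    print("not offered locally:", triage(SAMPLE_DEBUG, SAMPLE_CONFIG))
    # Same logs against a config whose only group-5 policy is changed to group 2:
    print("without a group 5 policy:",
          triage(SAMPLE_DEBUG, SAMPLE_CONFIG.replace(" group 5\n", " group 2\n")))
```

Run against the original post's output, the script reports nothing uncovered for the DH group: policy 30 already offers group 5 and policies 5, 10, 20 and 40 offer group 2. The ASA emits one mismatch line for every local policy that did not match a received transform, so these lines on their own do not show that the group is what is ultimately failing; the remaining attributes of the peer's proposal (encryption, hash, authentication method, lifetime) are the next thing to compare against the policies.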

Gajendra R' Thu, 04/17/2014 - 01:25

Hi, I have tried to configure ISAKMP with Group 2 and Group 5 at my end, but unfortunately it is not resolved. Could you please suggest what config I need to configure at my end?

 

I have tried with:

crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

 

 

Poonam Garg Thu, 04/17/2014 - 02:55

"When we create a site-to-site tunnel, we use DH group 2, because it is a site-to-site with pre-shared keys. DH group 5 is used when we want to use certificates."

Reference: http://dgablog.dyndns.org/2014/03/04/ikev1phase-1-failure-mismatched-att...

 

This is common when certificate based authentication has been enabled within the connection profile on the ASA but the default IKEv1 policies used to negotiate the necessary Phase 1 information are configured only for pre-shared key information. In this instance, we have to use the information to add a new IKEv1 policy using AES-256, SHA, and RSA-SIG authentication with the default lifetimes. Afterward, the IPsec client can now connect successfully.

You need to use rsa-sig as authentication method on your ASA to fix this problem.

 

HTH

"Kindly rate helpful posts"

syed kazim abbas Tue, 04/22/2014 - 23:54

The above configuration should work, as shown in the logs. If not, then you have to check the other end, or

put all possible policy combinations,

nothing else.

 

HTH

"Kindly rate helpful posts"
