Error between Cisco 871 and ASA 5505 - Phase 1 failure: Mismatched attribute types for class

mawallace · ‎06-12-2010

When site a connects to site b, I see the message below during Phase 1.

I have tried to figure out what it means, but with no success.

Could someone help, please?

Config files are below

Error message:-
Local4.Notice      210.0.0.100      %ASA-5-713904: IP = 83.104.158.217, Received encrypted packet with no matching SA, dropping
Local4.Notice       210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description:   Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100       %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice       210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description:   Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100       %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice       210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100      %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description:   Rcv'd: Group 1 Cfg'd: Group 2
Local4.Notice      210.0.0.100       %ASA-5-713119: Group = 83.104.158.217, IP = 83.104.158.217, PHASE 1 COMPLETED

Marcin Latosiewicz · ‎06-13-2010

Local4.Notice 210.0.0.100 %ASA-5-713904: IP = 83.104.158.217, Received encrypted packet with no matching SA, dropping

means excrypted packet without a matching SPI arrived and was dropped

Local4.Notice 210.0.0.100 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

The error means that group setting for Diffie-Hellman on both sides mismatched.

In parctice it mean that we did not negotiaite phase 1 settings:

in your config

---------

crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

---------

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

---------

please note that phase 1 completes....

Local4.Notice 210.0.0.100 %ASA-5-713119: Group = 83.104.158.217, IP = 83.104.158.217, PHASE 1 COMPLETED

-------------
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0

crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 83.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route

-------------

while the other side

-------------

access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 210.0.0.0 0.0.0.255

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to217.46
set peer 217.46
set transform-set ESP-3DES-SHA1
set pfs group2
match address 104
reverse-route

------------

Setting seems to match ... we'd need more debugs ... if the tunnel fails to establish .... or maybe see if NAT traversal is initialised ...

mawallace · ‎06-13-2010

I will be at that site again in a few days so will post a debug then!

It seems to me that the 871 proposes group 1 - and the ASA accepts this - deispite waht is shown in the configs?

mawallace · ‎06-15-2010

Debug attached!

Marcin Latosiewicz · ‎06-15-2010

Any chance we can get debugs from both sides at the same time?

It looks like ASA part is going through connection OK. we're landing on tunnel-group 83.104.158.217 ....

I've also noticed that the IP address of ASA in crypto isakmp key is the only one without no-xauth configured.

edit no2.

To effectively debug only those sides "deb crypto cond ..."

edit no3.

Did we debug ipsec too?

No phase 2 initiation seen on ASA - means the initiator (router) prbably screwed about somwehere before MM6 and QM1 .. so xauth or identifies.

mawallace · ‎06-16-2010

I will try to get a debug on the other side when I next vist that site - though it may not be for a few weeks!

Marcin Latosiewicz · ‎06-16-2010

To avoid delays, let's even get too much.

Router:

1) Change crypto isakmp key statment to "no-xauth"

2)

deb crypto cond peer ipv4 ...

deb cry isa

deb crypto ipsec

deb cry kmi

3) Show cryto isa sa

4) show crypto ipsec sa

ASA

1)

deb crypto condition peer

deb cry isa 100

deb cryp ips 100

2) show cry isa

If you're interested we might think of a backup solution ... like GRE over IPsec/VTI we can put in there just so you don't have to go there more then once, or not with that of an urgency