
New Member

Phase 2 type code table needed

Hi, we have the following error with an L2L tunnel between ASA 5540 ver 8.0(3) and a Sonicwall:

<163>%ASA-3-713016: Group = x.y.z.w, IP = x.y.z.w, Unknown identification type, Phase 2, Type 7

What does it mean?

Do you have a phase 2 type code table?

Thanks

6 REPLIES
New Member

Re: Phase 2 type code table needed

VPN tunnel between ASA and Sonicwall is failing in phase II. The logs indicate that the crypto ACL is not matching, hence the tunnel is failing. Unknown identification type, Phase 2, Type 7

New Member

Phase 2 type code table needed

Hi dsweeny, I had the same issue as the poster of the thread, and your suggestion resolved my issues. Thank you very much.

New Member

Re: Phase 2 type code table needed

Hi,

Have you resolved the issue? If so, please let me know the solution, since I have the same problem when I do a Site-2-Site VPN tunnel between Sonicwall and ASA 5520 ver 8.0(4).

Thanks in advance

Bronze

Re: Phase 2 type code table needed

RFC 2407:

       ID Type                   Value
       -------                   -----
       RESERVED                            0
       ID_IPV4_ADDR                        1
       ID_FQDN                             2
       ID_USER_FQDN                        3
       ID_IPV4_ADDR_SUBNET                 4
       ID_IPV6_ADDR                        5
       ID_IPV6_ADDR_SUBNET                 6
       ID_IPV4_ADDR_RANGE                  7
       ID_IPV6_ADDR_RANGE                  8
       ID_DER_ASN1_DN                      9
       ID_DER_ASN1_GN                      10
       ID_KEY_ID                           11

http://www.ietf.org/rfc/rfc2407.txt

ASA will only support ID_IPV4_ADDR and ID_IPV4_ADDR_SUBNET when you're specifying proxy ID information AFAIK

New Member

Re: Phase 2 type code table needed

Whenever you are peering between multiple vendors, make sure you set the proxy-id in the remote non-Cisco vendor. Faced this issue a couple of times.

New Member

Phase 2 type code table needed

I got this problem too. We have an ASA 5580 - 8.2 that is used with VPN.

Our ASA --> Sonic Wall => Phase 1 and 2 are ok.

Sonic Wall --> Our ASA ==> Phase 1 ok and Phase 2 shows the same message.

So I asked the SonicWall admin to check whether they are sending the correct Local and Remote Address.

Maybe it's the Remote Address on their side, because we have two hosts on our local network and the ID is showing that they are sending an IP range instead of 2 hosts (or two ip/32).

If that doesn't solve it, the next try will be the proxy-id.
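
Added example, not part of any post in this thread: Python that decodes the 713016 message from the question using the RFC 2407 table quoted above, and rewrites an IPv4 range as the host/subnet entries covering the same addresses, which is the change the last post considers. The function names, sample log lines and addresses are constructed for illustration; the set of ID types the ASA accepts is taken from the reply above, where it is stated as "AFAIK".

```python
import ipaddress
import re

# ID types from the RFC 2407 table quoted above (value -> name).
ID_TYPES = dict(enumerate([
    "RESERVED", "ID_IPV4_ADDR", "ID_FQDN", "ID_USER_FQDN",
    "ID_IPV4_ADDR_SUBNET", "ID_IPV6_ADDR", "ID_IPV6_ADDR_SUBNET",
    "ID_IPV4_ADDR_RANGE", "ID_IPV6_ADDR_RANGE", "ID_DER_ASN1_DN",
    "ID_DER_ASN1_GN", "ID_KEY_ID",
]))

# Assumption from the reply above ("AFAIK"): types the ASA accepts as proxy IDs.
ASA_PROXY_ID_TYPES = {1, 4}

# Message layout taken from the 713016 line in the original question.
MSG_713016 = re.compile(
    r"%ASA-3-713016: Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"Unknown identification type, Phase (?P<phase>\d+), Type (?P<type>\d+)"
)

def decode_713016(line):
    """Decode one syslog line; return None if it is not a 713016 message."""
    m = MSG_713016.search(line)
    if m is None:
        return None
    code = int(m.group("type"))
    return {
        "peer": m.group("ip"),
        "phase": int(m.group("phase")),
        "type_code": code,
        "type_name": ID_TYPES.get(code, "not in RFC 2407 table"),
        "asa_accepts": code in ASA_PROXY_ID_TYPES,
    }

def range_as_subnets(first, last):
    """Rewrite an IPv4 range as host/subnet entries covering exactly the same addresses."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

# Constructed sample input (addresses are from documentation ranges).
SAMPLE_LOG = [
    "<163>%ASA-3-713016: Group = 192.0.2.10, IP = 192.0.2.10, Unknown identification type, Phase 2, Type 7",
    "<166>constructed unrelated syslog line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode_713016(line))
    # Constructed range: a peer-side network defined as .20 through .22
    print(range_as_subnets("198.51.100.20", "198.51.100.22"))
```
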
