Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

S2S VPN fails to establish phase 1

One S2S VPN connection fails to establish phase one:

See here the ISAKMP debug:

Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing SA payload

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Oakley proposal is acceptable

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received NAT-Traversal RFC VID

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received DPD VID

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing IKE SA payload

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 18

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing ISAKMP SA payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing NAT-Traversal VID ver RFC payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing Fragmentation VID + extended capabilities payload

Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Feb 13 12:04:20 [IKEv1]: IP = 62.2.198.34, IKE_DECODE RECEIVED Message (msgid=40f24c97) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ke payload

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ISA_KE payload

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing nonce payload

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 41

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE MM Responder FSM error history (struct &0x72a8208)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2-->MM_BLD_MSG2, EV_CREATE_TMR

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA MM:eb111f2f terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, sending delete/delete with reason message

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Removing peer from peer table failed, no match!

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Error: Unable to remove PeerTblEntry

Cannot find any misconfiguration on our side. The remote side is a Zywall.

This connection used to work for quite a while and failed about 2 weeks ago.

What causes this problem?

3 REPLIES

S2S VPN fails to establish phase 1

Seems to missmatched DH group.

Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Please try to change DH group to 5 at this end and see the results.

Thanks

Ajay

S2S VPN fails to establish phase 1

Please make sure, that you have isakmp policy are configured same at both end.

FYI...

If you use DES, you need to use MD5 for the hash algorithm.

copy your policies on the forum.

thanks

New Member

S2S VPN fails to establish phase 1

At the beginning I taught also this is the problem. But, the  negotiation does not stop at that point. Some lines further down in the  trace you will find:

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 18

Our Box has more than 20 diffrent proposal and # 18 matches.

This is entry:

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

The negotiation process stops later after the massage:

Feb  13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message  (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), ***  ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296

The customer gets the following:

3 2012-02-13 17:24:51 IKE Negotiation is in process 212.xx.xx.xx 194.56.0.58 IKE

4 2012-02-13 17:24:51 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.56.0.58 IKE

5 2012-02-13 17:24:47 Send:[NOTFY:ERR_PAYLOAD_TYPE] 212.xx.xx.xx 194.xx.xx.xx IKE

6 2012-02-13 17:24:47 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.xx.xx.xx IKE

7 2012-02-13 17:24:47 Recv:[NOTFY:ERR_PAYLOAD_TYPE] 194.xx.xx.xx 212.xx.xx.xx IKE

11854
Views
0
Helpful
3
Replies
CreatePlease to create content