S2S VPN fails to establish phase 1

eritzmann
Level 1

One S2S VPN connection fails to establish phase one:

See here the ISAKMP debug:

Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing SA payload

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Oakley proposal is acceptable

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received NAT-Traversal RFC VID

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received DPD VID

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing IKE SA payload

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 18

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing ISAKMP SA payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing NAT-Traversal VID ver RFC payload

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing Fragmentation VID + extended capabilities payload

Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Feb 13 12:04:20 [IKEv1]: IP = 62.2.198.34, IKE_DECODE RECEIVED Message (msgid=40f24c97) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ke payload

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ISA_KE payload

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing nonce payload

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 41

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE MM Responder FSM error history (struct &0x72a8208)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2-->MM_BLD_MSG2, EV_CREATE_TMR

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA MM:eb111f2f terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, sending delete/delete with reason message

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Removing peer from peer table failed, no match!

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Error: Unable to remove PeerTblEntry

Cannot find any misconfiguration on our side. The remote side is a Zywall.

This connection used to work for quite a while and failed about 2 weeks ago.

What causes this problem?

3 Replies

ajay chauhan
Level 7

Seems to be a mismatched DH group.

Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Please try to change DH group to 5 at this end and see the results.

Thanks

Ajay

rizwanr74
Level 7

Please make sure that you have the isakmp policy configured the same at both ends.

FYI...

If you use DES, you need to use MD5 for the hash algorithm.

Copy your policies to the forum.

thanks

At the beginning I also thought this was the problem. But the negotiation does not stop at that point. Some lines further down in the trace you will find:

Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 18

Our box has more than 20 different proposals and # 18 matches.

This is entry:

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

The negotiation process stops later, after the message:

Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296

The customer gets the following:

3 2012-02-13 17:24:51 IKE Negotiation is in process 212.xx.xx.xx 194.56.0.58 IKE

4 2012-02-13 17:24:51 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.56.0.58 IKE

5 2012-02-13 17:24:47 Send:[NOTFY:ERR_PAYLOAD_TYPE] 212.xx.xx.xx 194.xx.xx.xx IKE

6 2012-02-13 17:24:47 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.xx.xx.xx IKE

7 2012-02-13 17:24:47 Recv:[NOTFY:ERR_PAYLOAD_TYPE] 194.xx.xx.xx 212.xx.xx.xx IKE
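The thread turns on two things that are easy to misread in a long `debug crypto isakmp` trace: the repeated "Mismatched attribute types" lines (one per ISAKMP policy that did not fit, which is not fatal as long as some entry matches later) and the "UNKNOWN (20), *** ERROR ***" payloads in main-mode message 3. The script below is an added example, not code from the original thread or from Cisco. It parses ASA IKEv1 debug lines of the form quoted above, groups them per peer IP, counts the per-policy rejects separately from the "Matches global IKE entry" line, and decodes the numeric payload types in IKE_DECODE lines against the IANA ISAKMP payload registry (1 to 13 from RFC 2408; 20 is NAT-D and 21 is NAT-OA from RFC 3947, the RFC-style NAT traversal payloads). It only decodes what the ASA printed; it does not claim why the ASA rejected the payload. The sample lines are constructed from the debug in the post, and the mapping table is assumed to be the only decoding needed.

```python
"""Triage ASA IKEv1 main-mode debug output: per-peer policy rejects, the
matched policy entry, and decoded payload types (added example)."""
import re
from collections import Counter, defaultdict

# IANA "ISAKMP Next Payload" numbers: 0-13 per RFC 2408 section 3.1,
# 20 (NAT-D) and 21 (NAT-OA) per RFC 3947. Other values are reported as
# unassigned/private instead of being guessed.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}

IP_RE = re.compile(r"IP = (?P<ip>\d+\.\d+\.\d+\.\d+)")
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$")
MATCH_RE = re.compile(
    r"IKE SA Proposal # (?P<prop>\d+), Transform # (?P<tx>\d+) acceptable\s+"
    r"Matches global IKE entry # (?P<entry>\d+)")
DECODE_RE = re.compile(
    r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\) "
    r"with payloads : (?P<payloads>.+?) total length : (?P<len>\d+)")
# One payload token, e.g. "SA (1)" or "UNKNOWN (20), *** ERROR ***".
TOKEN_RE = re.compile(r"^(?P<name>[\w-]+) \((?P<num>\d+)\)(?P<err>, \*\*\* ERROR \*\*\*)?$")

# Constructed sample: a subset of the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 18
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Feb 13 12:04:20 [IKEv1]: IP = 62.2.198.34, IKE_DECODE RECEIVED Message (msgid=40f24c97) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 41
"""


def parse_payloads(field):
    """Turn 'HDR + SA (1) + ... + NONE (0)' into a list of
    (asa_name, number, iana_name, flagged_error) tuples. HDR is the
    ISAKMP header, not a payload, so it is skipped."""
    out = []
    for tok in field.split(" + "):
        tok = tok.strip()
        if tok == "HDR":
            continue
        m = TOKEN_RE.match(tok)
        if not m:
            continue
        num = int(m["num"])
        out.append((m["name"], num, PAYLOAD_TYPES.get(num, "unassigned/private"),
                    m["err"] is not None))
    return out


def parse_debug(text):
    """Group debug lines per peer IP. Mismatch lines carry no IP on the ASA,
    so they are attributed to the most recently seen peer."""
    peers = defaultdict(lambda: {"mismatches": Counter(), "matched_entry": None, "messages": []})
    last_ip = None
    for line in text.splitlines():
        ip = IP_RE.search(line)
        if ip:
            last_ip = ip["ip"]
        if last_ip is None:
            continue
        peer = peers[last_ip]
        if m := MISMATCH_RE.search(line):
            peer["mismatches"][(m["cls"], m["rcvd"], m["cfgd"])] += 1
        elif m := MATCH_RE.search(line):
            peer["matched_entry"] = int(m["entry"])
        elif m := DECODE_RE.search(line):
            peer["messages"].append({"dir": m["dir"], "msgid": m["msgid"],
                                     "length": int(m["len"]),
                                     "payloads": parse_payloads(m["payloads"])})
    return dict(peers)


def unknown_payloads(peer):
    """Payload numbers the ASA printed as UNKNOWN or flagged with *** ERROR ***,
    decoded via the IANA registry; sorted, without duplicates."""
    seen = {}
    for msg in peer["messages"]:
        for asa_name, num, iana, flagged in msg["payloads"]:
            if asa_name == "UNKNOWN" or flagged:
                seen[num] = iana
    return sorted(seen.items())


def phase1_verdict(peer):
    """One-line statement of where Phase 1 stopped for this peer."""
    if peer["matched_entry"] is None:
        if peer["mismatches"]:
            rejects = "; ".join(f"{cls}: received {rcvd}, configured {cfgd} (x{n})"
                                for (cls, rcvd, cfgd), n in peer["mismatches"].most_common())
            return f"no ISAKMP policy matched ({rejects})"
        return "no Phase 1 proposal seen"
    unknown = unknown_payloads(peer)
    if unknown:
        names = ", ".join(f"{num} ({iana})" for num, iana in unknown)
        return (f"proposal matched entry {peer['matched_entry']}; failure is later, on a message "
                f"carrying payload type(s) the ASA flagged as UNKNOWN: {names}")
    return f"proposal matched entry {peer['matched_entry']}; no payload errors seen"


if __name__ == "__main__":
    for ip, peer in parse_debug(SAMPLE_DEBUG).items():
        print(f"{ip}: {phase1_verdict(peer)}")
```

Run on the constructed sample, the 212.25.16.121 peer reports the proposal matched entry 18 and two flagged payloads of type 20, which the IANA registry names NAT-D. Reading the verdict that way keeps the DH-group reject lines, which the ASA emits for every policy it tries before the match, separate from the actual point of failure in message 3.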