02-13-2012 05:44 AM
One S2S VPN connection fails to establish phase one. Here is the ISAKMP debug:
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing SA payload
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Oakley proposal is acceptable
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received NAT-Traversal RFC VID
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Received DPD VID
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing VID payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, processing IKE SA payload
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 18
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing ISAKMP SA payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing NAT-Traversal VID ver RFC payload
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, constructing Fragmentation VID + extended capabilities payload
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Feb 13 12:04:20 [IKEv1]: IP = 62.2.198.34, IKE_DECODE RECEIVED Message (msgid=40f24c97) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ke payload
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing ISA_KE payload
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, processing nonce payload
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 41
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE MM Responder FSM error history (struct &0x72a8208) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2-->MM_BLD_MSG2, EV_CREATE_TMR
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA MM:eb111f2f terminating: flags 0x01000002, refcnt 0, tuncnt 0
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, sending delete/delete with reason message
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Removing peer from peer table failed, no match!
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, Error: Unable to remove PeerTblEntry
Cannot find any misconfiguration on our side. The remote side is a Zywall.
This connection used to work for quite a while and failed about 2 weeks ago.
What causes this problem?
02-13-2012 07:26 AM
Seems to be a mismatched DH group.
Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Please try to change DH group to 5 at this end and see the results.
Thanks
Ajay
02-13-2012 07:51 AM
Please make sure that the isakmp policies are configured the same at both ends.
FYI...
If you use DES, you need to use MD5 for the hash algorithm.
Copy your policies to the forum.
thanks
02-13-2012 08:45 AM
At the beginning I also thought this was the problem. But the negotiation does not stop at that point. Some lines further down in the trace you will find:
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 18
Our box has more than 20 different proposals and # 18 matches.
This is the entry:
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
The negotiation process stops later, after the message:
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296
The customer gets the following:
3 2012-02-13 17:24:51 IKE Negotiation is in process 212.xx.xx.xx 194.56.0.58 IKE
4 2012-02-13 17:24:51 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.56.0.58 IKE
5 2012-02-13 17:24:47 Send:[NOTFY:ERR_PAYLOAD_TYPE] 212.xx.xx.xx 194.xx.xx.xx IKE
6 2012-02-13 17:24:47 The cookie pair is : 0xA41F922AB9DC2E7E / 0x0F6E1217BB737BF9 212.xx.xx.xx 194.xx.xx.xx IKE
7 2012-02-13 17:24:47 Recv:[NOTFY:ERR_PAYLOAD_TYPE] 194.xx.xx.xx 212.xx.xx.xx IKE
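An added example, not part of any post in this thread: a small Python script that parses the ASA ISAKMP debug lines quoted in the first post and separates the two things the trace shows, the per-policy "Group Description" mismatches that precede the match on global IKE entry # 18, and the payload type 20 that the ASA marks UNKNOWN in the peer's third main-mode message, after which the responder state machine records an error in MM_WAIT_MSG3. The payload type names come from RFC 2408 section 3.1 and RFC 3947 section 5 (where type 20 is NAT-D); the sample trace embedded in the script is copied from the first post, lines from a second peer (62.2.198.34) are deliberately kept so the peer filter has something to exclude, and all function and variable names are the example's own.

```python
"""Triage a Cisco ASA 'debug crypto isakmp' trace for an IKEv1 main-mode failure.

Added example for this thread; not Cisco code. Payload type numbers follow
RFC 2408 section 3.1 (ISAKMP) and RFC 3947 section 5 (NAT-D / NAT-OA)."""
import re
from collections import Counter

PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
    7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE",
    13: "VENDOR", 20: "NAT-D", 21: "NAT-OA",
}

DECODE_RE = re.compile(
    r"\[(?P<src>IKEv1[^\]]*)\]: IP = (?P<ip>[\d.]+), IKE_DECODE (?P<dir>RECEIVED|SENDING) "
    r"Message \(msgid=(?P<msgid>[0-9a-f]+)\) with payloads : (?P<payloads>.*?) "
    r"total length : (?P<length>\d+)")
PAYLOAD_RE = re.compile(r"([A-Z_]+) \((\d+)\)(, \*\*\* ERROR \*\*\*)?")
MISMATCH_RE = re.compile(r"Mismatched attribute types for class (?P<cls>[^:]+): "
                         r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
MATCH_RE = re.compile(r"Proposal # (\d+), Transform # (\d+) acceptable Matches global IKE entry # (\d+)")
FSM_RE = re.compile(r"FSM error history .*?<event>: (?P<hist>.+)$")

# Constructed sample: the relevant lines of the ASA trace posted at the top of the thread.
SAMPLE_TRACE = """\
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, Oakley proposal is acceptable
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Feb 13 12:04:19 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 18
Feb 13 12:04:19 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Feb 13 12:04:20 [IKEv1]: IP = 62.2.198.34, IKE_DECODE RECEIVED Message (msgid=40f24c97) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + UNKNOWN (20), *** ERROR *** + UNKNOWN (20), *** ERROR *** + NONE (0) total length : 296
Feb 13 12:04:20 [IKEv1]: IP = 212.25.16.121, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 41
Feb 13 12:04:20 [IKEv1 DEBUG]: IP = 212.25.16.121, IKE MM Responder FSM error history (struct &0x72a8208) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2-->MM_BLD_MSG2, EV_CREATE_TMR
"""


def parse_decode(line):
    """Return the parsed IKE_DECODE message, or None if the line is not one."""
    m = DECODE_RE.search(line)
    if m is None:
        return None
    payloads = []
    for name, num, err in PAYLOAD_RE.findall(m.group("payloads")):
        num = int(num)
        payloads.append({"num": num,
                         "asa_name": name,                         # what the ASA printed
                         "rfc_name": PAYLOAD_TYPES.get(num, "?"),  # what the number means per RFC
                         "error": bool(err)})                      # ASA flagged '*** ERROR ***'
    return {"ip": m.group("ip"), "dir": m.group("dir"), "msgid": m.group("msgid"),
            "length": int(m.group("length")), "payloads": payloads}


def analyze(lines, peer):
    """Summarise phase 1 for one peer: policy match, rejected payloads, FSM history."""
    r = {"peer": peer, "messages": [], "mismatches": Counter(),
         "matched_entry": None, "rejected_payloads": [], "fsm_history": None}
    current = None
    for line in lines:
        ipm = re.search(r"IP = ([\d.]+)", line)
        if ipm:
            current = ipm.group(1)
        # 'Phase 1 failure' lines carry no IP; attribute them to the peer seen last.
        if current != peer:
            continue
        msg = parse_decode(line)
        if msg:
            r["messages"].append(msg)
            r["rejected_payloads"] += [p for p in msg["payloads"] if p["error"]]
            continue
        m = MISMATCH_RE.search(line)
        if m:
            r["mismatches"][(m["cls"], m["rcvd"], m["cfgd"])] += 1
            continue
        m = MATCH_RE.search(line)
        if m:
            r["matched_entry"] = int(m.group(3))
            continue
        m = FSM_RE.search(line)
        if m:  # newest transition first: "<state>, <event>-->..."
            r["fsm_history"] = [s.strip() for s in m["hist"].split("-->")]
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    """One-line diagnosis in the order a human reads the trace."""
    if r["matched_entry"] is None:
        if r["mismatches"]:
            return "no ISAKMP policy accepted the proposal: " + "; ".join(
                f"{c}: received {a}, configured {b}" for c, a, b in r["mismatches"])
        return "no ISAKMP SA negotiation seen for this peer"
    if r["rejected_payloads"]:
        kinds = sorted({f"{p['num']} ({p['rfc_name']})" for p in r["rejected_payloads"]})
        hist = r["fsm_history"] or []
        where = hist[1].split(",")[0] if len(hist) > 1 else "unknown state"
        return (f"proposal matched ISAKMP policy {r['matched_entry']} (earlier mismatch lines are "
                f"from policies tried before it); phase 1 then aborted in {where}: ASA rejected "
                f"payload type(s) {', '.join(kinds)}")
    return f"proposal matched ISAKMP policy {r['matched_entry']}; no payload errors in trace"


if __name__ == "__main__":
    summary = analyze(SAMPLE_TRACE.splitlines(), peer="212.25.16.121")
    for msg in summary["messages"]:
        print(msg["dir"], msg["msgid"], [p["asa_name"] for p in msg["payloads"]])
    print(summary["verdict"])
```

To use it on a live capture, replace `SAMPLE_TRACE.splitlines()` with the lines of a saved `debug crypto isakmp 127` output and pass the peer address of the tunnel being debugged; the peer filter matters because, as in the trace above, informational exchanges from other tunnels are interleaved with the failing negotiation.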