IKEv1 TS 1 - Phase1 and pre-shared key mismatch

1. Phase I parameter (encryption, hash or group) mismatch

The lifetime does not have to match between the ASAs.

Initiator

Buffer log:
Jan 20 2020 15:38:40: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:38:48: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed

Jan 20 2020 15:39:12: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.

Jan 20 2020 15:39:12: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= MAP.  Map Sequence Number = 10.


Debug:
ASAv1# Dec 23 17:25:59 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (MAP)
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing ISAKMP SA payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver 02 payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver 03 payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver RFC payload
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, constructing Fragmentation VID + extended capabilities payload
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:25:59 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Information Exchange processing failed

Initiator is stuck at MSG2
ASAv1# sh crypto isakmp sa


IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

There are no IKEv2 SAs
ASAv1#


Responder:

Buffer log:
Jan 20 2020 15:38:40: %ASA-3-713048: IP = 10.0.0.1, Error processing payload: Payload ID: 1

Jan 20 2020 15:38:48: %ASA-3-713048: IP = 10.0.0.1, Error processing payload: Payload ID: 1

Debug:
ASAv2# Dec 23 17:25:59 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, processing SA payload
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, All SA proposals found unacceptable
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.1, Error processing payload: Payload ID: 1
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, IKE MM Responder FSM error history (struct &0x00007f48d93d5820)  , :  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, IKE SA MM:ac9d3dca terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.1, sending delete/delete with reason message


Responder doesn't show anything.
ASAv2# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASAv2#



2. Pre-shared key mismatch

The pre-shared key is validated at packets 5 and 6.

Initiator

Buffer Log:
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.2, IP = 10.0.0.2, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.2, IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:49:20: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
Jan 20 2020 15:49:20: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= MAP.  Map Sequence Number = 10.

Debug:
ASAv1# Dec 23 17:43:22 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (MAP)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing ISAKMP SA payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver 02 payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver 03 payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Traversal VID ver RFC payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing Fragmentation VID + extended capabilities payload
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing SA payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Oakley proposal is acceptable
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received NAT-Traversal RFC VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received Fragmentation VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing ke payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing nonce payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing Cisco Unity VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing xauth V6 VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Send IOS VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT Discovery hash
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, constructing NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT Discovery hash
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing ke payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing ISA_KE payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing nonce payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received Cisco Unity client VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received xauth V6 VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing VID payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT Discovery hash
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, processing NAT-Discovery payload
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, computing NAT Discovery hash
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, Connection landed on tunnel_group 10.0.0.2
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, Generating keys for Initiator...
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing ID payload
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing hash payload
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, Computing hash for ISAKMP
Dec 23 17:43:22 [IKEv1 DEBUG]IP = 10.0.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Dec 23 17:43:22 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing dpd vid payload
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Dec 23 17:43:22 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 23 17:43:22 [IKEv1]IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
Dec 23 17:43:22 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Information Exchange processing failed
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:30 [IKEv1]Group = 10.0.0.2, IP = 10.0.0.2, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, IKE MM Initiator FSM error history (struct &0x00007f6f994ab5e0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, IKE SA MM:eb258b2c terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, sending delete/delete with reason message
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing blank hash payload
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing IKE delete payload
Dec 23 17:43:30 [IKEv1 DEBUG]Group = 10.0.0.2, IP = 10.0.0.2, constructing qm hash payload
Dec 23 17:43:30 [IKEv1]IP = 10.0.0.2, IKE_DECODE SENDING Message (msgid=6373ab0c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Dec 23 17:43:38 [IKEv1]IKE Receiver: Packet received on 10.0.0.1:500 from 10.0.0.2:500
Dec 23 17:43:38 [IKEv1]IP = 10.0.0.2, Received encrypted packet with no matching SA, dropping

Initiator is stuck at MSG6
ASAv1# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6

There are no IKEv2 SAs

Responder:

Buffer log:

Jan 20 2020 15:49:12: %ASA-4-713903: Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting

Debug:
ASAv2# Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing SA payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Oakley proposal is acceptable
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received NAT-Traversal ver 02 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received NAT-Traversal ver 03 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received NAT-Traversal RFC VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received Fragmentation VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing IKE SA payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing ISAKMP SA payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing NAT-Traversal VID ver RFC payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing Fragmentation VID + extended capabilities payload
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing ke payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing ISA_KE payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing nonce payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received Cisco Unity client VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received xauth V6 VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, processing NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing ke payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing nonce payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing Cisco Unity VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing xauth V6 VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Send IOS VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing VID payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT Discovery hash
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, constructing NAT-Discovery payload
Dec 23 17:43:23 [IKEv1 DEBUG]IP = 10.0.0.1, computing NAT Discovery hash
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, Connection landed on tunnel_group 10.0.0.1
Dec 23 17:43:23 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, Generating keys for Responder...
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Dec 23 17:43:23 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Dec 23 17:43:23 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Dec 23 17:43:31 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, P1 Retransmit msg dispatched to MM FSM
Dec 23 17:43:31 [IKEv1]IKE Receiver: Packet received on 10.0.0.2:500 from 10.0.0.1:500
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, IKE MM Responder FSM error history (struct &0x00007f48d93d5820)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, IKE SA MM:ce3b8de9 terminating:  flags 0x0104c002, refcnt 0, tuncnt 0
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, sending delete/delete with reason message
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, constructing blank hash payload
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, constructing IKE delete payload
Dec 23 17:43:39 [IKEv1 DEBUG]Group = 10.0.0.1, IP = 10.0.0.1, constructing qm hash payload

Dec 23 17:43:39 [IKEv1]IP = 10.0.0.1, IKE_DECODE SENDING Message (msgid=17825a31) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Responder is stuck at MSG5
ASAv2# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.0.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

There are no IKEv2 SAs
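
Added example (not part of the original post): a small Python triage script that applies the log signatures shown above to separate a Phase 1 proposal mismatch from a pre-shared key mismatch, per peer. The function name `classify` and the signature lists are this example's own choices; the sample lines are excerpts of the output on this page.

```python
import re
from collections import defaultdict

# Messages this page shows for each failure mode (initiator and responder side).
SIGNATURES = {
    "phase1_proposal_mismatch": [
        r"NO_PROPOSAL_CHOSEN",                          # initiator debug
        r"All SA proposals found unacceptable",         # responder debug
        r"Error processing payload: Payload ID: 1\b",   # responder %ASA-3-713048
        # Supporting evidence only: MM_WAIT_MSG2 by itself just means no
        # usable reply to MSG1 has arrived yet.
        r"State\s*:\s*MM_WAIT_MSG2",
    ],
    "psk_mismatch": [
        r"pre-shared key",                              # both sides name the PSK
        r"PAYLOAD_MALFORMED",                           # initiator debug
        r"invalid payloads",                            # responder cannot decrypt MSG5
        r"EV_PROB_AUTH_FAIL",                           # FSM error history
        r"State\s*:\s*MM_WAIT_MSG[56]",                 # 'sh crypto isakmp sa'
    ],
}
COMPILED = {c: [re.compile(p) for p in pats] for c, pats in SIGNATURES.items()}
PEER_RE = re.compile(r"(?:IP = |IKE Peer: )(\d{1,3}(?:\.\d{1,3}){3})")


def classify(lines):
    """Return {peer: (verdict, {cause: [matched patterns]})} for peers with hits."""
    hits = defaultdict(lambda: defaultdict(set))
    peer = "unknown-peer"            # used until a line names a peer
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)        # later lines without an IP belong to this peer
        for cause, regexes in COMPILED.items():
            for rx in regexes:
                if rx.search(line):
                    hits[peer][cause].add(rx.pattern)
    result = {}
    for p, causes in hits.items():
        ranked = sorted(causes.items(), key=lambda kv: len(kv[1]), reverse=True)
        tied = len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1])
        verdict = "ambiguous" if tied else ranked[0][0]
        result[p] = (verdict, {c: sorted(v) for c, v in causes.items()})
    return result


# Excerpts from the initiator output in section 1 of this page.
SAMPLE_PROPOSAL = [
    "Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping",
    "Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, Information Exchange processing failed",
    "1   IKE Peer: 10.0.0.2",
    "    Rekey   : no              State   : MM_WAIT_MSG2",
]
# Excerpts from the responder output in the pre-shared key section of this page.
SAMPLE_PSK = [
    "Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0",
    "Dec 23 17:43:23 [IKEv1]Group = 10.0.0.1, IP = 10.0.0.1, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting",
    "1   IKE Peer: 10.0.0.1",
    "    Rekey   : no              State   : MM_WAIT_MSG5",
]

if __name__ == "__main__":
    for peer, (verdict, evidence) in classify(SAMPLE_PROPOSAL + SAMPLE_PSK).items():
        print(peer, verdict, evidence)
```

A peer whose lines match neither signature set is left out of the result, so generic messages such as "Information Exchange processing failed" do not produce a verdict on their own.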





