Proxy ID

How can you tell what proxy IDs need to be configured on a PA that has VPN tunnels to a Cisco ASA 5505?

I am not getting a proxy ID mismatch error; I am getting "no proposal chosen" for phase 2, and phase 1 works fine.

Could you please double-check that the Phase-2 (IPsec) proposals are the same on both sides. Please select only one set of proposals on both firewalls.

Also check the ike-mgr log: admin@> tail follow yes mp-log ikemgr.log

Thanks

I have checked this more times than I can count, but here it is:

ipsec crypto settings on PA

- encryption: aes256
- authentication: sha1
- DH group: group1
- lifetime: 8 hours
- lifesize: 4800 MB

Cisco 5505 ipsec crypto settings

- encryption: AES256
- authentication: sha
- DH: group1
- SA lifetime: 8 hours
- traffic volume: 4608000 KB

Could you please run > tail follow yes mp-log ikemgr.log from the CLI and, at the same time, run the test VPN command from another SSH window. Please share the output with us.

Thanks

Sorry, I thought I entered that information earlier in this post. The tunnel is currently up and running but should fail later this afternoon.

Hi Infotech,

The ASA uses policy-based VPN, which means you have to have an ACL to form the VPN tunnel.

PAN uses route-based VPN, where an ACL is not mandatory, but you need routes pointing towards the tunnel.

However, in order to form a tunnel between PAN and ASA, it's required to configure proxy IDs on PAN, which should be the reciprocal of the ACL used on the ASA. There is no exception to it.

If it's not configured, then you can see a "proxy ID mismatch error" in the "tail follow yes mp.log vpn" command.

Regards,

Hardik Shah
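As an added example (not code from the thread, from Palo Alto Networks or from Cisco), the reciprocal mapping Hardik describes: each extended permit ACE in the ASA's crypto-map ACL becomes one PAN proxy ID with local and remote swapped, and the result is checked against the proxy IDs already on the PAN. The ACL text, the PAN proxy-ID list and its dict layout are constructed samples.

```python
import ipaddress

# Constructed ASA crypto-map ACL (not from the thread). On the ASA the source is
# the ASA's own protected network and the destination is the network behind the PAN.
ASA_CRYPTO_ACL = """\
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 10.10.1.5 192.168.60.0 255.255.254.0
access-list outside_cryptomap remark constructed comment, skipped by the parser
"""

# Constructed proxy IDs as currently configured on the PAN side; the second one
# carries a /24 where the ASA ACE says /23, the kind of mismatch that breaks phase 2.
PAN_PROXY_IDS = [
    {"local": "192.168.50.0/24", "remote": "10.10.0.0/24", "protocol": "ip"},
    {"local": "192.168.60.0/24", "remote": "10.10.1.5/32", "protocol": "ip"},
]


def _take_address(tokens):
    """Consume one ASA address spec (any | host A | A MASK) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def asa_acl_to_proxy_ids(acl_text):
    """Mirror each extended permit ACE into a PAN proxy ID:
    ASA destination -> PAN local, ASA source -> PAN remote."""
    proxy_ids = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "permit":
            continue  # remarks, deny entries and other forms are not tunnel selectors
        protocol, rest = tokens[4], tokens[5:]
        asa_src = _take_address(rest)
        asa_dst = _take_address(rest)
        proxy_ids.append({"local": str(asa_dst), "remote": str(asa_src), "protocol": protocol})
    return proxy_ids


def find_mismatches(expected, configured):
    """Return the expected proxy IDs with no exact counterpart in the PAN config."""
    have = {(p["local"], p["remote"], p["protocol"]) for p in configured}
    return [p for p in expected if (p["local"], p["remote"], p["protocol"]) not in have]


if __name__ == "__main__":
    for p in find_mismatches(asa_acl_to_proxy_ids(ASA_CRYPTO_ACL), PAN_PROXY_IDS):
        print("missing on PAN:", p)
```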

Hello Infotech,

Is there any specific reason you are using "lifesize – 4800 mb" in Phase 2? It will force the tunnel to re-negotiate the keys unnecessarily. It's not a mandatory parameter.

Thanks

I do not see a proxy ID mismatch error; I have already checked. The tunnel does come up and stays up for at least 8 hours, and then drops for a period of time, around 12-16 hours.

I had it set to nothing originally, but the Cisco had a setting, so to make them match I added it. So far it hasn't changed the behavior of the tunnel at all.

The tunnel went down, and here is the info you requested:

2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e6d9d81e004b9cf:3eae18911b8490b2 lifetime 28800 Sec <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xB10E2AC9 <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xDE276D28 <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xC9287FC3 <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x5F793423 <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0e6d9d81e004b9cf 3eae18911b8490b2 (size=16).
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xF3641853 <====
2014-07-18 11:42:34 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found
2014-07-18 11:42:34 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:dac938cd5be069b6:0000000000000000 <====
2014-07-18 11:42:34 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e6d9d81e004b9cf:3eae18911b8490b2 <====
2014-07-18 11:42:34 [INFO]: request for establishing IPsec-SA was queued since phase1 is not mature
2014-07-18 11:42:34 [INFO]: received Vendor ID: FRAGMENTATION
2014-07-18 11:42:34 [INFO]: received Vendor ID: CISCO-UNITY
2014-07-18 11:42:34 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-07-18 11:42:34 [INFO]: received Vendor ID: DPD
2014-07-18 11:42:34 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:dac938cd5be069b6:1dac1591732f729e lifetime 28800 Sec <====
2014-07-18 11:42:34 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xAA2ED1DE <====
2014-07-18 11:42:34 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x1F9D29F4 <====
2014-07-18 11:42:34 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=dac938cd5be069b6 1dac1591732f729e (size=16).
2014-07-18 11:42:35 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:dac938cd5be069b6:1dac1591732f729e <====
2014-07-18 11:42:40 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 66.94.196.107[500]-66.94.196.108[500] message id:0x76E9B64A <==== Due to negotiation timeout.
2014-07-18 11:42:41 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:ffae7dd6fe0f629a:ee14338fde5e99e3 <====
2014-07-18 11:42:41 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 66.94.196.107[500]-66.94.196.108[500] cookie:ffae7dd6fe0f629a:ee14338fde5e99e3 <====
2014-07-18 11:42:42 [INFO]: IPsec-SA request for 66.94.196.108 queued since no phase1 found
2014-07-18 11:42:42 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:843c80e97d7cb413:0000000000000000 <====
2014-07-18 11:42:42 [INFO]: received Vendor ID: FRAGMENTATION
2014-07-18 11:42:42 [INFO]: received Vendor ID: CISCO-UNITY
2014-07-18 11:42:42 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-07-18 11:42:42 [INFO]: received Vendor ID: DPD
2014-07-18 11:42:42 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:843c80e97d7cb413:e9b044e0557608b9 lifetime 28800 Sec <====
2014-07-18 11:42:42 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] message id:0xF07BE6F3 <====
2014-07-18 11:42:42 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=843c80e97d7cb413 e9b044e0557608b9 (size=16).
2014-07-18 11:42:43 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:f855cc03a1a32ab2:904aa5dae3200d46 <====
2014-07-18 11:42:43 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:843c80e97d7cb413:e9b044e0557608b9 <====
2014-07-18 11:42:44 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e6d9d81e004b9cf:3eae18911b8490b2 <====
2014-07-18 11:42:45 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 66.94.196.107[500]-66.94.196.108[500] cookie:dac938cd5be069b6:1dac1591732f729e <====

I have enabled passive mode on the PA and am monitoring the life of the tunnel. After that I am not sure what else can be done to fix the tunnel.

Hello infotech,

Can you try clearing the specific ike-sa and ipsec-sa. Use the commands below:

- clear vpn ike-sa gateway <name>

- clear vpn ipsec-sa tunnel <name>

Then try and clear the specific vpn flow by using the command:

- clear vpn flow name <flow name>

Clear the ipsec-esp sessions on the firewall as well using the command:

- clear session all filter protocol 50 (or) clear session all filter application ipsec-esp

Note that the above command will clear all the IPsec flows. If there are other tunnels configured, they will be affected as well. You can clear a specific ipsec-esp session by browsing through the options you have in the clear session all command from the CLI.

Once the above steps have been carried out, you can try and force the re-negotiation using the commands below:

- test vpn ike-sa gateway <name>

- test vpn ipsec-sa tunnel <name>

If the above steps do not work, then I would suggest building the config from scratch. I would also suggest not configuring the lifesize on both gateways.

Thanks

I followed your suggestion and the tunnel still did not come up. As you look at the console, it has status bubbles; the one on the left is red and the one on the right is green.

Which means phase-2 is down.

Kindly run the test command for the VPN and at the same time take the output of "tail follow yes mp-log ikemgr"; this will help us to determine the root cause.

Regards,

Hardik Shah

There you go:

2014-07-22 11:09:36 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: 66.94.196.107[500]-66.94.196.108[500] cookie:44e50ec19a74237a:0000000000000000 <====
2014-07-22 11:09:36 [INFO]: received Vendor ID: FRAGMENTATION
2014-07-22 11:09:36 [INFO]: received Vendor ID: CISCO-UNITY
2014-07-22 11:09:36 [INFO]: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-07-22 11:09:36 [INFO]: received Vendor ID: DPD
2014-07-22 11:09:36 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:44e50ec19a74237a:023e35f3a24f64d8 lifetime 28800 Sec <====
2014-07-22 11:09:37 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
2014-07-22 11:09:41 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
2014-07-22 11:09:46 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
2014-07-22 11:10:00 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
2014-07-22 11:10:04 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
2014-07-22 11:10:09 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
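Reading the two ikemgr.log excerpts in this thread by hand is tedious, so here is an added example (not from the thread, Palo Alto Networks or Cisco) that tallies the events that matter, names proto_id=3 as ESP per RFC 2407, and reports the findings the replies point at: phase 1 up but every phase-2 proposal refused in the first excerpt, and passive mode dropping the PAN's own acquire requests in the second. The sample lines are copied from the thread's logs; the event keys and finding texts are this example's own.

```python
import re
from collections import Counter

# Sample lines copied from the two ikemgr.log excerpts in this thread (condensed).
SAMPLE_LOG = """\
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 66.94.196.107[500]-66.94.196.108[500] cookie:0e6d9d81e004b9cf:3eae18911b8490b2 lifetime 28800 Sec <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
2014-07-18 11:42:33 [PROTO_NOTIFY]: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0e6d9d81e004b9cf 3eae18911b8490b2 (size=16).
2014-07-18 11:42:40 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
2014-07-22 11:09:37 [INFO]: 0:66.94.196.107[0] - 66.94.196.108[0]:(nil):remote Parkway_Gateway_ITV3 passive mode specified for IKEv1, dropping acquire request
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>[A-Z_]+)\]: (?P<msg>.*)$")
NOTIFY = re.compile(r"notification message \d+:(?P<name>[A-Z-]+), doi=\d+ proto_id=(?P<proto>\d+)")
# ISAKMP DOI protocol identifiers (RFC 2407): 1 = ISAKMP, 2 = AH, 3 = ESP
PROTO_NAMES = {"1": "ISAKMP", "2": "AH", "3": "ESP"}

def count_ike_events(text):
    """Tally the ikemgr events that decide whether phase 1 or phase 2 is the problem."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # '====> Established SA ...' continuation lines carry no new event
        msg = m["msg"]
        if "PHASE-1 NEGOTIATION SUCCEEDED" in msg:
            counts["phase1_ok"] += 1
        elif "PHASE-2 NEGOTIATION STARTED" in msg:
            counts["phase2_started"] += 1
        elif "PHASE-2 NEGOTIATION FAILED" in msg:
            counts["phase2_failed"] += 1
        elif "passive mode specified" in msg:
            counts["passive_drop"] += 1
        n = NOTIFY.search(msg)
        if n:  # e.g. notify_NO-PROPOSAL-CHOSEN_ESP: the peer refused the IPsec proposals
            counts["notify_%s_%s" % (n["name"], PROTO_NAMES.get(n["proto"], n["proto"]))] += 1
    return counts

def diagnose(counts):
    """Turn the tallies into the findings the replies in this thread point at."""
    findings = []
    if not counts["phase1_ok"]:
        findings.append("no phase-1 SA established: check the IKE gateway settings")
    if counts["phase1_ok"] and counts["notify_NO-PROPOSAL-CHOSEN_ESP"]:
        findings.append("peer rejected every phase-2 (ESP) proposal: compare the IPsec crypto profile with the ASA transform set and PFS group")
    if counts["passive_drop"]:
        findings.append("gateway is passive: it drops its own acquire requests, so the peer must initiate")
    return findings
```

Feeding the live output of tail follow yes mp-log ikemgr.log into count_ike_events gives the same triage during a retest.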
