Conflicting protocols specified by tunnel-group and group-policy

04.12.2016

It is my pleasure to write the first in a series of posts for the Troubleshooting and FAQ section of our Grandmetric blog. In this category we will publish bugs/issues, problem descriptions, handy troubleshooting techniques, as well as answers to interesting questions. As network contractors and trainers, we have come across dozens of interesting problems faced by our customers. We would like to share our experience in dealing with those problems and discuss their solutions with our readers.

Here is the first one.

Especially on Cisco ASA 9.x, where the IKEv2 protocol is present, you may see a Site-to-Site (S2S) IKEv1 (legacy ISAKMP) VPN tunnel fail to establish, even though the configuration looks good at first glance. You may be getting the following errors:

%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. 

Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

After looking at the above logs for a while, one can realize that the default group-policy is involved, because we do not use a custom group-policy for that tunnel:

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless

The problem is caused by IKEv1 not being enabled under the group-policy DfltGrpPolicy. The protocols a group-policy allows are listed by its vpn-tunnel-protocol command, and in this case ikev1 is missing from that list, so the tunnel-group (which uses IKEv1) conflicts with the group-policy it inherits.

Resolution: enable IKEv1 under DfltGrpPolicy in the vpn-tunnel-protocol command:

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
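To catch this mismatch before a peer reports it, here is an added example (not from the original post, and not Cisco code) that audits an ASA running-config excerpt: it maps every tunnel-group that carries an ikev1 pre-shared-key to its effective group-policy (DfltGrpPolicy unless default-group-policy overrides it) and reports those whose vpn-tunnel-protocol omits ikev1. The configuration sample, policy name and peer addresses are constructed.

```python
import re

# Constructed ASA config excerpt (not from the original post): the first L2L
# tunnel-group inherits DfltGrpPolicy (ikev2/ssl only), the second one is
# mapped to a custom group-policy that allows ikev1.
SAMPLE_CONFIG = """
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GP_PARTNER attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.20 general-attributes
 default-group-policy GP_PARTNER
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key *****
"""

GP_RE = re.compile(r"group-policy (\S+) attributes$")
TG_RE = re.compile(r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes)")

def parse_asa_config(text):
    """Return ({group-policy: allowed protocols}, {tunnel-group: ikev1?, policy})."""
    policies, tunnels, current = {}, {}, None
    for line in filter(str.strip, text.splitlines()):
        if GP_RE.match(line):
            current = ("gp", GP_RE.match(line).group(1))
            policies.setdefault(current[1], set())
        elif TG_RE.match(line):
            current = ("tg", TG_RE.match(line).group(1))
            # without default-group-policy a tunnel-group inherits DfltGrpPolicy
            tunnels.setdefault(current[1], {"ikev1": False, "policy": "DfltGrpPolicy"})
        elif not line.startswith(" ") or current is None:
            current = None  # unrelated top-level command: skip its sub-block
        else:
            kind, name = current
            words = line.split()
            if kind == "gp" and words[0] == "vpn-tunnel-protocol":
                policies[name].update(words[1:])
            elif kind == "tg" and words[:2] == ["ikev1", "pre-shared-key"]:
                tunnels[name]["ikev1"] = True
            elif kind == "tg" and words[0] == "default-group-policy":
                tunnels[name]["policy"] = words[1]
    return policies, tunnels

def find_conflicts(text):
    """Tunnel-groups using IKEv1 whose effective group-policy does not allow ikev1."""
    policies, tunnels = parse_asa_config(text)
    return sorted(tg for tg, info in tunnels.items()
                  if info["ikev1"] and "ikev1" not in policies.get(info["policy"], set()))
```

Feed it the output of "show running-config" (group-policy and tunnel-group sections) to list the peers that would be rejected with the "Conflicting protocols" message.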

And of course don't forget to check whether it is working now:

GPD01-FW01-01# sh cry isa sa
IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.X.X
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE

And the IPsec SAs:

GPD01-FW01-01# sh cry ipse sa
interface: outside
Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: X.X.X.X

access-list XXXXXXXXXXXXX extended permit ip 10.68.95.0 255.255.255.0 10.68.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.68.95.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
current_peer: X.X.X.X

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 12 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

1 Comment
uzi
11 September 2017 at 20:11

Huge help! Thanks for the insight on this.

Cheers!
