It is my pleasure to write about conflicting protocols in this post, the first for the Troubleshooting and FAQ section of our Grandmetric blog. In this category we will publish bugs and issues, problem descriptions, handy troubleshooting techniques, and answers to interesting questions. As network contractors and trainers, we have come across dozens of interesting problems faced by our customers. We would like to share our experience in dealing with those problems and discuss their solutions with our readers.
Here is the first one.
Especially on Cisco ASA running 9.x, where IKEv2 is available alongside IKEv1, you may find that a Site-to-Site (S2S) IKEv1 (legacy ISAKMP) VPN tunnel fails to establish even though the configuration looks fine at first glance. You may be getting the following error:
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.
Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
After looking at the logs above for a while, one realizes that the default group-policy must be involved, because no custom group-policy is assigned to that tunnel:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
The problem is that IKEv1 is not enabled under group-policy DfltGrpPolicy. The protocols a group-policy permits are listed in its vpn-tunnel-protocol attribute, and in this case ikev1 is missing from that list, so the tunnel-group (which uses IKEv1) and the group-policy disagree, exactly as the log message says.
Resolution: enable IKEv1 under DfltGrpPolicy -> vpn-tunnel-protocol:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
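This kind of mismatch can be caught before a tunnel-group goes live. The script below is an added example (not Grandmetric's code): it parses a running configuration in the form show running-config prints it (attribute lines indented by one space), assumes that a tunnel-group without an explicit default-group-policy inherits DfltGrpPolicy, and flags every ipsec-l2l tunnel-group that is keyed for an IKE version its group-policy does not list under vpn-tunnel-protocol. The configuration text embedded in it is constructed for illustration; the peer addresses and the GP_BRANCH policy name are made up. It does not cover certificate-authenticated tunnel-groups selected through tunnel-group-map.

```python
"""Audit a Cisco ASA configuration for the mismatch behind
"Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy".
Added example, not Grandmetric's code; the sample configuration is constructed."""
import re
from collections import defaultdict

# Constructed sample: one L2L tunnel-group keyed for IKEv1 with no custom
# group-policy (so DfltGrpPolicy applies, and it only allows ikev2 and SSL),
# one keyed for IKEv1 with a policy that allows it, and one IKEv2-only peer.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GP_BRANCH internal
group-policy GP_BRANCH attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 203.0.113.9 general-attributes
 default-group-policy GP_BRANCH
tunnel-group 203.0.113.9 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.13 type ipsec-l2l
tunnel-group 203.0.113.13 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

# The same configuration after applying the resolution from the post.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "vpn-tunnel-protocol ikev2 ssl-client",
    "vpn-tunnel-protocol ikev1 ikev2 ssl-client")


def parse_asa_config(text):
    """Return (policies, tunnel_groups).

    policies:      name -> set of vpn-tunnel-protocol keywords
    tunnel_groups: name -> {"type", "policy", "ike"}; "ike" is the set of
                   IKE versions the group has keys configured for.
    """
    policies = defaultdict(set)
    groups = defaultdict(lambda: {"type": None, "policy": "DfltGrpPolicy", "ike": set()})
    context = None  # ("policy", name) or ("tg", name, section)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: it opens a new context or ends the old one.
            context = None
            m = re.match(r"group-policy (\S+) attributes$", line)
            if m:
                context = ("policy", m.group(1))
                policies.setdefault(m.group(1), set())
                continue
            m = re.match(r"tunnel-group (\S+) type (\S+)$", line)
            if m:
                groups[m.group(1)]["type"] = m.group(2)
                continue
            m = re.match(r"tunnel-group (\S+) (general|ipsec)-attributes$", line)
            if m:
                context = ("tg", m.group(1), m.group(2))
            continue
        words = line.split()
        if context is None or not words:
            continue
        if context[0] == "policy" and words[0] == "vpn-tunnel-protocol":
            policies[context[1]].update(words[1:])
        elif context[0] == "tg":
            name = context[1]
            if words[0] == "default-group-policy" and len(words) > 1:
                groups[name]["policy"] = words[1]
            elif words[0] in ("ikev1", "ikev2"):
                groups[name]["ike"].add(words[0])
    return dict(policies), dict(groups)


def find_conflicts(policies, groups):
    """List (tunnel-group, policy, missing versions) for every ipsec-l2l
    tunnel-group keyed for an IKE version its group-policy does not allow."""
    findings = []
    for name, tg in sorted(groups.items()):
        if tg["type"] != "ipsec-l2l":
            continue
        allowed = policies.get(tg["policy"], set())
        missing = sorted(tg["ike"] - allowed)
        if missing:
            findings.append((name, tg["policy"], missing))
    return findings


def audit(text):
    """Parse a configuration and return the list of conflicts."""
    return find_conflicts(*parse_asa_config(text))


if __name__ == "__main__":
    for tg, pol, missing in audit(SAMPLE_CONFIG):
        print(f"tunnel-group {tg}: group-policy {pol} lacks "
              f"{' '.join(missing)} in vpn-tunnel-protocol")
```

Run it against the output of show running-config instead of SAMPLE_CONFIG to audit a live box; with the constructed input it reports only the 203.0.113.5 peer, and nothing once ikev1 is added to DfltGrpPolicy.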
And of course don’t forget to check that the tunnel is working now:
GPD01-FW01-01# sh cry isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
And the IPsec SAs:
GPD01-FW01-01# sh cry ipse sa
interface: outside
Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: X.X.X.X
access-list XXXXXXXXXXXXX extended permit ip 10.68.95.0 255.255.255.0 10.68.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.68.95.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
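Reading the two show outputs by eye is fine for one tunnel; with many peers it helps to script the check. The following is an added example, not from the original post: it parses the output of show crypto isakmp sa and show crypto ipsec sa into per-peer phase 1 state and encaps/decaps counters and gives a verdict, including the case where packets are encapsulated but nothing comes back. The outputs embedded in it are constructed in the same shape as the ones above, with made-up addresses (198.51.100.7, 192.0.2.1) and ACL name.

```python
"""Summarise Cisco ASA 'show crypto isakmp sa' and 'show crypto ipsec sa'
output per peer.  Added example, not from the original post; the sample
outputs are constructed (made-up addresses and ACL name) in the ASA's layout."""
import re

ISAKMP_SAMPLE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: 192.0.2.1

      access-list VPN_ACL extended permit ip 10.68.95.0 255.255.255.0 10.68.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.68.95.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
"""

# Constructed variant of the same peer where nothing is coming back.
IPSEC_ONE_WAY_SAMPLE = IPSEC_SAMPLE.replace(
    "#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_isakmp_sa(text):
    """Map peer address -> phase 1 state (e.g. MM_ACTIVE)."""
    states = {}
    peer = None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states


def parse_ipsec_sa(text):
    """Map peer address -> (encaps, decaps), summed over all SAs to that peer."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m and peer:
            counters[peer][0] += int(m.group(1))
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m and peer:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def assess(isakmp_text, ipsec_text):
    """Return peer -> one-line verdict combining phase 1 state and counters."""
    states = parse_isakmp_sa(isakmp_text)
    counters = parse_ipsec_sa(ipsec_text)
    verdicts = {}
    for peer in sorted(set(states) | set(counters)):
        state = states.get(peer)
        enc, dec = counters.get(peer, (0, 0))
        if state not in ("MM_ACTIVE", "AM_ACTIVE"):
            verdicts[peer] = f"phase 1 not established (state={state})"
        elif enc == 0 and dec == 0:
            verdicts[peer] = "phase 1 up, no traffic through phase 2 yet"
        elif dec == 0:
            verdicts[peer] = (f"one-way: {enc} encapsulated, nothing decapsulated "
                              "(check the remote crypto ACL and routing)")
        elif enc == 0:
            verdicts[peer] = (f"receive-only: {dec} decapsulated, nothing sent "
                              "(check local routing and the crypto ACL)")
        else:
            verdicts[peer] = f"healthy: {enc} out / {dec} in"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in assess(ISAKMP_SAMPLE, IPSEC_SAMPLE).items():
        print(f"{peer}: {verdict}")
    for peer, verdict in assess(ISAKMP_SAMPLE, IPSEC_ONE_WAY_SAMPLE).items():
        print(f"{peer}: {verdict}")
```

Feed it the two command outputs captured from the firewall; the state check matches both MM_ACTIVE (main mode) and AM_ACTIVE (aggressive mode), and anything else is reported as phase 1 not established.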
Great help!
I was getting mad setting up a VPN with AWS, your suggestion saved me! 🙂
ciao!
Andrea
Glad to see it was handy!
Huge help! Thanks for the insight on this.
Cheers!