It is my pleasure to write about conflicting protocols in this post for the Troubleshooting and FAQ section of our Grandmetric blog. In this category we will publish bugs and issues, problem descriptions, handy troubleshooting techniques, and answers to interesting questions. As network contractors and trainers, we have come across dozens of interesting problems faced by our customers. We would like to share our experience in dealing with those problems and discuss their solutions with our readers.
Here is the first one.
Especially on Cisco ASA 9.x, where the IKEv2 protocol is available, you may find a Site-to-Site (S2S) IKEv1 (legacy ISAKMP) VPN tunnel failing to establish even though the configuration looks good at first glance. You may see the following errors:
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.
Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Looking at the above logs for a while, one can realize that the problem must lie in the default group-policy, because no custom group-policy is assigned to that tunnel-group:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
The problem is that IKEv1 is not enabled under the group-policy DfltGrpPolicy. The protocols a group-policy permits are listed under vpn-tunnel-protocol, and ikev1 is missing from that list, so the IKEv1 tunnel-group conflicts with the policy it falls back to.
Resolution: enable IKEv1 under DfltGrpPolicy -> vpn-tunnel-protocol:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
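To catch this mismatch before the tunnel fails, the same check can be run offline against the text of show running-config. The following script is an added example written for this post; it is not Grandmetric's code and not an ASA feature. It assumes the standard ASA config layout (group-policy ... attributes with vpn-tunnel-protocol, tunnel-group ... general-attributes with default-group-policy, tunnel-group ... ipsec-attributes with ikev1/ikev2 keys), assumes that a group-policy with no vpn-tunnel-protocol of its own inherits the list from DfltGrpPolicy, and that a tunnel-group without default-group-policy uses DfltGrpPolicy. The sample config and peer addresses are constructed. It goes a little beyond the post by also checking custom group-policies and IKEv2 tunnel-groups.

```python
import re

# Constructed sample ASA running-config fragment (not taken from any real device).
# Peer addresses are documentation ranges; pre-shared keys are masked as ASA prints them.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
group-policy GP_BRANCH internal
group-policy GP_BRANCH attributes
 vpn-tunnel-protocol ikev1
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 general-attributes
 default-group-policy GP_BRANCH
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.0.2.30 type ipsec-l2l
tunnel-group 192.0.2.30 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

DEFAULT_POLICY = "DfltGrpPolicy"  # policy used when a tunnel-group names none


def parse_config(text):
    """Split the config into group-policies and tunnel-groups.

    Returns (policies, tunnel_groups):
      policies      {name: set of vpn-tunnel-protocol keywords, or None if unset}
      tunnel_groups {name: {"policy": str|None, "ikev1": bool, "ikev2": bool}}
    """
    policies, tunnel_groups = {}, {}
    section = None  # ("policy", name) or ("tg", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # top-level command opens (or closes) a block
            m = re.match(r"group-policy (\S+) (attributes|internal|external)", line)
            if m:
                policies.setdefault(m.group(1), None)
                section = ("policy", m.group(1)) if m.group(2) == "attributes" else None
                continue
            m = re.match(r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes)", line)
            if m:
                tunnel_groups.setdefault(m.group(1), {"policy": None, "ikev1": False, "ikev2": False})
                section = ("tg", m.group(1)) if m.group(2) != "type" else None
                continue
            section = None
            continue
        if section is None:
            continue
        kind, name = section
        sub = line.strip()
        if kind == "policy" and sub.startswith("vpn-tunnel-protocol "):
            policies[name] = set(sub.split()[1:])
        elif kind == "tg":
            if sub.startswith("default-group-policy "):
                tunnel_groups[name]["policy"] = sub.split()[1]
            elif sub.startswith("ikev1 "):   # e.g. "ikev1 pre-shared-key ..."
                tunnel_groups[name]["ikev1"] = True
            elif sub.startswith("ikev2 "):   # e.g. "ikev2 remote-authentication ..."
                tunnel_groups[name]["ikev2"] = True
    return policies, tunnel_groups


def effective_protocols(policies, name):
    """Protocols a policy allows; an unset list is assumed to inherit from DfltGrpPolicy."""
    protos = policies.get(name)
    if protos is None:
        protos = policies.get(DEFAULT_POLICY) or set()
    return protos


def find_conflicts(text):
    """Return [(tunnel_group, policy, protocol)] where the tunnel-group uses an IKE
    version its (effective) group-policy does not list under vpn-tunnel-protocol."""
    policies, tunnel_groups = parse_config(text)
    conflicts = []
    for tg, info in tunnel_groups.items():
        policy = info["policy"] or DEFAULT_POLICY
        allowed = effective_protocols(policies, policy)
        for proto in ("ikev1", "ikev2"):
            if info[proto] and proto not in allowed:
                conflicts.append((tg, policy, proto))
    return conflicts


def fix_commands(policies, policy, proto):
    """ASA commands that add the missing protocol while keeping the ones already allowed."""
    allowed = effective_protocols(policies, policy) | {proto}
    return ["group-policy %s attributes" % policy,
            " vpn-tunnel-protocol " + " ".join(sorted(allowed))]


if __name__ == "__main__":
    pol, _ = parse_config(SAMPLE_CONFIG)
    for tg, policy, proto in find_conflicts(SAMPLE_CONFIG):
        print("tunnel-group %s uses %s but group-policy %s does not allow it" % (tg, proto, policy))
        print("\n".join(fix_commands(pol, policy, proto)))
```

On the sample, only the 198.51.100.10 peer is reported: it has an ikev1 pre-shared-key, names no group-policy, and so falls back to a DfltGrpPolicy that lists ikev2 but not ikev1, which is exactly the situation behind the "Conflicting protocols" log above. The suggested fix reproduces the vpn-tunnel-protocol line from the resolution, with the existing ikev2 and SSL entries preserved.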
And of course don’t forget to check whether it is working now:
GPD01-FW01-01# sh cry isa sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
And the IPsec SAs:
GPD01-FW01-01# sh cry ipse sa
interface: outside
Crypto map tag: TRE_CRYPTO_MAP, seq num: 10, local addr: X.X.X.X
access-list XXXXXXXXXXXXX extended permit ip 10.68.95.0 255.255.255.0 10.68.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.68.95.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
Great help!
I was getting mad setting up a VPN with AWS, your suggestion saved me! 🙂
ciao!
Andrea
Huge help! Thanks for the insight on this.
Cheers!