Corente Services Gateway - Phase2 failure to Cisco ASA (Doc ID 2295092.1)

Last updated on AUGUST 09, 2017

Applies to:

Corente Cloud Services Exchange - Version 9.4 and later
Information in this document applies to any platform.

Symptoms

The VPN is configured correctly, and the phase 1 and phase 2 settings, including PFS, have been verified.

The Corente Services Gateway (CSG) shows the SAs becoming active in /var/log/secure and then logs that the proposal fails.

3PD.1048588" #45005: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #44999 {using isakmp#45004 msgid:28462b27 proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=OAKLEY_GROUP_MODP1536}
3PD.1048589" #45006: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #45000 {using isakmp#45004 msgid:8ead5666 proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=no-pfs}
3PD.1048588" #45007: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #45001 {using isakmp#45004 msgid:dac628c1 proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=no-pfs}
3PD.1048589" #45008: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #45002 {using isakmp#45004 msgid:6bda4344 proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=OAKLEY_GROUP_MODP1536}
3PD.1048588" #45009: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#45004 msgid:f35a6e4e proposal=AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160, AES(12)_256-SHA2_256(5)_256, AES(12)_192-MD5(1)_128, AES(12)_192-SHA1(2)_160, AES(12)_192-SHA2_256(5)_256, AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_128-SHA2_256(5)_256, 3DES(3)_192-MD5(1)_12 pfsgroup=OAKLEY_GROUP_MODP1536}
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received and ignored informational message
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received and ignored informational message
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received and ignored informational message
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received and ignored informational message
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received and ignored informational message
3PD.1048588" #45004: received Delete SA payload: deleting ISAKMP State #45004

Placing the Cisco ASA in debug mode logs a 'qm-fsm-error' on the console.
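The following triage script is an added example, not part of the Oracle document or the Corente product. It groups the Quick Mode offers and NO_PROPOSAL_CHOSEN replies by parent ISAKMP SA and lists which pfsgroup values each connection offered. The function names and the shortened sample lines are constructed for illustration; the line format is taken from the log excerpt above.

```python
import re
from collections import defaultdict

QM = re.compile(r'"?([\w.-]+)" #(\d+): initiating Quick Mode (\S+).*?'
                r'\{using isakmp#(\d+) msgid:(\w+) proposal=(.*?) pfsgroup=([\w-]+)\}')
REJECT = re.compile(r'"?([\w.-]+)" #(\d+): ignoring informational payload, '
                    r'type NO_PROPOSAL_CHOSEN')
DELETE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(\d+)')

# Constructed sample in the log format shown above; proposal lists shortened.
SAMPLE = """\
3PD.1048588" #45005: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #44999 {using isakmp#45004 msgid:28462b27 proposal=AES(12)_256-SHA1(2)_160, AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
3PD.1048588" #45007: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #45001 {using isakmp#45004 msgid:dac628c1 proposal=AES(12)_256-SHA1(2)_160, AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
3PD.1048589" #45006: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #45000 {using isakmp#45004 msgid:8ead5666 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
3PD.1048588" #45004: received Delete SA payload: deleting ISAKMP State #45004
"""

def triage(text):
    """Group Quick Mode offers and peer rejections by parent ISAKMP SA."""
    sas = defaultdict(lambda: {"offers": [], "rejections": 0, "deleted": False})
    for line in text.splitlines():
        if m := QM.search(line):
            conn, state, policy, isakmp, msgid, proposal, pfs = m.groups()
            sas[isakmp]["offers"].append({
                "conn": conn, "state": state, "msgid": msgid, "pfsgroup": pfs,
                "pfs_flag": "PFS" in policy.split("+"),
                "transforms": [t.strip() for t in proposal.split(",")]})
        elif m := REJECT.search(line):
            # In the excerpt above, rejections are logged against the ISAKMP SA state number.
            sas[m.group(2)]["rejections"] += 1
        elif m := DELETE.search(line):
            sas[m.group(1)]["deleted"] = True
    return dict(sas)

def pfs_by_connection(sas):
    """Map each connection name to the set of pfsgroup values it offered."""
    seen = defaultdict(set)
    for sa in sas.values():
        for offer in sa["offers"]:
            seen[offer["conn"]].add(offer["pfsgroup"])
    return dict(seen)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for isakmp, sa in result.items():
        print(f"isakmp#{isakmp}: {len(sa['offers'])} Quick Mode offers, "
              f"{sa['rejections']} NO_PROPOSAL_CHOSEN, deleted={sa['deleted']}")
    for conn, groups in pfs_by_connection(result).items():
        print(f"{conn}: pfsgroup offered = {sorted(groups)}")
```

The per-connection pfsgroup and transform lists are the values to compare against the phase 2 settings configured on the peer.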

Cause
