6 Replies Latest reply on Feb 18, 2013 2:23 PM by levi

    VPN issue - Attribute Mismatch

    smross New Member

      Hi all, I am working on creating a tunnel between a Cisco 3845 and an ADTRAN 1335.

      Other tunnels are working on the 3845 which go to other Ciscos, but the issue is only happening on the ADTRAN 1335.

      I am getting these errors on the 1335:

      2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Attributes mismatch
      2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInXformProcess: Transform number search failed
      2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeInProposalProcess: In response, transform payload malformed
      2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeQMInitSAWaitProcess: IkeInProposalProcess failed
      2012.07.31 17:26:09 CRYPTO_IKE.NEGOTIATION IkeProcessData : IkeQMInitSAWaitProcess failed

      I've attached the debugs from a show crypto ike. If anyone could give any direction on where to look it would be much appreciated. I've confirmed both sides have the same attributes and everything.

      Thanks,

      Sean

        • Re: VPN issue - Attribute Mismatch
          cj! Beta_User

          Hi smross:

          Since the negotiation fails after the second IKE message, I would re-check your preshared key and also focus on the IKE policy attributes/timeout.

          Best,

          Chris

            • Re: VPN issue - Attribute Mismatch
              smross New Member

              Yeah, I believe I've checked all those; below is the config of both sides. The only difference is that the lifetime is showing up on the Cisco under the isakmp policy even after I've set it. Not sure if that's working as intended or not.

              Adtran

              !
              ip crypto
              ip crypto ffe
              !
              crypto ike policy 1
                initiate main
                respond anymode
                local-id address X.X.X.X
                peer X.X.X.X
                attribute 1
                  encryption aes-256-cbc
                  authentication pre-share
                  group 5
                  lifetime 86400
              !
              crypto ike remote-id address X.X.X.X preshared-key ciscovpn ike-policy 1 no-xauth
              !
              crypto ipsec transform-set VPN esp-aes-256-cbc esp-sha-hmac
                mode tunnel
              !
              crypto map VPN 1 ipsec-ike
                match address gre-ip
                set peer X.X.X.X
                set transform-set VPN
                set pfs group5
                ike-policy 1


              Cisco

              crypto isakmp policy 1
              encr aes 256
              authentication pre-share
              group 5
              crypto isakmp key ciscovpn address 0.0.0.0 0.0.0.0 no-xauth
              !
              !
              crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac
              !
              crypto map VPN 1 ipsec-isakmp
              set peer X.X.X.X
              set transform-set IPSEC-TRANS-SET
              set pfs group5
              match address WAltamonte

              interface Tunnel1
              description WAltamonte
              bandwidth 20000
              ip address X.X.X.X 255.255.255.252
              ip mtu 1420
              keepalive 10 3
              tunnel source GigabitEthernet0/1.65
              tunnel destination X.X.X.X

              ip access-list extended WAltamonte
              permit gre host X.X.X.X host X.X.X.X

              Thanks,

              Sean

                • Re: VPN issue - Attribute Mismatch
                  cj! Beta_User

                  Yeah, if you're like me, you probably triple and quadruple-checked before taking it to the support forum. Hopefully an ADTRAN engineer or other crypto ninja will chime in with something closer to a fix. I'm definitely learning as I go, but your debug shows that the negotiation breaks during the first half of the IKE proposal where basic phase 1 details are offered/agreed. This helps, because if we're not getting past that, then it's likely some mismatch with basic attributes.

                  I don't know Cisco configs well enough to be confident. I don't know if something should be changed in yours. Perhaps the timeout is omitted because it's the default value? Or maybe there is something more to it and the timeouts are at play in your trouble. Question for anyone: are timeout values actually part of the negotiation?

                  Chris

                  • Re: VPN issue - Attribute Mismatch
                    levi Employee

                    Sean:

                    Thank you for asking this question in the support community. When connecting a VPN from an ADTRAN to a Cisco, typically you will need to modify the NAT-traversal settings, as the defaults on the two vendors are different. On the ADTRAN unit, change the IKE policy to: nat-traversal v1 disable and nat-traversal v2 force. After making the changes, your IKE policy should look similar to the following:

                    crypto ike policy 1
                      initiate main
                      respond anymode
                      nat-traversal v1 disable
                      nat-traversal v2 force
                      local-id address X.X.X.X
                      peer X.X.X.X
                      attribute 1
                        encryption aes-256-cbc
                        authentication pre-share
                        group 5
                        lifetime 86400

                    Also, I noticed on the Cisco that you have a GRE tunnel configured. Is this supposed to be a GRE/IPSec tunnel? If so, there are additional configuration settings you will need on the ADTRAN.

                    Please make the suggested configuration changes, and then reply with the output from the debug crypto ike command when the tunnel is attempting to establish.

                    Levi
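                    As an added example (not code from this thread, from ADTRAN or from Cisco), the script below normalises an ADTRAN "crypto ike policy" block and a Cisco "crypto isakmp policy" block like the ones Sean posted into one attribute table, reports the phase 1 mismatches Chris suggested re-checking, and flags whether the nat-traversal lines Levi recommends are present. The vendor defaults it fills in for attributes a running config omits are assumptions, marked as such in the code.

```python
import re

# Constructed excerpts modelled on the two IKE phase-1 policies posted in this thread.
ADTRAN_CFG = """crypto ike policy 1
  initiate main
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 5
    lifetime 86400
"""
CISCO_CFG = """crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
"""
# Assumed defaults for attributes a running config omits (IOS: hash sha, lifetime
# 86400; AOS: hash sha). These are assumptions; verify against the platform docs.
CISCO_DEFAULTS = {"hash": "sha", "lifetime": "86400"}
ADTRAN_DEFAULTS = {"hash": "sha"}
PHASE1_KEYS = ("encryption", "hash", "authentication", "group", "lifetime")

def parse_policy(cfg, vendor):
    """Normalise a phase-1 policy into {attribute: value} plus any nat-traversal lines."""
    attrs = dict(ADTRAN_DEFAULTS if vendor == "adtran" else CISCO_DEFAULTS)
    attrs["nat_traversal"] = []
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "encryption":                      # AOS: aes-256-cbc -> aes/256
            m = re.match(r"(aes|3des|des)(?:-(\d+))?", t[1])
            attrs["encryption"] = f"{m.group(1)}/{m.group(2) or ''}" if m else t[1]
        elif t[0] == "encr":                          # IOS: 'encr aes 256' -> aes/256
            size = t[2] if len(t) > 2 else ("128" if t[1] == "aes" else "")
            attrs["encryption"] = f"{t[1]}/{size}"   # bare 'encr aes' means AES-128
        elif t[0] in PHASE1_KEYS:
            attrs[t[0]] = t[1]
        elif t[0] == "nat-traversal":
            attrs["nat_traversal"].append(" ".join(t[1:]))
    return attrs

def compare_phase1(adtran, cisco):
    """Return findings as strings; an empty list means the two policies line up."""
    findings = [f"{k}: ADTRAN={adtran.get(k)} Cisco={cisco.get(k)}"
                for k in PHASE1_KEYS if adtran.get(k) != cisco.get(k)]
    if not adtran["nat_traversal"]:
        findings.append("nat-traversal v1/v2 not set explicitly on ADTRAN (see Levi's reply)")
    return findings
```

Run compare_phase1(parse_policy(ADTRAN_CFG, "adtran"), parse_policy(CISCO_CFG, "cisco")) against your own two policies; with the thread's configs the only finding is the missing nat-traversal lines, which matches Levi's diagnosis.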

                • Re: VPN issue - Attribute Mismatch
                  levi Employee

                  smross:

                  I went ahead and flagged this post as "Assumed Answered." If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

                  Levi

                  • Re: VPN issue - Attribute Mismatch
                    levi Employee

                    smross:

                    I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                    Thanks,

                    Levi