Failing Phase2 Auth - IPSec - All IPSec SA proposals found unacceptable



I'm getting the debug info below when I try to connect my client to
the PIX 515e.

The client is an iPhone. It seems like I have all of the transforms in
there.

How can I troubleshoot this?

Thanks!
  Scott<-



4:15:32 PM   %PIX-3-713119: Group = <group>, Username = <user>, IP = <ip>(unresolved), PHASE 1 COMPLETED
4:15:32 PM   %PIX-5-713904: Group = <group>, Username = <user>, IP = <ip>(unresolved), All IPSec SA proposals found unacceptable!
4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), QM FSM error (P2 struct &0x2452b08, mess id 0x9193376c)!
4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), Removing peer from correlator table failed, no match!
4:15:32 PM   %PIX-4-113019: Group = <group>, Username = <user>, IP = <ip>(unresolved), Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
4:15:31 PM   %PIX-6-713172: Group = <group>, IP = <ip>(unresolved), Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
4:15:31 PM   %PIX-6-113012: AAA user authentication Successful : local database : user = <user>
4:15:31 PM   %PIX-6-113009: AAA retrieved default group policy (<group>) for user = <user>
4:15:31 PM   %PIX-6-113008: AAA transaction status ACCEPT : user = <user>
4:15:31 PM   %PIX-5-713130: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unsupported transaction mode attribute: 5
4:15:31 PM   %PIX-6-713184: Group = <group>, Username = <user>, IP = <ip>(unresolved), Client Type: iPhone OS Client Application Version: 2.2
4:15:31 PM   %PIX-5-713131: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unknown transaction mode attribute: 28683
4:15:31 PM   %PIX-6-713228: Group = <group>, Username = <user>, IP = <ip>(unresolved), Assigned private IP address <IpSecIP>(unresolved) to remote user
Reply scooter133 (5) 11/27/2008 12:37:32 AM
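Editor's added example (not code from Scott's post or from the newsgroup reply): a small Python script that re-parses the pasted syslog lines and reports where in the IKEv1 remote-access sequence the attempt died, which is the first thing to pin down before touching the configuration. SAMPLE_LOG, triage() and diagnose() are this example's own names; the message IDs and their meanings are taken from the pasted text only, and the script assumes the paste's format (PIX/ASA 7.x-style syslog, with the log viewer listing the newest second first but keeping message order within a second, which is what the timestamps in the paste show).

```python
"""Triage an IKEv1 remote-access attempt from PIX/ASA 7.x syslog lines.

Added example, not code from the original post.  It assigns each pasted
message to a stage of the remote-access negotiation (ISAKMP SA, XAuth,
mode config, NAT detection, Quick Mode) and reports the first stage whose
verdict is not "done".  Message IDs and meanings come from the paste only.
"""
import re
from datetime import datetime

# Constructed sample: the poster's lines, joined back onto single lines,
# in the order the log viewer showed them (newest second first).
SAMPLE_LOG = """\
4:15:32 PM   %PIX-3-713119: Group = <group>, Username = <user>, IP = <ip>(unresolved), PHASE 1 COMPLETED
4:15:32 PM   %PIX-5-713904: Group = <group>, Username = <user>, IP = <ip>(unresolved), All IPSec SA proposals found unacceptable!
4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), QM FSM error (P2 struct &0x2452b08, mess id 0x9193376c)!
4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), Removing peer from correlator table failed, no match!
4:15:32 PM   %PIX-4-113019: Group = <group>, Username = <user>, IP = <ip>(unresolved), Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
4:15:31 PM   %PIX-6-713172: Group = <group>, IP = <ip>(unresolved), Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
4:15:31 PM   %PIX-6-113012: AAA user authentication Successful : local database : user = <user>
4:15:31 PM   %PIX-6-113009: AAA retrieved default group policy (<group>) for user = <user>
4:15:31 PM   %PIX-6-113008: AAA transaction status ACCEPT : user = <user>
4:15:31 PM   %PIX-5-713130: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unsupported transaction mode attribute: 5
4:15:31 PM   %PIX-6-713184: Group = <group>, Username = <user>, IP = <ip>(unresolved), Client Type: iPhone OS Client Application Version: 2.2
4:15:31 PM   %PIX-5-713131: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unknown transaction mode attribute: 28683
4:15:31 PM   %PIX-6-713228: Group = <group>, Username = <user>, IP = <ip>(unresolved), Assigned private IP address <IpSecIP>(unresolved) to remote user
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The "Group = ..., Username = ..., IP = ..., " prefix that precedes the event text.
PREFIX_RE = re.compile(r"^(?:(?:Group|Username|IP) = [^,]+, )+")

# Stage each message ID speaks for, and its verdict on that stage.
STAGE_OF = {
    "713172": ("nat_detect", "done"),
    "113012": ("xauth", "done"),
    "113008": ("xauth", "done"),
    "713228": ("modecfg", "done"),
    "713119": ("phase1", "done"),
    "713904": ("phase2", "no acceptable proposal"),
    "713902": ("phase2", "quick mode FSM error"),
}

HINTS = {
    ("phase2", "no acceptable proposal"):
        "Phase 1 (ISAKMP SA, XAuth, mode config) completed, so tunnel group, "
        "pre-shared key and user credentials are fine. The client's Quick Mode "
        "proposal matched nothing in the dynamic crypto map entry this peer hits: "
        "compare the ESP transform set(s) bound to it against what the client "
        "offers; with both ends behind NAT the proposal also carries "
        "UDP-encapsulated (NAT-T) mode.",
}


def parse(log_text):
    """Return the parseable records in chronological order."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or non-syslog text
        records.append({
            "time": datetime.strptime(m.group("time"), "%I:%M:%S %p"),
            "sev": int(m.group("sev")),
            "msgid": m.group("msgid"),
            "event": PREFIX_RE.sub("", m.group("body")),
        })
    # The viewer lists the newest second first but keeps message order within
    # a second (as seen in the paste), so a stable sort restores chronology.
    records.sort(key=lambda r: r["time"])
    return records


def triage(log_text):
    """Summarise one attempt: stages reached, first failure, useful context."""
    result = {"client": None, "nat": None, "disconnect_reason": None,
              "modecfg_attr_warnings": [], "stages": {}}
    for r in parse(log_text):
        mid, ev = r["msgid"], r["event"]
        if mid in STAGE_OF:
            stage, verdict = STAGE_OF[mid]
            result["stages"].setdefault(stage, verdict)  # first verdict wins
        if mid == "713184":
            result["client"] = ev.split("Client Type: ", 1)[1]
        elif mid == "713172":
            result["nat"] = {"remote_behind_nat": "Remote end IS behind" in ev,
                             "local_behind_nat": "This end IS behind" in ev}
        elif mid in ("713130", "713131"):  # unsupported/unknown mode-config attrs
            result["modecfg_attr_warnings"].append(ev.rsplit(": ", 1)[1])
        elif mid == "113019":
            m = re.search(r"Reason: (.+)$", ev)
            result["disconnect_reason"] = m.group(1) if m else None
    result["failed_stage"] = next(
        (s for s, v in result["stages"].items() if v != "done"), None)
    return result


def diagnose(result):
    """Turn the triage result into the one-line hint a responder wants."""
    stage = result["failed_stage"]
    if stage is None:
        return "no failed stage in these lines"
    verdict = result["stages"][stage]
    return HINTS.get((stage, verdict), f"negotiation failed at {stage}: {verdict}")


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for stage, verdict in res["stages"].items():
        print(f"{stage:<11} {verdict}")
    print("client:", res["client"], "| disconnect:", res["disconnect_reason"])
    print(diagnose(res))
```

What the run shows for this paste: the peer got through the ISAKMP SA, XAuth against the local database and mode config (the address assignment follows the two "transaction mode attribute" warnings, so those did not block it), and was dropped on the first Quick Mode exchange. So the thing to compare is the transform set(s) on the dynamic crypto map entry the iPhone matches against what the client proposes; on PIX/ASA 7.x software, show running-config crypto lists the transform sets and dynamic map, and debug crypto ipsec 7 is the usual next step to see the proposal the peer actually sent.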



scooter133@gmail.com wrote:
> I'm getting the debug info below when I try to connect my client to
> the PIX 515e.
> 
> The client is an iPhone. It seems like I have all of the transforms in
> there.
> 
> How can I troubleshoot this?
> 
> Thanks!
>   Scott<-
> 
> 
> 
> 4:15:32 PM   %PIX-3-713119: Group = <group>, Username = <user>, IP = <ip>(unresolved), PHASE 1 COMPLETED
> 4:15:32 PM   %PIX-5-713904: Group = <group>, Username = <user>, IP = <ip>(unresolved), All IPSec SA proposals found unacceptable!
> 4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), QM FSM error (P2 struct &0x2452b08, mess id 0x9193376c)!
> 4:15:32 PM   %PIX-3-713902: Group = <group>, Username = <user>, IP = <ip>(unresolved), Removing peer from correlator table failed, no match!
> 4:15:32 PM   %PIX-4-113019: Group = <group>, Username = <user>, IP = <ip>(unresolved), Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
> 4:15:31 PM   %PIX-6-713172: Group = <group>, IP = <ip>(unresolved), Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
> 4:15:31 PM   %PIX-6-113012: AAA user authentication Successful : local database : user = <user>
> 4:15:31 PM   %PIX-6-113009: AAA retrieved default group policy (<group>) for user = <user>
> 4:15:31 PM   %PIX-6-113008: AAA transaction status ACCEPT : user = <user>
> 4:15:31 PM   %PIX-5-713130: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unsupported transaction mode attribute: 5
> 4:15:31 PM   %PIX-6-713184: Group = <group>, Username = <user>, IP = <ip>(unresolved), Client Type: iPhone OS Client Application Version: 2.2
> 4:15:31 PM   %PIX-5-713131: Group = <group>, Username = <user>, IP = <ip>(unresolved), Received unknown transaction mode attribute: 28683
> 4:15:31 PM   %PIX-6-713228: Group = <group>, Username = <user>, IP = <ip>(unresolved), Assigned private IP address <IpSecIP>(unresolved) to remote user

Did a quick search on Google for the term "iphone ipsec transforms" and 
received plenty of results.

The first link looked interesting in terms of identifying transform 
limitations of the iPhone:

http://www.networkworld.com/community/node/23023

Perhaps you'll find what you are looking for in that document, or one of 
the others within the search results.

Best Regards,
News Reader
Reply News 11/27/2008 2:50:46 AM
comp.dcom.sys.cisco