Dear Techs,
Kindly help:
I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto.
Error: calculated HASH does not match HASH payload
Here is my setup:
sophos==NAT router==Site to site tunnel==Palo alto
We don't have any control on the Palo Alto side.
Detailed log:
2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:33:49 16[CFG] rereading secrets
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:33:49 16[CFG] loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:33:49 16[CFG] loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:33:49 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:38 24[CFG] rereading secrets
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:39:38 24[CFG] loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:39:38 24[CFG] loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:39:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 20[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> received packet: from XX.XX.XX.235.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received FRAGMENTATION vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (108 bytes)
2019-10-08 11:39:40 21[CFG] vici initiate 'IPSEC_DU-1'
2019-10-08 11:39:40 17[IKE] <IPSEC_DU-1|5> initiating Aggressive Mode IKE_SA IPSEC_DU-1[5] to XX.XX.XX.235.20
2019-10-08 11:39:40 17[ENC] <IPSEC_DU-1|5> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:40 17[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> received packet: from XX.XX.XX.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received XAuth vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received Cisco Unity vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received FRAGMENTATION vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received DPD vendor ID
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> calculated HASH does not match HASH payload
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> generating INFORMATIONAL_V1 request 3750323059 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.20[500] (108 bytes)
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:51 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (D351871F) from other side
2019-10-08 11:39:58 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:59 31[DMN] [GA
Thanks,
Ranjith
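The "calculated HASH does not match HASH payload" line is the initiator rejecting the responder's HASH_R in message 2 of the aggressive exchange. The following is an added example for this thread (not code from Sophos, strongSwan or Palo Alto) that computes HASH_R the way RFC 2409 defines it for pre-shared-key authentication with a SHA1 proposal (prf = HMAC-SHA1) and shows which mismatches produce that error. All nonces, DH public values, cookies and the SA payload are constructed fixed bytes; the PSK lookup keyed on the responder's ID is a simplified model of how an initiator selects a secret, not strongSwan's actual credential code, and the peer IP, FQDN and PSK are made up.

```python
"""IKEv1 aggressive-mode HASH_R check with pre-shared-key authentication (RFC 2409 5.1/5.4).

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
"""
import hashlib
import hmac

ID_IPV4_ADDR = 1  # ID payload types used below (RFC 2407 section 4.6.2.1)
ID_FQDN = 2


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf for a SHA1 Phase 1 proposal: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_body(id_type: int, data: bytes) -> bytes:
    """ID payload without its generic header: type(1) | protocol(1) | port(2) | data."""
    return bytes((id_type, 0, 0, 0)) + data


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, x: dict, idir_b: bytes) -> bytes:
    """HASH_R as the responder computes it and the initiator recomputes it."""
    skeyid = skeyid_psk(psk, x["ni_b"], x["nr_b"])
    return prf(skeyid, x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + idir_b)


# Constructed exchange values (fixed so the run is reproducible). Group 5 (modp1536)
# public values are 192 bytes, cookies 8 bytes; SAi_b is a stand-in, not a real proposal.
EXCHANGE = {
    "g_xi": bytes([0x11]) * 192, "g_xr": bytes([0x22]) * 192,
    "cky_i": bytes.fromhex("0102030405060708"), "cky_r": bytes.fromhex("a1a2a3a4a5a6a7a8"),
    "ni_b": bytes([0x33]) * 32, "nr_b": bytes([0x44]) * 32,
    "sai_b": bytes.fromhex("0000000100000001"),
}


def responder_message2(psk_r: bytes, idir_b: bytes) -> tuple:
    """Responder's view: the ID it sends and the HASH_R it computes from its own PSK."""
    return idir_b, hash_r(psk_r, EXCHANGE, idir_b)


def initiator_check(secrets: dict, idir_b: bytes, received_hash: bytes) -> tuple:
    """Initiator's view: pick the PSK for the ID the responder sent, recompute, compare.

    secrets maps an ID body to a PSK; b"%any" models a wildcard ('%any : PSK "..."') entry.
    """
    psk = secrets.get(idir_b, secrets.get(b"%any"))
    if psk is None:
        return False, "no pre-shared key found for received IDir"
    if hmac.compare_digest(hash_r(psk, EXCHANGE, idir_b), received_hash):
        return True, "HASH_R verified"
    return False, "calculated HASH does not match HASH payload"


def run_scenarios() -> dict:
    """Aggressive-mode outcomes the posted log could correspond to."""
    pa_ip = id_body(ID_IPV4_ADDR, bytes([203, 0, 113, 20]))  # constructed peer IP
    pa_fqdn = id_body(ID_FQDN, b"vpn.example.net")           # constructed peer FQDN
    good = b"correct-horse-battery-staple"                   # constructed PSK
    results = {}
    # 1. Both sides hold the same PSK, keyed on the peer's IP address.
    results["same_psk"] = initiator_check({pa_ip: good}, *responder_message2(good, pa_ip))
    # 2. Responder's copy of the key was truncated (the "cut long keys" case).
    results["psk_mismatch"] = initiator_check({pa_ip: good}, *responder_message2(good[:16], pa_ip))
    # 3. Same PSK, but the responder identifies by FQDN and the initiator only keyed the IP.
    results["id_not_in_secrets"] = initiator_check({pa_ip: good}, *responder_message2(good, pa_fqdn))
    # 4. As 3 with a wildcard secret, so either ID form selects the key.
    results["wildcard_secret"] = initiator_check(
        {pa_ip: good, b"%any": good}, *responder_message2(good, pa_fqdn))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:20s} accepted={ok!s:5s} {why}")
```

Because HASH_R, the IDs and the nonces travel unencrypted in aggressive mode, a capture of message 2 lets anyone run exactly this computation offline against PSK guesses; a short test key of the kind suggested for troubleshooting should be replaced with a long random one once the tunnel is up.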
Seen similar with PSK mismatch already. Try a short, very simple PSK ... temporarily. Some systems don't understand special characters or cut long keys.
Dirk
Sophos Solution Partner since 2003
If a post solves your question click the 'Verify Answer' link.
Hala Ranjith and welcome to the UTM Community!
I don't recognize that log format - is that from the Palo Alto device?
I'm not familiar with the PA device, so you might also need to go to the equivalent community on their site.
IPsec in the UTM does not accept Aggressive Mode, only Main Mode. Once you've resolved that, if the connection still doesn't succeed, show us the IPsec log from the UTM:
1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Copy here about 60 lines from enabling through the error.
Cheers - Bob
Dear Dirkkotte/Bob,
Thanks for your inputs.
However, now the tunnel is coming up, but after some time (maybe 1, 2 or 3 hours) the tunnel goes down automatically. See the logs below:
2019-10-24 23:07:40 21[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
2019-10-24 23:07:40 04[NET] sending packet: from LOCAL IP[500] to REMOTE IP[500]
2019-10-24 23:07:40 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
2019-10-24 23:07:40 03[NET] waiting for data on sockets
2019-10-24 23:07:40 11[NET] <DB_05P_TO_DU-1|20> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
2019-10-24 23:07:40 11[ENC] <DB_05P_TO_DU-1|20> parsed INFORMATIONAL_V1 request 3546400854 [ HASH N(DPD_ACK) ]
2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> activating new tasks
2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
2019-10-24 23:07:53 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
2019-10-24 23:07:53 03[NET] waiting for data on sockets
2019-10-24 23:07:53 17[NET] <DB_05P_TO_DU-1|19> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
2019-10-24 23:07:53 17[ENC] <DB_05P_TO_DU-1|19> parsed INFORMATIONAL_V1 request 1335338711 [ HASH D ]
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> deleting IKE_SA DB_05P_TO_DU-1[19] between LOCAL IP[db05p.tabreed.ae]...REMOTE IP[REMOTE IP]
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: ESTABLISHED => DELETING
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> Found existing IKE_SA in state ESTABLISHED, skipping reestablishment.
2019-10-24 23:07:53 17[MGR] <DB_05P_TO_DU-1|19> tried to checkin and delete nonexisting IKE_SA
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|21> IKE_SA DB_05P_TO_DU-1[21] state change: CREATED => DESTROYING
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: DELETING => DELETING
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (get_cfg) [CFG] sso: 0
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (sso_invoke_once) SSO is disabled.
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (cop_updown_invoke_once) no user identification is provided!
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (192.168.0.1/32#10.83.180.54/32)
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 2 to 1 -- down -- (LOCAL IP#REMOTE IP)
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] IPtables: 1
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] route: 1
2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] vti: 0
I see that the remote end is sending a delete message:
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]
Any thoughts on why the PA is sending the delete message to disconnect the tunnel? (We don't have any access to the remote peer PA, and it's not easy to get the logs either.)
Your inputs are appreciated.
Thanks in advance,
Ranji
A new/next problem?
Do you enable/disable DPD on both sides?
Do the IPsec Phase 1 / Phase 2 timers match exactly on both sides?
I like Dirk's suggestion, Ranji - any luck?
Dear Dirk/Bob,
Same VPN. The tunnel establishes now but disconnects frequently.
Yes, DPD is already configured on both ends:
Interval: 30 sec
Retry: 120 sec
Many Thanks,
Ranji, please post the IPsec log from the UTM that corresponds to the times of the PA log in your post almost 14 hours ago.
Also, show us pictures of the Edits of the IPsec Policy in both the UTM and the Palo Alto.
Dear Bob,
Please note that we could collect only strongswan.log from the Sophos FW, which I forwarded in my last response.
@PA Ph1 (responder only):
IKEv1, AES-256, SHA1, group 5, aggressive, key life 28800 sec, NAT traversal: no
@PA Ph2:
SHA1, AES-256, no PFS, key life 3600 sec
Note: Sophos has the corresponding settings (initiator).
Ranji, I've been working with IPsec logs from the UTM for almost 15 years and I don't recognize the log you posted as having been generated by a UTM. Do you have a different Sophos product like Cyberoam or XG Firewall or ???
I'm a visual-tactile learner and, when solving problems, I need to look at original data, not descriptions of it. If this is a UTM problem, please post the pictures I requested.
Kindly note the product model: Sophos XG 108 firewall with the latest firmware.