This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Im facing the issue with site to site VPN from sophos to PAlo alto. Error- calculated HASH does not match HASH payload

Dear Techs,

Kindly help:

Im facing the issue with site to site VPN from sophos to Palo alto.

Error- calculated HASH does not match HASH payload

 

here is my setup:

sophos==NAT router==Site to site tunnel==Palo alto

We dont have any control on the palo alto side.

Detailed Log:

 

2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:33:49 16[CFG] rereading secrets
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:33:49 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:38 24[CFG] rereading secrets
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:39:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 20[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> received packet: from XX.XX.XX.235.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received FRAGMENTATION vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (108 bytes)
2019-10-08 11:39:40 21[CFG] vici initiate 'IPSEC_DU-1'
2019-10-08 11:39:40 17[IKE] <IPSEC_DU-1|5> initiating Aggressive Mode IKE_SA IPSEC_DU-1[5] to XX.XX.XX.235.20
2019-10-08 11:39:40 17[ENC] <IPSEC_DU-1|5> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:40 17[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> received packet: from XX.XX.XX.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received XAuth vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received Cisco Unity vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received FRAGMENTATION vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received DPD vendor ID
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> calculated HASH does not match HASH payload
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> generating INFORMATIONAL_V1 request 3750323059 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.20[500] (108 bytes)
201
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:51 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (D351871F) from other side
2019-10-08 11:39:58 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:59 31[DMN] [GA

Thanks,

Ranjith



This thread was automatically locked due to age.
Parents
  • Seen similar with PSK mismatch already.

    Try a short, very simple PSK ... temporary.

    Some systems don't understand special characters or cut long keys.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • Seen similar with PSK mismatch already.

    Try a short, very simple PSK ... temporary.

    Some systems don't understand special characters or cut long keys.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
No Data