
I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto. Error: calculated HASH does not match HASH payload

Dear Techs,

Kindly help:

I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto.

Error: calculated HASH does not match HASH payload

 

Here is my setup:

sophos==NAT router==Site to site tunnel==Palo alto

We don't have any control over the Palo Alto side.

Detailed Log:

 

2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:33:49 16[CFG] rereading secrets
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:33:49 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:38 24[CFG] rereading secrets
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:39:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 20[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> received packet: from XX.XX.XX.235.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received FRAGMENTATION vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (108 bytes)
2019-10-08 11:39:40 21[CFG] vici initiate 'IPSEC_DU-1'
2019-10-08 11:39:40 17[IKE] <IPSEC_DU-1|5> initiating Aggressive Mode IKE_SA IPSEC_DU-1[5] to XX.XX.XX.235.20
2019-10-08 11:39:40 17[ENC] <IPSEC_DU-1|5> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:40 17[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> received packet: from XX.XX.XX.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received XAuth vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received Cisco Unity vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received FRAGMENTATION vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received DPD vendor ID
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> calculated HASH does not match HASH payload
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> generating INFORMATIONAL_V1 request 3750323059 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.20[500] (108 bytes)
201
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:51 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (D351871F) from other side
2019-10-08 11:39:58 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:59 31[DMN] [GA

Thanks,

Ranjith



  • Hala Ranjith and welcome to the UTM Community!

    I don't recognize that log format - is that from the Palo Alto device?

    I'm not familiar with the PA device, so you might also need to go to the equivalent community on their site.

    IPsec in the UTM does not accept Aggressive Mode, only Main Mode.  Once you've resolved that, if the connection still doesn't succeed, show us the IPsec log from the UTM:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Dirkkotte/Bob,

    Thanks for your inputs.

    However, the tunnel is coming up now, but after some time (maybe 1, 2 or 3 hours) it goes down automatically. See the logs below:


    2019-10-24 23:07:40 21[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
    2019-10-24 23:07:40 04[NET] sending packet: from LOCAL IP[500] to REMOTE IP[500]
    2019-10-24 23:07:40 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
    2019-10-24 23:07:40 03[NET] waiting for data on sockets
    2019-10-24 23:07:40 11[NET] <DB_05P_TO_DU-1|20> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
    2019-10-24 23:07:40 11[ENC] <DB_05P_TO_DU-1|20> parsed INFORMATIONAL_V1 request 3546400854 [ HASH N(DPD_ACK) ]
    2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> activating new tasks
    2019-10-24 23:07:40 11[IKE] <DB_05P_TO_DU-1|20> nothing to initiate
    2019-10-24 23:07:53 03[NET] received packet: from REMOTE IP[500] to LOCAL IP[500] on Port2_ppp
    2019-10-24 23:07:53 03[NET] waiting for data on sockets
    2019-10-24 23:07:53 17[NET] <DB_05P_TO_DU-1|19> received packet: from REMOTE IP[500] to LOCAL IP[500] (92 bytes)
    2019-10-24 23:07:53 17[ENC] <DB_05P_TO_DU-1|19> parsed INFORMATIONAL_V1 request 1335338711 [ HASH D ]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> deleting IKE_SA DB_05P_TO_DU-1[19] between LOCAL IP[db05p.tabreed.ae]...REMOTE IP[REMOTE IP]
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: ESTABLISHED => DELETING
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> Found existing IKE_SA in state ESTABLISHED, skipping reestablishment.
    2019-10-24 23:07:53 17[MGR] <DB_05P_TO_DU-1|19> tried to checkin and delete nonexisting IKE_SA
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|21> IKE_SA DB_05P_TO_DU-1[21] state change: CREATED => DESTROYING
    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> IKE_SA DB_05P_TO_DU-1[19] state change: DELETING => DELETING
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (get_cfg) [CFG] sso: 0
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [SSO] (sso_invoke_once) SSO is disabled.
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (cop_updown_invoke_once) no user identification is provided!
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting) ref_count: 1 to 0 -- down -- (192.168.0.1/32#10.83.180.54/32)
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 2 to 1 -- down -- (LOCAL IP#REMOTE IP)
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] IPtables: 1
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] route: 1
    2019-10-24 23:07:53 17[APP] <DB_05P_TO_DU-1|19> [COP-UPDOWN] (get_cfg) [CFG] vti: 0

    I see that the remote end is sending a delete message:

    2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]

    Any thoughts on why the PA is sending the delete message to disconnect the tunnel? (We don't have any access to the remote peer PA, so it is not easy to get its logs either.)

    Your inputs are appreciated.

    Thanks in advance,

    Ranji

  • A new/next problem?

    Is DPD enabled/disabled at both sides?

    Do the IPsec Phase 1 / Phase 2 timers match exactly at both sides?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I like Dirk's suggestion, Ranji - any luck?

    Cheers - Bob

  • Dear Dirk/Bob,

    Same VPN. The tunnel establishes now but disconnects frequently.

    Yes, DPD is already configured on both ends:

    Interval - 30 sec

    Retry - 120 sec

    Many Thanks,

    Ranji

  • Try to disable DPD at both sides.

    Some IPsec implementations only send DPD packets if there is no other traffic; other implementations only check DPD for alive status (and ignore regular traffic).

     

    PS: Sophos XG knows IKEv2 (and I think PA does too). I would use IKEv2, because some features are directly integrated (DPD, for example) and the connection should be more stable.


    Dirk

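The three symptoms in this thread (the Aggressive Mode "calculated HASH does not match HASH payload" failure in the first post, the "received DELETE for IKE_SA" shortly after a DPD_ACK in the follow-up, and the "invalid SPI" alerts) can all be pulled out of a charon-style log mechanically. The script below is an added example, not Sophos code and not code from any poster; it assumes the log format shown in the thread (timestamp, worker thread, subsystem, optional `<connection|sa-id>` tag, message) and the sample lines are constructed excerpts modelled on the posted ones, with addresses masked as the poster masked them. For a DELETE it also reports how long before it the last DPD_ACK was seen, which is the check Dirk's DPD question calls for: a DELETE a few seconds after a successful DPD exchange points at the peer's own timers or policy rather than at a DPD timeout on this side.

```python
"""Triage a strongSwan/charon-style IKE log for the symptoms in this thread.

Added example; not Sophos code and not from any poster. SAMPLE_LOG is a
constructed excerpt modelled on the lines posted in the thread.
"""
import re
from datetime import datetime

# One charon log line: timestamp, worker thread, [subsystem], optional
# <connection|ike-sa-id> tag, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?"
    r"(?P<msg>.*)$"
)
SPI_RE = re.compile(r"invalid SPI \(([0-9A-Fa-f]+)\)")

SAMPLE_LOG = """\
2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
201
2019-10-24 23:07:40 11[ENC] <DB_05P_TO_DU-1|20> parsed INFORMATIONAL_V1 request 3546400854 [ HASH N(DPD_ACK) ]
2019-10-24 23:07:53 17[ENC] <DB_05P_TO_DU-1|19> parsed INFORMATIONAL_V1 request 1335338711 [ HASH D ]
2019-10-24 23:07:53 17[IKE] <DB_05P_TO_DU-1|19> received DELETE for IKE_SA DB_05P_TO_DU-1[19]
"""


def parse_line(line):
    """Return a dict for one charon log line, or None for anything else
    (a truncated tail such as '201' is skipped rather than guessed at)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def triage(lines):
    """Walk the log once and return findings sorted by time, each a dict
    with ts, severity, kind and a human-readable detail."""
    findings = []
    last_dpd_ack = {}   # connection name -> time of the last DPD_ACK parsed
    invalid_spi = {}    # SPI -> (first seen, count)

    def add(ts, severity, kind, detail):
        findings.append({"ts": ts, "severity": severity, "kind": kind, "detail": detail})

    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        ts, conn, msg = e["ts"], e["conn"], e["msg"]
        if "initiating Aggressive Mode" in msg:
            add(ts, "info", "aggressive_mode",
                f"{conn}: phase 1 runs in Aggressive Mode "
                "(the reply in this thread says the UTM only accepts Main Mode)")
        elif "calculated HASH does not match HASH payload" in msg:
            add(ts, "error", "hash_mismatch",
                f"{conn}: the peer's phase-1 HASH did not verify; in IKEv1 this usually "
                "means the pre-shared key or the IKE identity differs between the two ends")
        elif "N(AUTH_FAILED)" in msg:
            add(ts, "info", "auth_failed_sent", f"{conn}: this side sent an AUTH_FAILED notify")
        elif "N(DPD_ACK)" in msg:
            last_dpd_ack[conn] = ts   # keyed on the connection, not the SA number
        elif "received DELETE for IKE_SA" in msg:
            ack = last_dpd_ack.get(conn)
            why = ("no DPD_ACK seen earlier in this log" if ack is None
                   else f"last DPD_ACK was {int((ts - ack).total_seconds())} s earlier")
            add(ts, "error", "remote_delete",
                f"{conn}: the peer deleted the IKE_SA ({why}); compare phase 1/2 "
                "lifetimes and DPD settings with the peer")
        m = SPI_RE.search(msg)
        if m:
            spi = m.group(1).upper()
            first, n = invalid_spi.get(spi, (ts, 0))
            invalid_spi[spi] = (first, n + 1)

    for spi, (first, n) in invalid_spi.items():
        add(first, "warning", "invalid_spi",
            f"{n} IKE message(s) from the peer referenced unknown SPI {spi}: "
            "the peer still holds an IKE_SA this side does not know")
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['severity']:7} {f['kind']:16} {f['detail']}")
```

Run it over the 60-odd lines Bob asks for (IPsec Live Log, from enabling the connection through the error) rather than the excerpt; the DPD gap only means something when the DPD_ACK and the DELETE for the same connection are both in the captured window.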