
I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto. Error: calculated HASH does not match HASH payload

Dear Techs,

Kindly help:

I'm facing an issue with a site-to-site VPN from Sophos to Palo Alto.

Error: calculated HASH does not match HASH payload

Here is my setup:

Sophos == NAT router == site-to-site tunnel == Palo Alto

We don't have any control over the Palo Alto side.

Detailed log:


2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:31:39 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:39 16[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:33:49 16[CFG] rereading secrets
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:33:49 16[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:33:49 16[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:33:49 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:38 24[CFG] rereading secrets
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2019-10-08 11:39:38 24[CFG] loading secrets from '/_conf/ipsec/connections/IPSEC_DU.secrets'
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for 192.168.2.93 XX.XX.XX.235.20
2019-10-08 11:39:38 24[CFG]   loaded IKE secret for ad09m.XX.XX.XX.ae XX.XX.XX.235.20
2019-10-08 11:39:38 25[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 20[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> received packet: from XX.XX.XX.235.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received FRAGMENTATION vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:39 27[NET] <IPSEC_DU-1|4> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (108 bytes)
2019-10-08 11:39:40 21[CFG] vici initiate 'IPSEC_DU-1'
2019-10-08 11:39:40 17[IKE] <IPSEC_DU-1|5> initiating Aggressive Mode IKE_SA IPSEC_DU-1[5] to XX.XX.XX.235.20
2019-10-08 11:39:40 17[ENC] <IPSEC_DU-1|5> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:40 17[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.235.20[500] (516 bytes)
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> received packet: from XX.XX.XX.20[500] to 192.168.2.93[500] (444 bytes)
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received XAuth vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received Cisco Unity vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received FRAGMENTATION vendor ID
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> received DPD vendor ID
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:40 25[IKE] <IPSEC_DU-1|5> calculated HASH does not match HASH payload
2019-10-08 11:39:40 25[ENC] <IPSEC_DU-1|5> generating INFORMATIONAL_V1 request 3750323059 [ HASH N(AUTH_FAILED) ]
2019-10-08 11:39:40 25[NET] <IPSEC_DU-1|5> sending packet: from 192.168.2.93[500] to XX.XX.XX.20[500] (108 bytes)
201
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:51 15[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (D351871F) from other side
2019-10-08 11:39:58 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
2019-10-08 11:39:59 31[DMN] [GA

Thanks,

Ranjith
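What that log line actually compares, as an added illustration (not code from the post, from Sophos or from strongSwan): in IKEv1 aggressive mode with pre-shared keys, the initiator recomputes the responder's HASH_R (RFC 2409, sections 5.1 and 5.4) from the bytes exchanged in messages 1 and 2 plus the PSK it has filed under the peer's ID, and "calculated HASH does not match HASH payload" is that comparison failing. The model below assumes HMAC-SHA1 as the prf, uses constructed stand-ins for the DH values, cookies, nonces and SA body, and a dictionary as a stand-in for the secrets table; 203.0.113.20 and vpn.example.net are placeholder identities.

```python
"""
Model of the check behind "calculated HASH does not match HASH payload" in
IKEv1 aggressive mode with pre-shared keys (RFC 2409, sections 5.1 and 5.4).
Added illustration, not code from the post, Sophos or strongSwan.  All key
material is constructed; there is no real Diffie-Hellman exchange.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# RFC 2409 section 5.4 (pre-shared key authentication):
#   SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
# RFC 2409 section 5.1, the responder's proof of identity carried in the HASH
# payload of aggressive-mode message 2, which the initiator recomputes:
#   HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# prf is an HMAC keyed with the negotiated hash; SHA-1 is assumed here.

ID_IPV4_ADDR = 1   # ID type values from RFC 2407 section 4.6.2.1
ID_FQDN = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload_body(id_type: int, data: bytes) -> bytes:
    """ID payload without its generic header: type, protocol ID, port, data."""
    return bytes([id_type, 0, 0, 0]) + data


@dataclass(frozen=True)
class AggressiveExchange:
    """Bytes both peers have seen after aggressive-mode messages 1 and 2."""
    g_xi: bytes    # initiator KE payload body (DH public value)
    g_xr: bytes    # responder KE payload body
    cky_i: bytes   # initiator cookie, 8 bytes
    cky_r: bytes   # responder cookie, 8 bytes
    sai_b: bytes   # initiator SA payload body (the offered proposal)
    ni_b: bytes    # initiator nonce
    nr_b: bytes    # responder nonce
    idir_b: bytes  # responder ID payload body, as received on the wire


def hash_r(psk: bytes, x: AggressiveExchange) -> bytes:
    skeyid = prf(psk, x.ni_b + x.nr_b)
    return prf(skeyid, x.g_xr + x.g_xi + x.cky_r + x.cky_i + x.sai_b + x.idir_b)


def verify_as_initiator(secrets: dict, x: AggressiveExchange, received: bytes) -> str:
    """Initiator side: pick the PSK filed under the peer's ID, recompute, compare.
    `secrets` is a simplified model of an ipsec.secrets table (peer ID -> PSK)."""
    psk = secrets.get(x.idir_b)
    if psk is None:
        return "no secret for peer ID"
    if hmac.compare_digest(hash_r(psk, x), received):
        return "HASH_R verified"
    return "calculated HASH does not match HASH payload"


def demo() -> dict:
    """Three outcomes of the same exchange; only PSK or peer-ID selection differs."""
    base = AggressiveExchange(
        g_xi=b"\x11" * 32, g_xr=b"\x22" * 32,          # constructed stand-ins for g^x
        cky_i=b"\x01" * 8, cky_r=b"\x02" * 8,
        sai_b=b"\x00\x00\x00\x01" + b"\x00" * 20,       # constructed SA body
        ni_b=b"\x33" * 16, nr_b=b"\x44" * 16,
        idir_b=id_payload_body(ID_IPV4_ADDR, bytes([203, 0, 113, 20])),  # placeholder peer address
    )
    by_fqdn = replace(base, idir_b=id_payload_body(ID_FQDN, b"vpn.example.net"))

    # Two entries, like the two "loaded IKE secret for ..." lines in the log
    initiator_secrets = {base.idir_b: b"correct-psk", by_fqdn.idir_b: b"other-psk"}

    return {
        # 1. Both sides hold the same PSK and the peer identifies itself as expected
        "same_psk": verify_as_initiator(initiator_secrets, base, hash_r(b"correct-psk", base)),
        # 2. The responder's PSK differs (typo, trailing space, stale key)
        "psk_typo": verify_as_initiator(initiator_secrets, base, hash_r(b"correct-psk ", base)),
        # 3. The responder sends an FQDN ID, so the initiator selects the other entry
        "id_selects_other_secret": verify_as_initiator(
            initiator_secrets, by_fqdn, hash_r(b"correct-psk", by_fqdn)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The three cases show what the message can and cannot tell you: a NAT router rewrites the IP header, not the ID payload inside IKE, so a mismatch points at the PSK itself or at which secret each side selects for the identity the other side presents. The two "loaded IKE secret for ..." entries in the log (one keyed by 192.168.2.93, one by the ad09m... name) are where that selection happens on the Sophos side, and the far side makes the same choice from the ID the Sophos sends.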


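A small triage script for charon logs like the one posted, added here as an example (not Sophos or strongSwan tooling): it groups events per IKE_SA instance (the `<name|n>` tag), records the mode, the vendor IDs and whether the HASH check failed, counts the invalid-SPI alerts, and turns the result into plain findings. The sample lines are copied from the post, with the masked peer address left as posted, and the truncated "201" fragment is included to show that such lines are skipped.

```python
"""
Triage helper for charon (strongSwan) IKE log excerpts such as the one in the
post.  Added example, not Sophos or strongSwan code.  The sample lines are
copied from the post; the masked peer address is left exactly as posted.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2019-10-08 11:31:31 11[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DA0DBA3A) from other side
2019-10-08 11:31:31 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (B450165E) from other side
2019-10-08 11:39:39 15[CFG] vici initiate 'IPSEC_DU-2'
2019-10-08 11:39:39 20[IKE] <IPSEC_DU-1|4> initiating Aggressive Mode IKE_SA IPSEC_DU-1[4] to XX.XX.XX.235.20
2019-10-08 11:39:39 20[ENC] <IPSEC_DU-1|4> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V ]
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received XAuth vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received Cisco Unity vendor ID
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> received DPD vendor ID
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
2019-10-08 11:39:39 27[IKE] <IPSEC_DU-1|4> calculated HASH does not match HASH payload
2019-10-08 11:39:39 27[ENC] <IPSEC_DU-1|4> generating INFORMATIONAL_V1 request 90879037 [ HASH N(AUTH_FAILED) ]
201
2019-10-08 11:39:50 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (DAA36114) from other side
"""

# timestamp, thread id, log group, optional <IKE_SA name|instance> tag, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^|>]+\|\d+)> )?(?P<msg>.*)$"
)
INIT_RE = re.compile(r"initiating (\w+) Mode IKE_SA \S+ to (\S+)")
SPI_RE = re.compile(r"invalid SPI \(([0-9A-Fa-f]+)\)")


def summarize(log_text: str) -> dict:
    """Group events per IKE_SA instance and count invalid-SPI alerts."""
    sas = defaultdict(lambda: {"mode": None, "peer": None, "vendor_ids": [],
                               "hash_mismatch": False, "sent_auth_failed": False})
    invalid_spi = defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # truncated fragments such as the post's "201" line
        msg = m["msg"]
        spi = SPI_RE.search(msg)
        if spi:
            invalid_spi[spi.group(1).upper()] += 1
            continue
        if m["sa"] is None:
            continue  # CFG/DMN lines not tied to an IKE_SA
        rec = sas[m["sa"]]
        init = INIT_RE.match(msg)
        if init:
            rec["mode"], rec["peer"] = init.group(1), init.group(2)
        elif msg.startswith("received ") and msg.endswith(" vendor ID"):
            rec["vendor_ids"].append(msg[len("received "):-len(" vendor ID")])
        elif msg.startswith("received unknown vendor ID: "):
            rec["vendor_ids"].append("unknown:" + msg.split(": ", 1)[1])
        elif msg == "calculated HASH does not match HASH payload":
            rec["hash_mismatch"] = True
        elif "N(AUTH_FAILED)" in msg:
            rec["sent_auth_failed"] = True
    return {"ike_sas": dict(sas), "invalid_spi": dict(invalid_spi)}


def findings(summary: dict) -> list:
    """Plain-language readings of the summary for whoever holds the ticket."""
    out = []
    for sa, rec in summary["ike_sas"].items():
        if rec["hash_mismatch"]:
            out.append(f"{sa}: {rec['mode']} mode phase 1 to {rec['peer']} failed while "
                       f"verifying the peer's HASH payload; with PSK authentication the two "
                       f"sides derived different keys (PSK or peer-ID selection mismatch)"
                       + ("; this side replied AUTH_FAILED" if rec["sent_auth_failed"] else ""))
    if summary["invalid_spi"]:
        out.append(f"{sum(summary['invalid_spi'].values())} IKE message(s) for unknown SPIs "
                   f"({', '.join(sorted(summary['invalid_spi']))}): the peer is still sending "
                   f"to an IKE_SA this side does not have, i.e. a stale SA on the peer")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run it on a longer excerpt and the per-SA records make it obvious whether every attempt dies at the same step (here: every aggressive-mode attempt reaches the HASH check and fails there, which is a phase 1 authentication problem, not a DPD or phase 2 one), and the invalid-SPI counter separates the peer's stale-SA noise from the actual failure.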

  • Ah-hah! This is the UTM Community, Ranji. Please join the XG Firewall Community and then one of us moderators will be able to move your thread there where you will get more eyes on this issue from people better versed in XG.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Try to disable DPD on both sides.

    Some IPsec implementations only send DPD packets if there is no other traffic; other implementations only check DPD for alive status (but ignore regular traffic).

    PS: Sophos XG supports IKEv2 (and I think PA does too). I would use IKEv2, because some features are directly integrated (DPD, for example) and the connection should be more stable.

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.