This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

INVALID_MAJOR_VERSION Cisco VPN client for iOS

Dear all,

We are facing a problem with error INVALID_MAJOR_VERSION:

2022:02:28-14:57:36 xxx pluto[6663]: packet from 151.0.0.0:22018: ISAKMP version of ISAKMP Message has an unknown value: 249
2022:02:28-14:57:36 xxx pluto[6663]: packet from 151.0.0.0:22018: sending notification INVALID_MAJOR_VERSION to 151.0.0.0:22018

2022:02:28-14:57:36 xxx pluto[6663]: | **emit ISAKMP Message:
2022:02:28-14:57:36 xxx pluto[6663]: | initiator cookie:
2022:02:28-14:57:36 xxx pluto[6663]: | 00 00 00 00 3b 72 e9 17
2022:02:28-14:57:36 xxx pluto[6663]: | responder cookie:
2022:02:28-14:57:36 xxx pluto[6663]: | c5 e1 de 8c aa 12 fc a4
2022:02:28-14:57:36 xxx pluto[6663]: | next payload type: ISAKMP_NEXT_N
2022:02:28-14:57:36 xxx pluto[6663]: | ISAKMP version: ISAKMP Version 1.0
2022:02:28-14:57:36 xxx pluto[6663]: | exchange type: ISAKMP_XCHG_INFO
2022:02:28-14:57:36 xxx pluto[6663]: | flags: none
2022:02:28-14:57:36 xxx pluto[6663]: | message ID: 00 00 00 00
2022:02:28-14:57:36 xxx pluto[6663]: | ***emit ISAKMP Notification Payload:
2022:02:28-14:57:36 xxx pluto[6663]: | next payload type: ISAKMP_NEXT_NONE
2022:02:28-14:57:36 xxx pluto[6663]: | DOI: ISAKMP_DOI_IPSEC
2022:02:28-14:57:36 xxx pluto[6663]: | protocol ID: 1
2022:02:28-14:57:36 xxx pluto[6663]: | SPI size: 0
2022:02:28-14:57:36 xxx pluto[6663]: | Notify Message Type: INVALID_MAJOR_VERSION
2022:02:28-14:57:36 xxx pluto[6663]: | emitting 0 raw bytes of spi into ISAKMP Notification Payload
2022:02:28-14:57:36 xxx pluto[6663]: | spi
2022:02:28-14:57:36 xxx pluto[6663]: | emitting length of ISAKMP Notification Payload: 12
2022:02:28-14:57:36 xxx pluto[6663]: | emitting length of ISAKMP Message: 40
2022:02:28-14:57:36 xxx pluto[6663]: | next event EVENT_RETRANSMIT in 1 seconds for #73

We have upgraded to the latest version, Sophos UTM 9.709-3, and we are using different versions of iOS, 12.5.5 to 15.3.1, with the native client. All certificates are up to date.

Looks like the handshake does not work, and on the device we get the error: Notification with the VPN server failed.



  • Notify Message Type: INVALID_MAJOR_VERSION

    These are usually IKEv(x) version mismatch errors (v1 vs v2), or the pre-shared key is not matching on both sides.  You probably need to check your client and host to make sure they are matching.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yes, it is clear.

    I do not have a pre-shared key; I have certificates for individual client certificate authentication for each user.

    The problem is that on the client, which is the iOS native client, I can't check anything; I can just install the config profile from the UTM self-service portal. How can I check on the server side, or how can I change/configure the IKEv(x) version on the server, just to test it?

    I have configured debug logging but can't get anything in detail.

    Many thanks,

    Kiril

  • Hello Kiril,

    I've never seen a problem solved here by having debug enabled.  Please try the following:

         1. Confirm that Debug is not enabled.
         2. Disable the Cisco VPN Server.
         3. Start the IPsec Live Log and wait for it to begin to populate.
         4. Enable the Cisco VPN Server.
         5. Try to connect from iOS.
         6. Copy here about 60 lines from the connection attempt through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, very unlikely and unexpectedly, the main high-availability router cluster had bad behaviour, and it caused a mismatch in the handshake of client certificate authentication, not only for IPsec VPN in UTM, because of a documented issue in the current version. After an urgent upgrade everything is fine.

    Best regards,
    Kiril
