We are facing a problem with error INVALID_MAJOR_VERSION:
2022:02:28-14:57:36 xxx pluto: packet from 18.104.22.168:22018: ISAKMP version of ISAKMP Message has an unknown value: 2492022:02:28-14:57:36 xxx pluto: packet from 22.214.171.124:22018: sending notification INVALID_MAJOR_VERSION to 126.96.36.199:22018
2022:02:28-14:57:36 xxx pluto: | **emit ISAKMP Message:2022:02:28-14:57:36 xxx pluto: | initiator cookie:2022:02:28-14:57:36 xxx pluto: | 00 00 00 00 3b 72 e9 172022:02:28-14:57:36 xxx pluto: | responder cookie:2022:02:28-14:57:36 xxx pluto: | c5 e1 de 8c aa 12 fc a42022:02:28-14:57:36 xxx pluto: | next payload type: ISAKMP_NEXT_N2022:02:28-14:57:36 xxx pluto: | ISAKMP version: ISAKMP Version 1.02022:02:28-14:57:36 xxx pluto: | exchange type: ISAKMP_XCHG_INFO2022:02:28-14:57:36 xxx pluto: | flags: none2022:02:28-14:57:36 xxx pluto: | message ID: 00 00 00 002022:02:28-14:57:36 xxx pluto: | ***emit ISAKMP Notification Payload:2022:02:28-14:57:36 xxx pluto: | next payload type: ISAKMP_NEXT_NONE2022:02:28-14:57:36 xxx pluto: | DOI: ISAKMP_DOI_IPSEC2022:02:28-14:57:36 xxx pluto: | protocol ID: 12022:02:28-14:57:36 xxx pluto: | SPI size: 02022:02:28-14:57:36 xxx pluto: | Notify Message Type: INVALID_MAJOR_VERSION2022:02:28-14:57:36 xxx pluto: | emitting 0 raw bytes of spi into ISAKMP Notification Payload2022:02:28-14:57:36 xxx pluto: | spi2022:02:28-14:57:36 xxx pluto: | emitting length of ISAKMP Notification Payload: 122022:02:28-14:57:36 xxx pluto: | emitting length of ISAKMP Message: 402022:02:28-14:57:36 xxx pluto: | next event EVENT_RETRANSMIT in 1 seconds for #73
WE have upgraded to the last version Sophos UTM 9.709-3 and we are using diferent versions of iOS - 12.5.5 to 15.3.1 with native client. All certificates are up-to-date.
Loks like handshake does notwork and we have on the device error: Notification with the VPN server failed.
LirikVeigroeg said:Notify Message Type: INVALID_MAJOR_VERSION
These are usually IKEv(x) version mismatch errors (v1 vs v2), or the pre-shared key is not matching on both sides. You probably need to check your client and host to make sure they are matching.
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
Yes, It is clear,
I do not have pre-shared key, I have certificates for individual client certficate authentification for each user.
Tthe problem is that on the client wich is iOS native client I can't check nothing, just install config profile from UTM selfservice profile. How to check on server side or how I can change/configure on the server IKEv(x) versions, just to test it.
I have config debug logging but cant get nothing in details.
I've never seen a problem solved here by having debug enabled. Please try the following:
1. Confirm that Debug is not enabled. 2. Disable the Cisco VPN Server. 3. Start the IPsec Live Log and wait for it to begin to populate. 4. Enable the Cisco VPN Server. 5. Try to connect from iOS. 6. Copy here about 60 lines from the connection attempt through the error.
Cheers - Bob
Hi Bob, Very unlikely and unexpected the main high availability router cluster had a bad behavior and it causes mismatch of handshake of client certificate authentication not only to Ipsec VPN in UTM, because of documented issue of the current version. After urgent upgrade everything is fine.Best regards,Kiril