5 Replies Latest reply on May 28, 2014 3:18 PM by marlonmv

    VPN site to site MFE and Cisco

    marlonmv

      Hi, I'm trying a site-to-site VPN between an MFE 8.3.1 and a Cisco ASA, but when it's trying to enter phase 2, it shows the following error:

      [detailed info]
      [error] QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed
      [error] Failed to validate QUICK mode payloads
      [error] policy mismatch
      [remote proposal]
          protocol: ESP
          spi(4): |bdeb33cb|
          protocol: ESP, version: 1, encryption: AES:256, integ: SHA1, ESN: OFF, encapsulation: TUNNEL
      [local policy]
          protocol: ESP, zone: 1, options: [ESN], version: 1, encryption: AES:256, integ: SHA1, ESN: ON, encapsulation: TUNNEL


      Any idea?

        • 1. Re: VPN site to site MFE and Cisco
          marlonmv

          Also had this error:

          [detailed info]
          [error] MAIN_MODE exchange terminated - IPsec exchange error threshold exceeded

          • 2. Re: VPN site to site MFE and Cisco
            sliedl

            [detailed info]
            [error] QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed
            [error] Failed to validate QUICK mode payloads
            [error] policy mismatch
            [remote proposal]
                protocol: ESP
                spi(4): |bdeb33cb|
                protocol: ESP, version: 1, encryption: AES:256, integ: SHA1, ESN: OFF, encapsulation: TUNNEL
            [local policy]
                protocol: ESP, zone: 1, options: [ESN], version: 1, encryption: AES:256, integ: SHA1, ESN: ON, encapsulation: TUNNEL

            (The difference in the outputs is bolded and underlined)


            I believe ESN means "Extended Sequence Numbers". On the McAfee firewall this is ON, and I believe there is a way to turn it off via the GUI. You could also try turning it ON on the Cisco side, and the tunnel should connect.

            • 3. Re: VPN site to site MFE and Cisco
              marlonmv

              OK, I turned it off, and now I have this error:

              [detailed info]
              [error] QUICK_MODE exchange processing failed
              [error] invalid request for QUICK_MODE exchange, no IKE SA exists which matches request

              Thanks for all the help

              • 4. Re: VPN site to site MFE and Cisco
                sliedl

                "Quick Mode" is for phase 2. The error "invalid request for QUICK_MODE exchange, no IKE SA exists which matches request" means that there is no phase 1 Security Association (IKE SA) for this phase 2 packet. This means the other side of the tunnel has a phase 1 SA already and is trying to do phase 2. Restart the tunnel on the far side and they should start the IPsec process over.
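The two failure modes in this thread (the ESN policy mismatch from reply 2 and the "no IKE SA exists" message from reply 3) are easy to misread when the MFE audit line is run together on one row. The script below is an added example for this thread, not McAfee or Cisco code: it splits the quoted log entry into the remote proposal and local policy sections, diffs their attributes, and tags the phase 1 case separately. The sample entries are copied from the messages quoted above; the section and attribute regexes and the diagnosis strings are this example's own assumptions about the log layout.

```python
"""Triage helper for MFE IKE QUICK_MODE errors (added example, not vendor code)."""
import re

# Constructed sample inputs, copied from the log text quoted in this thread.
MISMATCH_LOG = (
    "[detailed info]   [error]     QUICK_MODE exchange terminated - "
    "QUICK_MODE exchange processing failed  [error]     Failed to validate "
    "QUICK mode payloads  [error]     policy mismatch    "
    "[remote proposal]         protocol: ESP        spi(4): |bdeb33cb|          "
    "protocol: ESP, version: 1, encryption: AES:256, integ: SHA1, ESN: OFF,           "
    "encapsulation: TUNNEL    "
    "[local policy]       protocol: ESP, zone: 1, options: [ESN], version: 1, "
    "encryption: AES:256,       integ: SHA1, ESN: ON, encapsulation: TUNNEL"
)
NO_SA_LOG = (
    "[detailed info]   [error]     QUICK_MODE exchange processing failed  "
    "[error]     invalid request for QUICK_MODE exchange, no IKE SA exists "
    "which matches request"
)

# Assumed layout: each section starts with its bracketed name and runs until the
# next section name or the end of the entry.
SECTION_RE = re.compile(
    r"\[(remote proposal|local policy)\](.*?)(?=\[(?:remote proposal|local policy)\]|$)",
    re.S,
)
# "key: value" pairs. The key may carry a length suffix such as spi(4); the value
# runs to the next comma or whitespace, so AES:256 and |bdeb33cb| stay intact.
ATTR_RE = re.compile(r"([A-Za-z_]+(?:\(\d+\))?):\s+([^\s,]+)")


def parse_sections(log):
    """Return {section: {attribute: value}} for the remote proposal and local policy."""
    return {name: dict(ATTR_RE.findall(body)) for name, body in SECTION_RE.findall(log)}


def diff_policy(log):
    """Diff the remote proposal against the local policy.

    Attributes present on both sides with different values are the real
    negotiation problem; attributes seen on one side only (SPI, zone, options)
    are reported separately so they are not mistaken for a mismatch.
    """
    sections = parse_sections(log)
    remote = sections.get("remote proposal", {})
    local = sections.get("local policy", {})
    mismatch = {k: (remote[k], local[k]) for k in remote if k in local and remote[k] != local[k]}
    return {
        "mismatch": mismatch,
        "remote_only": sorted(set(remote) - set(local)),
        "local_only": sorted(set(local) - set(remote)),
    }


def classify(log):
    """Map a QUICK_MODE failure to one of the two causes seen in this thread."""
    if "policy mismatch" in log:
        return "policy_mismatch"
    if "no IKE SA exists" in log:
        return "missing_ike_sa"
    return "unknown"


def triage(log):
    """Return a one-line diagnosis for an MFE IKE error entry."""
    kind = classify(log)
    if kind == "policy_mismatch":
        diff = diff_policy(log)
        if not diff["mismatch"]:
            return "phase 2 policy mismatch (no differing attributes parsed)"
        parts = [f"{k}: remote={r} local={l}" for k, (r, l) in diff["mismatch"].items()]
        return "phase 2 policy mismatch on " + ", ".join(parts)
    if kind == "missing_ike_sa":
        return "phase 2 request without a matching phase 1 (IKE) SA: peers are out of step, restart the tunnel"
    return "unrecognised IKE error"


if __name__ == "__main__":
    for entry in (MISMATCH_LOG, NO_SA_LOG):
        print(triage(entry))
```

Run against the first entry it reports only ESN as the disagreeing attribute (remote OFF, local ON), which is exactly the fix discussed in reply 2; the SPI, zone and options fields show up as one-sided and are ignored for the comparison.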

                • 5. Re: VPN site to site MFE and Cisco
                  marlonmv

                  I restarted my MFE and it works, thanks