VPN Error!

Feb 14th, 2007

Hi Gents,

I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).

It worked fine, but yesterday I had to recreate the same VPN configuration on another ASA firewall (asa721-24-k8.bin). All of the configuration was simply copied to the new firewall.

But it doesn't work.

Debug output on the ASA:

%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!

%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry

Has anybody ever faced this kind of problem?

Thanks

Kamal Malhotra Wed, 02/14/2007 - 08:39

Hi Leo,

Did you reconfigure the pre-shared-key on the new box?

If you did not do it then you need to do it.

Regards,

Kamal

Leo_Stobbe Wed, 02/14/2007 - 09:11

I did. I even tried to recreate crypto map.

I have the same error with another VPN tunnel, which also worked before.

:(

kaachary Wed, 02/14/2007 - 09:44

Hi,

You need to get the "debug cry isa 255" and "debug cry ipsec 255" output to get the complete logs.

-Kanishka

Kamal Malhotra Wed, 02/14/2007 - 12:42

Hi Leo,

Please check:

Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT

Please notice: EV_PROB_AUTH_FAIL

This indicates that the pre-shared key did not match or something is misconfigured.

Please send the configuration of both the ends and I'll respond back.

Regards,

Kamal

mrmozaffari Thu, 02/15/2007 - 02:17

Hi

On your host, do you assign another secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card it has been solved.

Also, can you send your PIX and ASA configuration?

Thanks.

Leo_Stobbe Thu, 02/15/2007 - 04:46

No, I didn't assign any secondary IP address to the host.

I just recreated the working config on another ASA5520.

Today I tried with IOS ASA 7.1(2), even cleared all configuration and reconfigured it again...

Nothing changed.

kaachary Fri, 02/16/2007 - 06:19

Hi,

Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:

ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.30.1, remote= 10.10.40.1,

local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),

remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)

It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, which you have defined as the peer on the ASA.

Also, the proxy idents are not the same as on the ASA.

Could you please double check?

HTH,

-Kanishka
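The two diagnostic steps in this thread (spotting EV_PROB_AUTH_FAIL in the ASA's IKE FSM error history, and comparing the remote site's reported identity and proxy identities against what the ASA is configured for) can be checked mechanically. The script below is an added example written for this thread, not code from the original posts or from Cisco; it embeds the two debug fragments quoted above as constructed sample input, and the ASA-side values passed to check_tunnel (peer address and the two crypto-ACL networks) are assumptions chosen to illustrate the mismatch Kanishka describes.

```python
import ipaddress
import re

# Constructed sample input: the ASA-side IKE FSM line quoted earlier in the thread.
ASA_FSM_LINE = (
    "Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, "
    "IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, "
    "EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, "
    "EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5"
)

# Constructed sample input: the remote-site debug fragment quoted earlier in the thread.
REMOTE_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
"""

TRANSITION = re.compile(r"(\w+)-->(\w+)")
IDENTITY = re.compile(r"\blocal=\s*([\d.]+),\s*remote=\s*([\d.]+)")
PROXY = re.compile(r"(local_proxy|remote_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def fsm_transitions(line):
    """Return the (event, next_state) pairs from an IKE FSM error history line."""
    return TRANSITION.findall(line)


def peer_address(line):
    """Extract the 'IP = a.b.c.d' peer address the ASA logged the failure for."""
    m = re.search(r"\bIP = ([\d.]+)", line)
    return m.group(1) if m else None


def auth_failed(line):
    """True when the FSM history contains the EV_PROB_AUTH_FAIL event."""
    return any(event == "EV_PROB_AUTH_FAIL" for event, _ in fsm_transitions(line))


def parse_remote_debug(text):
    """Pull the identity addresses and proxy identities out of a remote-site debug."""
    ident = IDENTITY.search(text)
    info = {"local": ident.group(1), "remote": ident.group(2)} if ident else {}
    for name, net, mask, _proto, _port in PROXY.findall(text):
        # Cisco prints proxies as addr/netmask/proto/port; keep only the network.
        info[name] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return info


def check_tunnel(asa_peer, asa_local_net, asa_remote_net, asa_fsm_line, remote_debug):
    """Compare the ASA's configured peer and crypto-ACL networks (assumed inputs)
    with what the remote side reports. Returns a list of human-readable findings."""
    findings = []
    if auth_failed(asa_fsm_line):
        findings.append("EV_PROB_AUTH_FAIL seen: pre-shared key mismatch or misconfiguration")
    remote = parse_remote_debug(remote_debug)
    if remote.get("local") != asa_peer:
        findings.append(
            f"peer mismatch: ASA peer is {asa_peer}, remote identifies itself as {remote.get('local')}"
        )
    # The remote site's local_proxy must equal the ASA's remote network and vice versa.
    if remote.get("local_proxy") != ipaddress.ip_network(asa_remote_net):
        findings.append(
            f"proxy mismatch: remote local_proxy {remote.get('local_proxy')} != ASA remote net {asa_remote_net}"
        )
    if remote.get("remote_proxy") != ipaddress.ip_network(asa_local_net):
        findings.append(
            f"proxy mismatch: remote remote_proxy {remote.get('remote_proxy')} != ASA local net {asa_local_net}"
        )
    return findings


if __name__ == "__main__":
    # Assumed ASA-side configuration; 20.20.20.0/24 deliberately differs from the /32 the remote uses.
    for finding in check_tunnel("10.10.10.1", "10.20.101.0/24", "20.20.20.0/24",
                                ASA_FSM_LINE, REMOTE_DEBUG):
        print(finding)
```

Run it as-is and it reports the authentication failure, the peer mismatch (10.10.10.1 configured versus 10.10.30.1 reported) and the proxy mismatch; change the assumed ASA values to the remote's actual addresses and the list shrinks accordingly, which is the same comparison Kanishka made by eye.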

Leo_Stobbe Sat, 02/17/2007 - 07:04

Hello!

Problem was solved yesterday.

The problem was with the peer IP, not with the proxy IP (I just changed the real addresses).

I had given the wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.

Thanks to all!

Especially to Cisco TAC.
