VPN Error!

Leo_Stobbe
Level 1

Hi Gents,

I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).

It worked fine. But yesterday I had to recreate the same VPN configurations on another ASA firewall (asa721-24-k8.bin). All of the configuration was simply copied to the new firewall.

But it doesn't work.

Debug output on the ASA:

%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!

%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry

Has anybody ever faced this kind of problem?

Thanks

13 Replies

Leo_Stobbe
Level 1

Here is also the debug log.

Hoping for help.

Leo

Hi Leo,

Did you reconfigure the pre-shared-key on the new box?

If you did not, then you need to do it.

Regards,

Kamal

I did. I even tried to recreate crypto map.

I have the same error with another VPN tunnel, which also worked before.

:(

Hi,

You need to get the "debug cry isa 255" and "debug cry ipsec 255" output to get the complete logs.

-Kanishka

Thanks for your quick answers.

Here it is.

Maybe this is a bug in ASA 7.2(1)???

Regards

Leo

Hi Leo,

Please check:

Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT

Please notice: EV_PROB_AUTH_FAIL

This indicates that the pre-shared key did not match or something is misconfigured.

Please send the configuration of both ends and I'll respond back.

Regards,

Kamal

I retyped the pre-shared key.

There is a debug log from the remote-side Cisco PIX.

My debug log I had already sent you.

thanks

Leo

Hi,

On your host, did you assign another secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card it has been solved.

Also, can you send your PIX and ASA configuration?

Thanks.

No, I didn't assign any secondary IP address to the host.

I just recreated the working config on another ASA5520.

Today I tried with IOS ASA 7.1(2), even cleared all configuration and reconfigured again...

Nothing changed.

Hi,

Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:

ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)

It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, which you have defined as the peer on the ASA.

Also, the proxy identities are not the same as on the ASA.

Could you please double-check?

HTH,

-Kanishka

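As an added example (not from this thread and not a Cisco tool), the following Python script mechanises the two checks made in the replies above: Kamal's reading of the ASA IKEv1 FSM error history (EV_PROB_AUTH_FAIL while waiting in MM_WAIT_MSG6), and Kanishka's cross-check of the remote PIX's identity and proxy lines against what the ASA has configured as its peer and crypto ACL. The sample debug lines are constructed from the fragments quoted in the thread; the ASA's own crypto ACL networks (ASA_LOCAL_NET, ASA_REMOTE_NET) are assumed, since the thread never shows them.

```python
import re
import ipaddress

# Constructed sample, modelled on the ASA debug line quoted earlier in the thread.
ASA_DEBUG = """\
Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-3-713902: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from peer table failed, no match!
"""

# Constructed sample, modelled on the remote PIX debug quoted in the reply above.
PIX_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
"""

# Assumed ASA-side crypto ACL (the thread does not show it): local network
# behind the ASA and remote network behind the peer. Deliberately given a /24
# remote where the PIX uses a /32 host, to show a proxy-identity mismatch.
ASA_LOCAL_NET = "10.20.101.0/24"
ASA_REMOTE_NET = "20.20.20.0/24"

FSM_RE = re.compile(
    r"Group = ([^,]+), IP = ([^,]+), IKE MM (Initiator|Responder) FSM error history"
    r" \(struct [^)]+\) , : (.+)$"
)
IDENT_RE = re.compile(r"local= ([\d.]+), remote= ([\d.]+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/")


def parse_asa_fsm_history(text):
    """Pull peer, role and the event/state pairs out of an ASA IKEv1 FSM error line.

    Returns None if no FSM error history line is present.
    """
    for line in text.splitlines():
        m = FSM_RE.search(line)
        if not m:
            continue
        group, ip, role, history = m.groups()
        events, states = [], []
        for entry in (e.strip() for e in history.split(",")):
            if "-->" in entry:
                ev, st = entry.split("-->", 1)
                events.append(ev)
                states.append(st)
        return {
            "group": group,
            "peer": ip,
            "role": role,
            # Entry right after the terminal MM_DONE: the state paired with EV_ERROR,
            # i.e. where main mode was sitting when it gave up (here MM_WAIT_MSG6).
            "state_at_error": states[0] if states else None,
            "events": events,
            "auth_fail": "EV_PROB_AUTH_FAIL" in events,
        }
    return None


def parse_pix_identity(text):
    """Extract the (identity) local/remote addresses and proxy identities from PIX debug."""
    m = IDENT_RE.search(text)
    if not m:
        raise ValueError("no (identity) local=/remote= line found")
    ident = {"local": m.group(1), "remote": m.group(2)}
    for side, addr, mask in PROXY_RE.findall(text):
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        ident[side + "_proxy"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ident


def cross_check(asa_peer, asa_local_net, asa_remote_net, pix):
    """Compare what the ASA expects with what the remote PIX says about itself.

    The PIX's identity local= must be the ASA's configured peer, and the
    crypto ACLs must mirror: ASA local == PIX remote_proxy, ASA remote == PIX local_proxy.
    Returns a list of human-readable findings (empty when everything lines up).
    """
    findings = []
    if pix["local"] != asa_peer:
        findings.append(
            f"peer mismatch: ASA expects peer {asa_peer} but remote identifies as {pix['local']}"
        )
    asa_local = ipaddress.ip_network(asa_local_net)
    asa_remote = ipaddress.ip_network(asa_remote_net)
    if asa_local != pix["remote_proxy"]:
        findings.append(
            f"proxy mismatch: ASA local {asa_local} vs PIX remote_proxy {pix['remote_proxy']}"
        )
    if asa_remote != pix["local_proxy"]:
        findings.append(
            f"proxy mismatch: ASA remote {asa_remote} vs PIX local_proxy {pix['local_proxy']}"
        )
    return findings


if __name__ == "__main__":
    fsm = parse_asa_fsm_history(ASA_DEBUG)
    print(f"ASA peer {fsm['peer']} stuck in {fsm['state_at_error']}, auth_fail={fsm['auth_fail']}")
    for finding in cross_check(fsm["peer"], ASA_LOCAL_NET, ASA_REMOTE_NET, parse_pix_identity(PIX_DEBUG)):
        print("FINDING:", finding)
```

Run against the constructed samples it reports the peer mismatch (10.10.30.1 versus the configured 10.10.10.1) that turned out to be the real cause in this thread, plus the assumed proxy mismatch. An EV_PROB_AUTH_FAIL in MM_WAIT_MSG6 is consistent with a wrong pre-shared key, but it is also what you see when message 5 is simply going to the wrong peer, so the peer-address check belongs before any key retyping.
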
Hello!,

The problem was solved yesterday.

The problem was with the peer IP, not with the proxy IP (I just changed the real addresses).

I had given the wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.

Thanks to all!

Especially to Cisco TAC

saleem
Level 1

Any solution to this problem?

Already solved after recreating the VPN.

thanks

Leo