02-14-2007 01:10 AM - edited 02-21-2020 02:52 PM
Hi Gents,
I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).
It worked fine. But yesterday I had to recreate the same VPN configurations on another ASA firewall (asa721-24-k8.bin). All configuration has just been copied to the new firewall.
But it doesn't work.
Debug result on ASA.
%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry
Has anybody ever faced this kind of problem?
Thanks
02-14-2007 08:35 AM
02-14-2007 08:39 AM
Hi Leo,
Did you reconfigure the pre-shared-key on the new box?
If you did not do it then you need to do it.
Regards,
Kamal
02-14-2007 09:11 AM
I did. I even tried to recreate crypto map.
I have the same error with another VPN tunnel, which also worked before.
:(
02-14-2007 09:44 AM
Hi..
You need to get the
"debug cry isa 255" and
"debug cry ipsec 255" to get the complete logs.
-Kanishka
02-14-2007 10:09 AM
02-14-2007 12:42 PM
Hi Leo,
Please check :
Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0)
Please notice : EV_PROB_AUTH_FAIL--
This indicates that the pre-shared key did not match or something is misconfigured.
Please send the configuration of both the ends and I'll respond back.
Regards,
Kamal
02-15-2007 12:48 AM
02-15-2007 02:17 AM
Hi
On your host, do you assign another secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card, it has been solved.
Also, can you send your PIX and ASA configurations?
Thanks.
02-15-2007 04:46 AM
02-16-2007 06:19 AM
Hi,
Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, as you have defined as a peer on ASA.
Also, the proxy idents are not the same as on the ASA.
Could you please double check.
HTH,
-Kanishka
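The comparison made in the reply above, as an added example that is not part of the original thread: it parses the quoted remote-site debug lines and checks them against the ASA side of the tunnel, where the crypto ACL networks must mirror each other. The peer address 10.10.10.1 is the one named in the thread; `asa_addr` and the two networks in `ASA_TUNNEL` are constructed placeholders, since the ASA configuration is not shown.

```python
import ipaddress
import re

# Debug excerpt as quoted in the reply above (remote-site device).
REMOTE_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
"""

# ASA view of the tunnel. "peer" is the address named in the thread;
# asa_addr, local_net and remote_net are constructed for illustration.
ASA_TUNNEL = {
    "peer": "10.10.10.1",
    "asa_addr": "10.10.40.1",
    "local_net": "10.20.101.0/255.255.255.0",
    "remote_net": "192.0.2.0/255.255.255.0",
}

FIELD = re.compile(r"\b(local|remote|local_proxy|remote_proxy)=\s*([0-9./]+)")


def parse_identity(debug_text):
    """Extract endpoint addresses and proxy networks from the debug text."""
    out = {}
    for name, value in FIELD.findall(debug_text):
        if name.endswith("_proxy"):
            addr, mask = value.split("/")[:2]  # addr/mask/protocol/port
            out[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        else:
            out[name] = ipaddress.ip_address(value)
    return out


def mismatches(remote, asa):
    """List every field where the remote device disagrees with the ASA."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    checks = [
        ("peer address", remote["local"], ipaddress.ip_address(asa["peer"])),
        ("ASA address", remote["remote"], ipaddress.ip_address(asa["asa_addr"])),
        # Mirror rule: the remote's local proxy is the ASA's remote network.
        ("remote network", remote["local_proxy"], net(asa["remote_net"])),
        ("local network", remote["remote_proxy"], net(asa["local_net"])),
    ]
    return [f"{what}: remote device has {seen}, ASA expects {want}"
            for what, seen, want in checks if seen != want]


if __name__ == "__main__":
    for line in mismatches(parse_identity(REMOTE_DEBUG), ASA_TUNNEL):
        print(line)
```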
02-17-2007 07:04 AM
Hello!,
Problem was solved yesterday.
Problem was with Peer IP. Not with proxy IP (I just changed the real addresses)
I had given wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.
Thanks to all!
Especially to Cisco TAC
08-24-2007 10:43 AM
Any solution to this problem?
08-30-2007 12:18 AM
Already solved after recreating VPN.
Thanks
Leo