IOS to ASA L2L VPN Tunnel, Unable to remove PeerTblEntry

Unanswered Question
Feb 21st, 2007

I'm trying to establish an L2L VPN tunnel between an IOS Router and a PIX 515E running Software Version 7.2(1)...

I keep getting this in the logs:

Feb 21 18:24:12 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!

Feb 21 18:24:12 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

I'm not sure how to troubleshoot this.

Any ideas before I open a TAC case?

acomiskey Wed, 02/21/2007 - 10:45

What's the deal with "interface inside" here...

access-list outside_20_cryptomap extended permit ip object-group ageon-ip-range interface inside

access-list inside_nat0_outbound extended permit ip object-group ageon-ip-range interface inside

xephael Wed, 02/21/2007 - 10:54

I'm pretty sure it's what ASDM put in.

Basically it was supposed to allow their IP range to be tunneled to the inside interface.

acomiskey Wed, 02/21/2007 - 11:03

If ageon-ip-range is the remote network then pretty sure you want

access-list outside_20_cryptomap extended permit ip object-group ageon-ip-range

access-list inside_nat0_outbound extended permit ip object-group ageon-ip-range

xephael Wed, 02/21/2007 - 11:15

Alright, I changed that. It now reads:

access-list outside_20_cryptomap extended permit ip interface inside object-group ageon-ip-range

access-list inside_nat0_outbound extended permit ip interface inside object-group ageon-ip-range

But I get the same error.

acomiskey Wed, 02/21/2007 - 11:18

Those statements define interesting traffic and exempt nat to outside. I assume ageon-ip-range is the remote network you want access to. What network on inside do you want to have access from? Replace "interface inside" with that network. Unless of course you only want the inside of your pix to be part of the l2l tunnel.

Is your topology like this?

-----pix----internet----router----
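To make the point about interesting traffic and NAT exemption concrete, here is an added Python lint (not from any poster in this thread) that parses the ACL lines quoted above and flags an "interface inside" endpoint, a remote object-group on the source side of the crypto ACL, and crypto/nat0 ACLs that do not cover the same address pairs. The object-group name and the 10.0.0.0/24 local network in the "fixed" sample are assumptions.

```python
import re

# Address forms in an ASA extended ACE (the subset that appears in this thread).
ADDR = (r"(?:object-group\s+\S+|interface\s+\S+|host\s+\S+|any|"
        r"\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3})")
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    rf"(?P<src>{ADDR})\s+(?P<dst>{ADDR})\s*$")

def parse_ace(line):
    """Return {'name','src','dst'} for a permit-ip ACE, or None if it does not parse."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    return {k: " ".join(m.group(k).split()) for k in ("name", "src", "dst")}

def lint_vpn_acls(lines, crypto_acl, nat0_acl, remote):
    """Check the crypto-map ACL and the nat0 ACL for the mistakes discussed above.
    remote is the object-group that holds the peer's networks."""
    findings = []
    entries = [e for e in map(parse_ace, lines) if e]
    for e in entries:
        for side in ("src", "dst"):
            # On the ASA, 'interface X' matches only that interface's own IP address,
            # not the subnet behind it, so it is almost never the intended local network.
            if e[side].startswith("interface "):
                findings.append(f"{e['name']}: '{e[side]}' matches only the interface IP; "
                                "use the local network behind it instead")
    crypto = [(e["src"], e["dst"]) for e in entries if e["name"] == crypto_acl]
    nat0 = [(e["src"], e["dst"]) for e in entries if e["name"] == nat0_acl]
    for src, _dst in crypto:
        if src == f"object-group {remote}":
            findings.append(f"{crypto_acl}: remote network is on the source side; "
                            "source must be local, destination remote")
    if set(crypto) != set(nat0):
        findings.append(f"{crypto_acl} and {nat0_acl} do not cover the same src/dst pairs")
    return findings

# Constructed samples: the two versions posted in the thread, plus an assumed fixed form.
ORIGINAL = [
    "access-list outside_20_cryptomap extended permit ip object-group ageon-ip-range interface inside",
    "access-list inside_nat0_outbound extended permit ip object-group ageon-ip-range interface inside",
]
REVISED = [
    "access-list outside_20_cryptomap extended permit ip interface inside object-group ageon-ip-range",
    "access-list inside_nat0_outbound extended permit ip interface inside object-group ageon-ip-range",
]
FIXED = [
    "access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 object-group ageon-ip-range",
    "access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 object-group ageon-ip-range",
]
```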

xephael Wed, 02/21/2007 - 11:27

Yes, that's what the topology is like.

I'm using "interface inside" since we utilize OSPF to define our network.

I'm not so concerned with actually having the tunnel work. I just want it to come up, and I don't understand that error or how to troubleshoot the phase 1 negotiation error.
