Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1039
Views
0
Helpful
6
Replies

IOS to ASA L2L VPN Tunnel, Unable to remove PeerTblEntry

xephael
Level 1
Level 1

‎02-21-2007 10:39 AM - edited ‎03-11-2019 02:36 AM

I'm trying to establish a L2L VPN tunnel between an IOS Router and a PIX 515E running Software Version 7.2(1)...

I keep getting this in the logs:

Feb 21 18:24:12 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!

Feb 21 18:24:12 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

I'm not sure how to troubleshoot this.

Any ideas before I open a TAC case?

Labels:
Preview file
10 KB
0 Helpful
6 Replies 6

acomiskey
Level 10
Level 10

‎02-21-2007 10:45 AM

What's the deal with "interface inside" here...

access-list outside_20_cryptomap extended permit ip object-group ageon-ip-range interface inside

access-list inside_nat0_outbound extended permit ip object-group ageon-ip-range interface inside

0 Helpful

xephael
Level 1
Level 1
In response to acomiskey

‎02-21-2007 10:54 AM

I'm pretty sure it's what ASDM put in.

Basically it was supposed to allow their IP range to be tunneled to the inside interface.

0 Helpful

acomiskey
Level 10
Level 10
In response to xephael

‎02-21-2007 11:03 AM

If ageon-ip-range is the remote network then pretty sure you want

access-list outside_20_cryptomap extended permit ip object-group ageon-ip-range

access-list inside_nat0_outbound extended permit ip object-group ageon-ip-range

0 Helpful

xephael
Level 1
Level 1
In response to acomiskey

‎02-21-2007 11:15 AM

Alright, I changed that. It now reads:

access-list outside_20_cryptomap extended permit ip interface inside object-group ageon-ip-range

access-list inside_nat0_outbound extended permit ip interface inside object-group ageon-ip-range

But I get the same error.

0 Helpful

acomiskey
Level 10
Level 10
In response to xephael

‎02-21-2007 11:18 AM

Those statements define interesting traffic and exempt nat to outside. I assume ageon-ip-range is the remote network you want access to. What network on inside do you want to have access from? Replace "interface inside" with that network. Unless of course you only want the inside of your pix to be part of the l2l tunnel.

Is your topology like this?

-----pix----internet----router----

0 Helpful

xephael
Level 1
Level 1
In response to acomiskey

‎02-21-2007 11:27 AM

Yes that's what the topology is like.

I'm using "interface inside" since we utilize OSPF to define our network.

I'm not so concerned with actually having the tunnel work. I just want it to come up, and I don't understand that error or how to troubleshoot the phase 1 negotiation error.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card