Unanswered Question
Mar 7th, 2007


Below is my network setup

VPN Router

Site 2

|(Internet Cloud)

Site 1

Below is the configuration in the ASA at site-1

sh run
ASA Version 7.1(2)
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 124.x.x.177
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
access-list 112 extended permit tcp host host
access-list Outside_cryptomap_20 extended permit ip host host
icmp permit any Outside
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0
static (DMZ,Outside) Mailserver netmask
static (DMZ,Outside) vfortress netmask
static (Inside,DMZ) netmask
static (Inside,Outside) netmask
static (Inside,Outside) netmask
access-group 112 in interface Outside
access-group 113 in interface DMZ
route Outside 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 7200
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group "SAP TUNNEL" type ipsec-l2l
tunnel-group "SAP TUNNEL" ipsec-attributes
 pre-shared-key *


I have configured the VPN as above, but when I try to do a ping from the SAP Internal server( to the remote site server(, I find the below mentioned error during the debug crypto isakmp and ipsec.

"isakmp Mar 07 00:56:45 [IKEv1]: IP =, Removing peer from peer table failed, no match!

Mar 07 00:56:45 [IKEv1]: IP =, Error: Unable to remove PeerTblEntry".

Could you please let me know where the problem could be?

Thanks & Regards,


kaachary Wed, 03/07/2007 - 02:51


It would be hard to comment since we do not have the config from the other end.

If you could post that and the complete debugs, we can check it and will let you know.


Manjunatha Jayaram Wed, 03/07/2007 - 03:43


Unfortunately the site at the remote end is not providing those details, but when we coordinate with them they say that the first phase handshake is not happening. As well, during debugging from my end I get the below error message.

isakmp Mar 07 00:56:45 [IKEv1]: IP =, Removing peer from peer table failed, no match!

Mar 07 00:56:45 [IKEv1]: IP =, Error: Unable to remove PeerTblEntry

Which all parameters can I double check from my end before going for more details from the remote end?



Manjunatha Jayaram Wed, 03/07/2007 - 04:49


I was also able to get the below output from the remote end firewall.

#show crypto isakmp sa
MM_NO_STATE 332 0 (deleted)
MM_SA_SETUP 347 0
MM_NO_STATE 330 0 (deleted)
MM_NO_STATE 312 0 (deleted)
MM_SA_SETUP 340 0
MM_NO_STATE 324 0 (deleted)
MM_SA_SETUP 358 0
MM_NO_STATE 307 0 (deleted)
MM_SA_SETUP 334 0
MM_SA_SETUP 354 0
MM_NO_STATE 327 0 (deleted)
MM_NO_STATE 320 0 (deleted)
MM_NO_STATE 316 0 (deleted)
MM_SA_SETUP 337 0
MM_SA_SETUP 343 0



kaachary Wed, 03/07/2007 - 04:57

Hi Jithesh,

Turn on the debugging to full severity level:

debug cry isa 255

debug cry ipsec 255

Send the Output.


Manjunatha Jayaram Mon, 03/19/2007 - 03:57

Hi Kanishhka,

I have the debugs done for isakmp attached. I was also able to get the below message as the state of the SA.

1 IKE Peer:

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

Please suggest on what could be the problem.



rajkumar_sanapal Wed, 03/21/2007 - 03:28

Since the state has been stopped at MM_WAIT_MSG2, I suspect the problem could be with a wrong preshared key or crypto map statements. The key should be similar on both sides and the crypto map statements should be perfect. Please provide sh log output or the configuration of both routers/switches to troubleshoot it.

Manjunatha Jayaram Fri, 03/23/2007 - 03:35

Hi Rajkumar,

I am planning to upgrade the ios to 7.2.2 of ASA, as I can find lots of bugs pertaining to vpn bugs in ASA 7.1.2. Hopefully that should lead me to the results.



chenyokechuan Sun, 04/15/2007 - 22:35


Any result after upgrading the ASA firmware? Because I have the same problem with the ASA 7.2.1 version: the L2L tunnel ran for a few months without any problem, and after that I get the same error message and can't form the L2L tunnel.

Manjunatha Jayaram Wed, 07/11/2007 - 20:45

Hi All,

This issue has got resolved.

The problem here was that the public IP assigned to the outside interface of the ASA was not published in the Internet. After speaking to the ISP, now it's working fine.

Thanks to all.
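
Added example, not part of any post in this thread: a small Python check that lines up the initiator's state on the ASA (MM_WAIT_MSG2) with the SA rows posted from the remote end, to tell whether message 1 or the reply to it is being lost. The function names and the reading of the state names (MM_SA_SETUP taken to mean the responder accepted message 1 and answered) are assumptions of this example.

```python
import re

# Rows copied from the remote-end listing in the thread (addresses were
# already stripped there); the initiator state is the one reported on the ASA.
REMOTE_SA = ("MM_NO_STATE 332 0 (deleted) MM_SA_SETUP 347 0 "
             "MM_NO_STATE 330 0 (deleted) MM_NO_STATE 312 0 (deleted)")
LOCAL_STATE = "MM_WAIT_MSG2"

# state, conn-id, slot, optional "(deleted)"; works on flattened or per-row text
ROW = re.compile(r"\b((?:MM|AM|QM)_[A-Z0-9_]+)\s+(\d+)\s+(\d+)(\s+\(deleted\))?")

# Where to look for each outcome (defensive checks only, assumed wording)
ADVICE = {
    "forward-path": "message 1 never arrives: check peer address, route, UDP/500 filters",
    "return-path": "responder answers but reply is lost: check that the local "
                   "public IP is routed back from the Internet",
    "proposal": "responder sees message 1 but builds no SA: compare ISAKMP policies",
    "past-msg2": "initiator is beyond message 2: look at later debug output",
}


def parse_sa(text):
    """Return one dict per SA row found in 'show crypto isakmp sa' text."""
    return [
        {"state": m.group(1), "conn_id": int(m.group(2)), "deleted": bool(m.group(4))}
        for m in ROW.finditer(text)
    ]


def locate_failure(local_state, remote_rows):
    """Heuristic (assumed state meanings): which leg of main mode is broken?"""
    if local_state != "MM_WAIT_MSG2":
        return "past-msg2"        # initiator already received message 2
    states = {row["state"] for row in remote_rows}
    if not states:
        return "forward-path"     # responder holds no SA for this peer at all
    if "MM_SA_SETUP" in states:
        return "return-path"      # responder accepted message 1 and replied
    return "proposal"             # only MM_NO_STATE rows on the responder


if __name__ == "__main__":
    verdict = locate_failure(LOCAL_STATE, parse_sa(REMOTE_SA))
    print(verdict, "->", ADVICE[verdict])
```

For the rows posted in this thread the verdict is return-path, which is consistent with the resolution reported in the last post.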


