03-07-2007 02:47 AM
Hi,
Below is my network setup
VPN Router
Site 2
------
|
|(Internet Cloud)
|
Site 1
------
InternetRouter
|
|
Firewall---->DMZ
|
|
LANSwitching
|
PC
----------------------------------------
Below is the configuration in the ASA at site-1
sh run
ASA Version 7.1(2)
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 124.x.x.177 255.255.255.248
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.200.251 255.255.255.0
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 192.168.16.1 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
access-list 112 extended permit tcp host 194.117.106.129 host 124.30.88.117
access-list Outside_cryptomap_20 extended permit ip host 192.168.200.204 host 194.117.106.129
icmp permit any Outside
icmp permit any Inside
icmp permit any DMZ
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 192.168.200.0 255.255.255.0
static (DMZ,Outside) 124.30.88.115 Mailserver netmask 255.255.255.255
static (DMZ,Outside) 124.30.88.114 vfortress netmask 255.255.255.255
static (Inside,DMZ) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Inside,Outside) 192.168.200.0 192.168.200.0 netmask 255.255.255.0
static (Inside,Outside) 124.30.88.117 192.168.200.204 netmask 255.255.255.255
access-group 112 in interface Outside
access-group 113 in interface DMZ
route Outside 0.0.0.0 0.0.0.0 124.30.88.179 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 194.39.131.167
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 7200
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group "SAP TUNNEL" type ipsec-l2l
tunnel-group "SAP TUNNEL" ipsec-attributes
pre-shared-key *
----------------------------------
I have configured the VPN as above, but when I try to ping from the SAP internal server (192.168.200.204) to the remote site server (194.117.106.129), I find the below-mentioned error during debug crypto isakmp and ipsec.
"isakmp Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Removing peer from peer table failed, no match!
Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Error: Unable to remove PeerTblEntry".
Could you please let me know where could be the problem.
Thanks & Regards,
Jithesh
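Added example, not code from the thread or from Cisco: a small Python checker that parses the L2L-relevant lines of the posted ASA configuration and reports the consistency problems a reviewer would look at on the local side before asking the remote end for anything. It checks that every access-group names an access-list that exists, that each crypto map entry has a peer, a transform-set and a match ACL that exist, whether the transform-set is built on DES/3DES/MD5 (legacy algorithms by today's standards), and whether an ipsec-l2l tunnel-group exists with the peer's address as its name (with pre-shared keys the ASA selects the L2L tunnel-group by peer IP address). The config text is copied from the post with the key redacted as in the original; the rule set and function names are mine, and the findings are things to verify, independent of the root cause the thread eventually reached.

```python
import re
from collections import defaultdict

# Constructed input: the lines from the thread's "sh run" that matter for the
# L2L tunnel (pre-shared key already redacted in the original post).
ASA_CONFIG = """\
access-list 112 extended permit tcp host 194.117.106.129 host 124.30.88.117
access-list Outside_cryptomap_20 extended permit ip host 192.168.200.204 host 194.117.106.129
static (Inside,Outside) 124.30.88.117 192.168.200.204 netmask 255.255.255.255
access-group 112 in interface Outside
access-group 113 in interface DMZ
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 194.39.131.167
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
isakmp enable Outside
tunnel-group "SAP TUNNEL" type ipsec-l2l
tunnel-group "SAP TUNNEL" ipsec-attributes
pre-shared-key *
"""

# Algorithms the checker treats as legacy (DES/3DES/MD5); assumption of this example.
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac"}

TUNNEL_GROUP_RE = re.compile(r'tunnel-group\s+("[^"]*"|\S+)\s+type\s+(\S+)')


def parse_asa(config: str) -> dict:
    """Extract the objects the L2L checks need from a flat ASA config text."""
    acls, transform_sets, access_groups = set(), {}, []
    crypto_maps = defaultdict(dict)   # (map name, seq) -> {"acl", "peer", "transform"}
    tunnel_groups = {}                # name -> type
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            acls.add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = t[4:]
        elif t[0] == "access-group":
            access_groups.append((t[1], t[4]))            # (acl, interface)
        elif t[:2] == ["crypto", "map"] and len(t) > 3 and t[3].isdigit():
            entry = crypto_maps[(t[2], int(t[3]))]
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
        elif t[0] == "tunnel-group":
            m = TUNNEL_GROUP_RE.match(line)
            if m:
                tunnel_groups[m.group(1).strip('"')] = m.group(2)
    return {"acls": acls, "transform_sets": transform_sets,
            "access_groups": access_groups, "crypto_maps": dict(crypto_maps),
            "tunnel_groups": tunnel_groups}


def check_l2l(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for acl, iface in cfg["access_groups"]:
        if acl not in cfg["acls"]:
            findings.append(f"access-group {acl} on {iface} references an access-list that is not defined")
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        where = f"crypto map {name} {seq}"
        for key in ("acl", "peer", "transform"):
            if key not in e:
                findings.append(f"{where}: no {key} configured")
        if "acl" in e and e["acl"] not in cfg["acls"]:
            findings.append(f"{where}: match address {e['acl']} is not defined")
        if "transform" in e:
            algs = cfg["transform_sets"].get(e["transform"])
            if algs is None:
                findings.append(f"{where}: transform-set {e['transform']} is not defined")
            elif LEGACY_ALGS & set(algs):
                findings.append(f"{where}: transform-set {e['transform']} uses legacy algorithms "
                                f"{sorted(LEGACY_ALGS & set(algs))}")
        if "peer" in e and cfg["tunnel_groups"].get(e["peer"]) != "ipsec-l2l":
            findings.append(f"{where}: no ipsec-l2l tunnel-group named {e['peer']}; with pre-shared keys "
                            f"the ASA selects the L2L tunnel-group by peer address, so a group with another name is not used")
    return findings


if __name__ == "__main__":
    for finding in check_l2l(parse_asa(ASA_CONFIG)):
        print("-", finding)
```

Run against the posted fragment it reports the undefined access-list 113 on the DMZ interface, the 3DES/MD5 transform-set, and the absence of a tunnel-group named 194.39.131.167; the crypto ACL and transform-set references themselves resolve.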
03-07-2007 02:51 AM
Jithesh,
It would be hard to comment since we do not have the config from the other end.
If you could post that and the complete debugs, we can check it and will let you know.
-Kanishka
03-07-2007 03:43 AM
Hi,
Unfortunately the site at the remote end is not providing those details, but when we coordinate with them they say that the first-phase handshake is not happening. Also, during debugging from my end I get the below error message.
isakmp Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Removing peer from peer table failed, no match!
Mar 07 00:56:45 [IKEv1]: IP = 194.39.131.167, Error: Unable to remove PeerTblEntry
Which parameters can I double-check from my end before asking for more details from the remote end?
regards,
Jithesh
03-07-2007 04:49 AM
Hi,
I was also able to get the below output from the remote end firewall.
#show crypto isakmp sa
194.39.131.167 124.30.88.177 MM_NO_STATE 332 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 347 0
194.39.131.167 124.30.88.177 MM_NO_STATE 330 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 312 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 340 0
194.39.131.167 124.30.88.177 MM_NO_STATE 324 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 358 0
194.39.131.167 124.30.88.177 MM_NO_STATE 307 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 334 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 354 0
194.39.131.167 124.30.88.177 MM_NO_STATE 327 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 320 0 (deleted)
194.39.131.167 124.30.88.177 MM_NO_STATE 316 0 (deleted)
194.39.131.167 124.30.88.177 MM_SA_SETUP 337 0
194.39.131.167 124.30.88.177 MM_SA_SETUP 343 0
regards,
Jithesh
03-07-2007 04:57 AM
Hi Jithesh,
Turn on debugging at full severity level:
debug cry isa 255
debug cry ipsec 255
Send the output.
-Kanishka
03-19-2007 03:57 AM
03-21-2007 03:28 AM
Since the state has stopped at MM_WAIT_MSG2, I suspect the problem could be a wrong pre-shared key or the crypto map statements. The key should be similar on both sides and the crypto map statements should be perfect. Please provide sh log output or the configuration of both routers/switches to troubleshoot it.
03-23-2007 03:35 AM
Hi Rajkumar,
I am planning to upgrade the ASA IOS to 7.2.2, as I can find lots of bugs pertaining to VPN in ASA 7.1.2. Hopefully that should lead me to the results.
regards.
Jithesh
04-15-2007 10:35 PM
Hi,
Any result after upgrading the ASA firmware? Because I have the same problem with ASA version 7.2.1: the L2L tunnel ran for a few months without any problem, and after that I get the same error message and can't form the L2L tunnel.
07-11-2007 08:45 PM
Hi All,
This issue has got resolved.
The problem here was that the public IP assigned to the outside interface of the ASA was not published on the Internet. After speaking to the ISP, it is now working fine.
Thanks to all.
regards, Jithesh