Site to Site VPN Problem

May 4th, 2007

I am trying to create a dynamic VPN tunnel with a Cisco ASA 5505 and a Symantec Gateway Security 460R device and am having major issues. I can successfully establish a PHASE I connection, but when it gets to PHASE 2, I get the following error on the Cisco ASA device:

AAA retrieved default group policy (DfltGrpPolicy) for user = 24.249.107.28


Group = 24.249.107.28, IP = 24.249.107.28, PHASE 1 COMPLETED


Group = 24.249.107.28, IP = 24.249.107.28, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.4.167.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside


Group = 24.249.107.28, IP = 24.249.107.28, QM FSM error (P2 struct &0x398ed38, mess id 0x4573604d)!


Group = 24.249.107.28, IP = 24.249.107.28, Removing peer from correlator table failed, no match!


Group = 24.249.107.28, Username = 24.249.107.28, IP = 24.249.107.28, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found


10.4.167.0 is the remote subnet (Symantec Device), so the Cisco ASA sees the remote network, but is failing and disconnecting during PHASE 2 negotiations. I have set up everything on both devices to match (SA, Phrase Key, etc...), but I still get these errors. Any ideas?


acomiskey Fri, 05/04/2007 - 11:24

Can you post ASA config? Most likely a problem with your crypto acl.
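
Added example, not part of the original thread or either poster's configuration: a small Python check that takes the proxy pair from the rejection message quoted in the question and compares it with crypto ACL entries. The ACL lines and their names are constructed, and the check assumes the crypto ACL should list the local network as source and the remote network as destination, with the same masks the peer proposes.

```python
import ipaddress
import re

# Rejection message as it appears in the ASA log quoted in the question.
REJECT_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
               "10.4.167.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 "
               "on interface outside")
# Constructed ACL entries with hypothetical names; not the poster's configuration.
SAMPLE_ACLS = [
    "access-list ACL_REVERSED extended permit ip 10.4.167.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list ACL_WRONG_MASK extended permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.0.0",
    "access-list ACL_MIRRORED extended permit ip 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0",
]
REJECT_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")
# Only the network/mask form of an entry is handled, not the host/any keywords.
ACL_RE = re.compile(r"access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_reject(line):
    """Return the (local, remote) networks the peer proposed in Phase 2."""
    m = REJECT_RE.search(line)
    if m is None:
        raise ValueError("not a 'no matching crypto map entry' message")
    r_ip, r_mask, l_ip, l_mask = m.groups()
    return net(l_ip, l_mask), net(r_ip, r_mask)

def check_acls(log_line, acl_lines):
    """Classify each ACL entry against the rejected proxy pair."""
    local, remote = parse_reject(log_line)
    verdicts = {}
    for line in acl_lines:
        m = ACL_RE.search(line)
        if m is None:
            continue
        name, s_ip, s_mask, d_ip, d_mask = m.groups()
        src, dst = net(s_ip, s_mask), net(d_ip, d_mask)
        # Assumption: source = local network, destination = remote network.
        if (src, dst) == (local, remote):
            verdicts[name] = "match"
        elif (src, dst) == (remote, local):
            verdicts[name] = "reversed"
        else:
            verdicts[name] = "no match"
    return verdicts

if __name__ == "__main__":
    for name, verdict in check_acls(REJECT_LINE, SAMPLE_ACLS).items():
        print(f"{name}: {verdict}")
```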
