Site to Site VPN Problem

Pwcjayhawk1
Level 1

I am trying to create a dynamic VPN tunnel with a Cisco ASA 5505 and a Symantec Gateway Security 460R device and am having major issues. I can successfully establish a PHASE I connection, but when it gets to PHASE 2, I get the following error on the Cisco ASA device:

AAA retrieved default group policy (DfltGrpPolicy) for user = 24.249.107.28

Group = 24.249.107.28, IP = 24.249.107.28, PHASE 1 COMPLETED

Group = 24.249.107.28, IP = 24.249.107.28, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.4.167.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside

Group = 24.249.107.28, IP = 24.249.107.28, QM FSM error (P2 struct &0x398ed38, mess id 0x4573604d)!

Group = 24.249.107.28, IP = 24.249.107.28, Removing peer from correlator table failed, no match!

Group = 24.249.107.28, Username = 24.249.107.28, IP = 24.249.107.28, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

10.4.167.0 is the remote subnet (Symantec Device), so the Cisco ASA sees the remote network, but is failing and disconnecting during PHASE 2 negotiations. I have set up everything on both devices to match (SA, Phrase Key, etc...), but I still get these errors. Any ideas?

2 Replies

acomiskey
Level 10

Can you post ASA config? Most likely a problem with your crypto acl.

The ASA config is in the attached text file.
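
The crypto ACL check suggested above can be scripted. This is an added example, not part of the original thread: it parses the "Rejecting IPSec tunnel" line from the question and compares the logged local/remote proxy networks with crypto ACL entries. The ACL lines and their names are constructed for illustration (the poster's config is an attachment not shown here), and the script assumes the ACL is written from the ASA's local network to the remote network.

```python
import ipaddress
import re

# Log line quoted in the question.
LOG_LINE = ("Group = 24.249.107.28, IP = 24.249.107.28, Rejecting IPSec tunnel: "
            "no matching crypto map entry for remote proxy 10.4.167.0/255.255.255.0/0/0 "
            "local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside")
# Constructed ACL lines (hypothetical names and entries, not the poster's config).
SAMPLE_ACL = """\
access-list cryptomap_a extended permit ip 10.4.167.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list cryptomap_b extended permit ip 192.168.1.0 255.255.255.0 10.4.168.0 255.255.255.0
access-list cryptomap_c extended permit ip 192.168.1.0 255.255.255.0 10.4.167.0 255.255.255.0
"""

REJECT_RE = re.compile(
    r"no matching crypto map entry for remote proxy "
    r"(?P<r_net>[\d.]+)/(?P<r_mask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<l_net>[\d.]+)/(?P<l_mask>[\d.]+)/\d+/\d+")
# Only handles network/mask entries: permit ip SRC SMASK DST DMASK
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_reject(line):
    """Return (local, remote) proxy networks from the log line, or None."""
    m = REJECT_RE.search(line)
    return (net(m["l_net"], m["l_mask"]), net(m["r_net"], m["r_mask"])) if m else None

def diagnose(log_line, acl_text):
    """Classify each ACL entry against the proxy identities the ASA logged."""
    proxies = parse_reject(log_line)
    if proxies is None:
        return []
    local, remote = proxies
    verdicts = {(local, remote): "match", (remote, local): "reversed"}
    results = []
    for m in ACE_RE.finditer(acl_text):
        src, dst = net(m["src"], m["smask"]), net(m["dst"], m["dmask"])
        # "reversed" = source and destination swapped relative to the ASA's view.
        results.append((m["name"], str(src), str(dst),
                        verdicts.get((src, dst), "mismatch")))
    return results

if __name__ == "__main__":
    for row in diagnose(LOG_LINE, SAMPLE_ACL):
        print(*row)
```

An entry reported as "reversed" or "mismatch" on the ACL referenced by the crypto map is consistent with the "crypto map policy not found" disconnect reason in the log.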
