Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
523
Views
5
Helpful
9
Replies

Site To Site VPN

adcorbett_2
Level 1
Level 1

‎06-06-2008 05:06 AM - edited ‎03-11-2019 05:56 AM

Hello - I have a PIX 515 (v 7.2) and a ASA 5520. I have a VPN tunnel built between the 2 but I can not get them to connect. All I get are these messages:

Jun 06 08:43:13 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Jun 06 08:43:46 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!

I can ping x.x.x.x from within the 515.

The ASA is replacing a PIX 501. The tunnel between the 515 and the 501 works fine, just not with the ASA. I can post configs if needed. Any help would be great.

Labels:
0 Helpful
9 Replies 9

husycisco
Level 7
Level 7

‎06-06-2008 05:10 AM

Hi Andy

Please attach sanitized configs of both devices (515 and the config on ASA, not 501)

Most probably the tunnel-group statement is lost on ASA since it needs to have the tunnel-group name same as remote peer IP unlike old IOSes.

Regards

0 Helpful

adcorbett_2
Level 1
Level 1
In response to husycisco

‎06-06-2008 05:54 AM

Here are the configs - I think you may be right about the names. My predecessor used the IP of the opposite device as the tunnel name so each was different. Let me know if there is anything else I may be missing here, and thank you!

Preview file
10 KB
0 Helpful

Amadou TOURE
Level 1
Level 1
In response to adcorbett_2

‎06-06-2008 06:24 AM

Hi

I want to ensure that you have the config below if not could you do it accordingly ?

Pix 515

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

where x.x.x.x is the IP of ASA peer

ASA

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y ipsec-attributes

where y.y.y.y is the IP of PIX peer

0 Helpful

adcorbett_2
Level 1
Level 1
In response to Amadou TOURE

‎06-06-2008 06:30 AM

Yes that is correct - X is the IP of the ASA and Y is the IP of the PIX

0 Helpful

Amadou TOURE
Level 1
Level 1
In response to adcorbett_2

‎06-06-2008 06:34 AM

I didn't see on the ASA the command

crypto map peer1 interface outside

adcorbett_2
Level 1
Level 1
In response to Amadou TOURE

‎06-06-2008 07:09 AM

DOH! That was it. Whay is it always the easy stuff?

Thanks!

0 Helpful

Amadou TOURE
Level 1
Level 1
In response to adcorbett_2

‎06-06-2008 07:13 AM

:-)

yeah, in most case you need just a double-check, it's hard to be focused all time.

0 Helpful

Amadou TOURE
Level 1
Level 1
In response to adcorbett_2

‎06-06-2008 07:10 AM

I didn't see on the ASA the command

crypto map peer1 interface outside

0 Helpful

Amadou TOURE
Level 1
Level 1

‎06-06-2008 05:11 AM

hi,

Yes, please post the config of two equipments.

regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card