Site To Site VPN

Jun 6th, 2008

Hello - I have a PIX 515 (v 7.2) and an ASA 5520. I have a VPN tunnel built between the 2 but I cannot get them to connect. All I get are these messages:


Jun 06 08:43:13 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Jun 06 08:43:46 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!


I can ping x.x.x.x from within the 515.


The ASA is replacing a PIX 501. The tunnel between the 515 and the 501 works fine, just not with the ASA. I can post configs if needed. Any help would be great.


husycisco Fri, 06/06/2008 - 05:10

Hi Andy

Please attach sanitized configs of both devices (515 and the config on ASA, not 501)

Most probably the tunnel-group statement is lost on the ASA, since it needs to have the tunnel-group name the same as the remote peer IP, unlike old IOSes.


Regards

adcorbett_2 Fri, 06/06/2008 - 05:54

Here are the configs - I think you may be right about the names. My predecessor used the IP of the opposite device as the tunnel name so each was different. Let me know if there is anything else I may be missing here, and thank you!



Amadou TOURE Fri, 06/06/2008 - 06:24

Hi

I want to ensure that you have the config below; if not, could you do it accordingly?


Pix 515

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes


where x.x.x.x is the IP of ASA peer


ASA

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y ipsec-attributes


where y.y.y.y is the IP of PIX peer

adcorbett_2 Fri, 06/06/2008 - 06:30

Yes that is correct - X is the IP of the ASA and Y is the IP of the PIX

Amadou TOURE Fri, 06/06/2008 - 06:34


I didn't see on the ASA the command


crypto map peer1 interface outside

adcorbett_2 Fri, 06/06/2008 - 07:09

DOH! That was it. Why is it always the easy stuff?


Thanks!

Amadou TOURE Fri, 06/06/2008 - 07:13

:-)

Yeah, in most cases you just need a double-check; it's hard to be focused all the time.

Amadou TOURE Fri, 06/06/2008 - 07:10


I didn't see on the ASA the command


crypto map peer1 interface outside
