01-01-2009 04:12 AM - edited 03-11-2019 07:31 AM
Hi
i am getitng the following error logs in the ASA Firewall version ASA 5510 Version 7.0(7) which is configured in stateful failover with the primary in standby and secondary acting as active unit .The issue is that the IP Address mentioned below 203.101.X.X is the IP of another PIX (branch of this organization only) and having S2S VPN Tunnel with the config of below firewall (IP-202.87.X.X).The tunnel is not able to get established and giving following error. Please help me out to rectify it.
Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry
Jan 01 00:32:02 [IKEv1]: fsmDriver returned error
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!
Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0
After enabling debug , i am getting the following
# debug cry isa sa
Host# Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!
Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!
Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!
Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!
01-02-2009 06:11 AM
hello ankur
was this working before or stopped working, after the firewall went to standby ? just wanted to make sure there arent any issues in the configuration end ! Is this the only tunnel on the devices or are there many other tunnels working, and this is the only one which isnt ?
Raj
01-02-2009 09:03 AM
hi
earlier the firewall primary unit was in the standby mode and secondary unit in the active mode.After failover happened , all the other site to site tunnels are working ; however this is the only one which isn't
01-02-2009 11:26 AM
Is the IP connectivity fine ? can you please send us the configurations ofthe two end devices, with ip address/pw information masked ?
12-20-2010 08:08 PM
Please reload the device and check.
Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry
seems to be a caveat in the software version. You could try upgrading to a higher version to avoid this error permanently.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: