
Reg. ASA 5510 Error

ankurs2008
Level 1

Hi

I am getting the following error logs on the ASA firewall (ASA 5510, Version 7.0(7)), which is configured in stateful failover with the primary in standby and the secondary acting as the active unit. The issue is that the IP address mentioned below, 203.101.X.X, is the IP of another PIX (a branch of this organization only) and has an S2S VPN tunnel with the config of the firewall below (IP 202.87.X.X). The tunnel is not able to get established and gives the following error. Please help me rectify it.

Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry

Jan 01 00:32:02 [IKEv1]: fsmDriver returned error

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

After enabling debug, I am getting the following:

# debug cry isa sa

Host# Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!


sachinraja
Level 9

Hello Ankur,

Was this working before, or did it stop working after the firewall went to standby? Just wanted to make sure there aren't any issues on the configuration end! Is this the only tunnel on the devices, or are there many other tunnels working, and this is the only one which isn't?

Raj

Hi,

Earlier the firewall primary unit was in standby mode and the secondary unit in active mode. After failover happened, all the other site-to-site tunnels are working; however, this is the only one which isn't.

Is the IP connectivity fine? Can you please send us the configurations of the two end devices, with IP address/password information masked?

Srikanth K. S
Cisco Employee

Please reload the device and check.

Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry

Seems to be a caveat in the software version. You could try upgrading to a higher version to avoid this error permanently.
