5505 L2L VPN Issue

Apr 16th, 2009

Here is the error.

RTR_SPOKE# Apr 16 22:16:42 [IKEv1]: IP = 2.2.2.2, Removing peer from peer table failed, no match!

Apr 16 22:16:42 [IKEv1]: IP = 2.2.2.2, Error: Unable to remove PeerTblEntry


My understanding is it is a Phase 1 problem. I get the error on both sides, so that tells me the IPs are set up right. One of the routers is a "hub" for 2 L2L connections; one is working fine, the other is not. For the life of me I can't see what I'm missing.


A few things I've done:

1) Verified the pre-shared keys (multiple times)

2) Cleared isakmp

3) Rebuilt the Crypto maps


Attached are the relevant configs


Thanks in advance.





xcz504d1114 Fri, 04/17/2009 - 08:07

Thanks for the reply Andrew, I'll check that here in a bit! I'll keep rating if you keep helping :)


Craig

xcz504d1114 Fri, 04/17/2009 - 09:05

By PSK, I assume you mean Pre-Shared Key, I have that simplified to a single character while I get this up and running, just to eliminate all doubt in my mind that I fat fingered it.


Here is the output of the debug 30 from the Spoke Router:

Apr 17 10:41:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 2.2.2.2 local Proxy Address 10.0.2.0, remote Proxy Address 10.0.1.0, Crypto map (outside_map)

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing ISAKMP SA payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing NAT-Traversal VID ver 02 payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing NAT-Traversal VID ver 03 payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload

Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE(0) total length : 184

Apr 17 10:41:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:14 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:19 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:20 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:27 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:32 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:35 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:35 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:41 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.


Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE MM Initiator FSM error history (struct &0x39cce90) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY


Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE SA MM:99022348 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, sending delete/delete with reason message

Apr 17 10:41:43 [IKEv1]: IP = 2.2.2.2, Removing peer from peer table failed, no match!

Apr 17 10:41:43 [IKEv1]: IP = 2.2.2.2, Error: Unable to remove PeerTblEntry



xcz504d1114 Fri, 04/17/2009 - 09:15

Here is the debug 30 from the Hub, I had to truncate some of the repeat messages to make it fit, I put line breaks where I removed repeat lines.


Apr 17 12:09:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:23 [IKEv1]: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 1.1.1.1 local Proxy Address 10.0.1.0, remote Proxy Address 10.0.2.0, Crypto map (outside_map)

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload

Apr 17 12:09:23 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0


Apr 17 12:09:29 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0


Apr 17 12:09:38 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:39 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:39 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:41 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:42 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:44 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:45 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:47 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184


Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x3a22700) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA MM:5f411dd7 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, sending delete/delete with reason message

Apr 17 12:09:55 [IKEv1]: IP = 1.1.1.1, Removing peer from peer table failed, no match!

Apr 17 12:09:55 [IKEv1]: IP = 1.1.1.1, Error: Unable to remove PeerTblEntry



Hi, I just experienced a problem that may be related to these special characters. I didn't test fully, so take this advice with a bit of caution: under ASA 7.23 OS and possibly other OS versions, using special characters in keys causes the key to become deformed, or invalid (don't know which). I upgraded to OS 8.X, re-entered the pre-shared key with special characters and it worked.

xcz504d1114 Mon, 06/29/2009 - 11:38

Sorry I never updated this. My issue ended up being an ISP issue: they had a service feature that would "help" the end user; in short, they were redirecting my VPN traffic to where they thought I wanted it to go. The resolution was to switch ISPs; their level 1 techs were very adamant about not escalating :)
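
An added example, not part of the original thread: a small Python triage of the IKEv1 debug output posted above. It counts Phase 1 packets sent versus received per peer and reads the failing state from the FSM history, which separates "no reply to the first Main Mode packet" (a path problem, as the ISP turned out to be) from failures after the peer has answered; the pre-shared key is not checked until later in Main Mode. The names `unwrap` and `diagnose` and the verdict strings are this example's own, and it assumes the FSM history lists the newest transition first, so the state after `EV_ERROR` is where the exchange failed.

```python
import re
from collections import defaultdict

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \[IKEv1")   # start of a record
PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+),")
# RECEIVED is the ASA wording for inbound IKE messages; none appear in the thread's logs.
MSG = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message")
FSM = re.compile(r"FSM error.*?EV_ERROR-->(\w+)")   # state at EV_ERROR (assumed newest-first)

# Abridged from the spoke debug in the thread (payload lists shortened, FSM line wrapped).
SPOKE_LOG = """\
Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1)
Apr 17 10:41:19 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1)
Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE MM Initiator FSM error
history (struct &0x39cce90) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2,
EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_
SND_MSG-->MM_SND_MSG1
"""

def unwrap(text):
    """Rejoin wrapped continuation lines (no timestamp) onto the record they belong to."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += line.strip()
    return records

def diagnose(text):
    """Per peer: count Phase 1 packets sent/received and name the state that failed."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "failed_in": None})
    for rec in unwrap(text):
        peer, msg, fsm = PEER.search(rec), MSG.search(rec), FSM.search(rec)
        if not peer:
            continue
        s = stats[peer.group(1)]
        if msg:
            s["received" if msg.group(1) == "RECEIVED" else "sent"] += 1
        if fsm:
            s["failed_in"] = fsm.group(1)
    for s in stats.values():
        if s["sent"] and not s["received"] and s["failed_in"] == "MM_WAIT_MSG2":
            s["verdict"] = "no reply to first Main Mode packet: check the UDP 500 path first"
        elif s["received"]:
            s["verdict"] = "peer answered: compare ISAKMP policy and pre-shared key"
        else:
            s["verdict"] = "inconclusive"
    return dict(stats)
```

Calling `diagnose(SPOKE_LOG)` returns one entry per peer IP with the counters, the failing state and the verdict.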
