5505 L2L VPN Issue

xcz504d1114
Level 4

Here is the Error.

RTR_SPOKE# Apr 16 22:16:42 [IKEv1]: IP = 2.2.2.2, Removing peer from peer table failed, no match!

Apr 16 22:16:42 [IKEv1]: IP = 2.2.2.2, Error: Unable to remove PeerTblEntry

My understanding is that it is a Phase 1 problem. I get the error on both sides, so that tells me the IPs are set up right. One of the routers is a "hub" for 2 L2L connections; one is working fine, the other is not. For the life of me I can't see what I'm missing.

A few things I've done:

1) Verified the pre-shared keys (multiple times)

2) Cleared isakmp

3) Rebuilt the Crypto maps

Attached are the relevant configs

Thanks in advance.

6 Replies

andrew.prince
Level 10

Firstly, the config looks OK.

Secondly, check your PSK matches.

Thirdly, debug the isakmp with more info - debug crypto isakmp 30

HTH

Thanks for the reply Andrew, I'll check that here in a bit! I'll keep rating if you keep helping :)

Craig

By PSK, I assume you mean Pre-Shared Key. I have that simplified to a single character while I get this up and running, just to eliminate all doubt in my mind that I fat-fingered it.

Here is the output of the debug 30 from the Spoke Router:

Apr 17 10:41:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 2.2.2.2 local Proxy Address 10.0.2.0, remote Proxy Address 10.0.1.0, Crypto map (outside_map)

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing ISAKMP SA payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing NAT-Traversal VID ver 02 payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing NAT-Traversal VID ver 03 payload

Apr 17 10:41:11 [IKEv1 DEBUG]: IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload

Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE(0) total length : 184

Apr 17 10:41:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:14 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:19 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:20 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:27 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:32 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:35 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 10:41:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:35 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 10:41:41 [IKEv1]: IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to beprocessed when P1 SA is complete.

Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE MM Initiator FSM error history (struct &0x39cce90) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE SA MM:99022348 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, sending delete/delete with reason message

Apr 17 10:41:43 [IKEv1]: IP = 2.2.2.2, Removing peer from peer table failed, no match!

Apr 17 10:41:43 [IKEv1]: IP = 2.2.2.2, Error: Unable to remove PeerTblEntry

Here is the debug 30 from the Hub. I had to truncate some of the repeat messages to make it fit; I put line breaks where I removed repeat lines.

Apr 17 12:09:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:23 [IKEv1]: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 1.1.1.1 local Proxy Address 10.0.1.0, remote Proxy Address 10.0.2.0, Crypto map (outside_map)

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload

Apr 17 12:09:23 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload

Apr 17 12:09:23 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:29 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:31 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:38 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:39 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:39 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:41 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:42 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:44 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 17 12:09:45 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Apr 17 12:09:47 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184

Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x3a22700) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA MM:5f411dd7 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Apr 17 12:09:55 [IKEv1 DEBUG]: IP = 1.1.1.1, sending delete/delete with reason message

Apr 17 12:09:55 [IKEv1]: IP = 1.1.1.1, Removing peer from peer table failed, no match!

Apr 17 12:09:55 [IKEv1]: IP = 1.1.1.1, Error: Unable to remove PeerTblEntry

Hi, I just experienced a problem that may be related to these special characters. I didn't test fully, so take this advice with a bit of caution: under ASA 7.23 OS and possibly other OS versions, using special characters in keys causes the key to become deformed or invalid (don't know which). I upgraded to OS 8.X, re-entered the pre-shared key with special characters, and it worked.

Sorry I never updated this. My issue ended up being an ISP issue: they had a service feature that would "help" the end user; in short, they were redirecting my VPN traffic to where they thought I wanted it to go. The resolution was to switch ISPs; their level 1 techs were very adamant about not escalating :)
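The debug output posted in this thread can be triaged mechanically. The Python sketch below is an added example, not part of the original thread and not Cisco tooling: the names `triage`, `SAMPLE` and the verdict wording are made up here, and the log sample is constructed, modelled on the spoke-side lines above. It counts sent, resent and received IKE messages per peer and reads the state paired with EV_ERROR in the FSM history, which separates "no reply at all" from a failure later in Main Mode, where a pre-shared key mismatch would show up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the spoke-side debug lines in the thread.
SAMPLE = """\
Apr 17 10:41:11 [IKEv1]: IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Apr 17 10:41:19 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Apr 17 10:41:27 [IKEv1]: IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Apr 17 10:41:43 [IKEv1 DEBUG]: IP = 2.2.2.2, IKE MM Initiator FSM error history (struct &0x39cce90) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2
Apr 17 10:41:43 [IKEv1]: IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
"""

LINE = re.compile(r"\[IKEv1(?: DEBUG)?\]: IP = (?P<ip>[\d.]+), (?P<msg>.*)")
DECODE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message")
FAILED = re.compile(r"EV_ERROR-->(MM_\w+)")
KEYS = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}

def triage(log_text):
    """Return {peer_ip: summary} for IKEv1 Main Mode attempts in log_text."""
    peers = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0,
                                 "stuck_in": None, "verdict": "incomplete"})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # e.g. "Pitcher:" lines carry no peer address
        p, msg = peers[m["ip"]], m["msg"]
        d = DECODE.search(msg)
        if d:
            p[KEYS[d.group(1)]] += 1
        elif "FSM error" in msg:
            # The state paired with EV_ERROR is where the exchange gave up.
            f = FAILED.search(msg)
            p["stuck_in"] = f.group(1) if f else None
    for p in peers.values():
        if p["stuck_in"] == "MM_WAIT_MSG2" and p["received"] == 0:
            # Nothing came back for message 1; the PSK was never exercised.
            p["verdict"] = "no reply to first Main Mode packet: check the path (UDP 500) before the PSK"
        elif p["stuck_in"]:
            p["verdict"] = "peer replied, then negotiation failed in " + p["stuck_in"]
    return dict(peers)

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE).items():
        print(ip, summary)
```

When both ends report this same pattern against each other, as the spoke and hub logs here do, neither side's first packet is reaching an IKE responder.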
