Rejecting IPSec tunnel (ASA to ASA VPN)

May 7th, 2009

One of our ASAs went down for an unknown reason and needed to be rebooted. After coming back up, our site-to-site VPN no longer works. I've tried to refresh it with a no/crypto map to no avail. Here are the syslog errors being reported by the one that went down:

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2e6acd8, mess id 0xc77a9d35)!

3|May 07 2009 09:30:35|713061: Group = A.B.C.D, IP = A.B.C.D, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy X.Y.Z.0/ on interface outside

3|May 07 2009 09:30:35|713119: Group = A.B.C.D, IP = A.B.C.D, PHASE 1 COMPLETED

4|May 07 2009 09:30:35|713903: Group = A.B.C.D, IP = A.B.C.D, Freeing previously allocated memory for authorization-dn-attributes

The remote proxy seems like the sore thumb, but I'm at a loss, and Google seems to be too.

Thanks in advance.

ajobrien5 Thu, 05/07/2009 - 11:06

Thanks for the reply.

Apparently the ACL got corrupted with the outage this morning. Rebuilding the crypto map on both ends solved the problem.

I'll keep that guide in my back pocket for next time though.
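
A triage script for the log pattern in this thread (Phase 1 completes, then message 713061 rejects the tunnel), added here as an example and not code from either poster. The line layout is copied from the post; the sample lines, addresses and function names are constructed.

```python
import re
from collections import defaultdict

# Layout copied from the post: severity|timestamp|msgid: Group = G, IP = P, text
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$")
# Proxy fields of message 713061; either value may be blank in a redacted log.
PROXY_RE = re.compile(
    r"remote proxy\s*(?P<remote>\S*?)\s*local proxy\s*(?P<local>\S*)"
    r"\s+on interface (?P<ifc>\S+)")

# Constructed sample lines (documentation addresses), newest first as in the post.
SAMPLE_LINES = [
    "3|May 07 2009 09:30:35|713061: Group = 203.0.113.10, IP = 203.0.113.10, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "192.168.50.0/255.255.255.0/0/0 local proxy 10.1.0.0/255.255.0.0/0/0 "
    "on interface outside",
    "3|May 07 2009 09:30:35|713119: Group = 203.0.113.10, IP = 203.0.113.10, "
    "PHASE 1 COMPLETED",
    "3|May 07 2009 09:31:02|713119: Group = 198.51.100.7, IP = 198.51.100.7, "
    "PHASE 1 COMPLETED",
]

def parse(lines):
    """Return one dict per line that matches the layout; skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, map(str.strip, lines)) if m]

def rejected_tunnels(lines):
    """List every 713061 rejection, noting whether Phase 1 (713119) completed."""
    by_peer = defaultdict(list)
    for ev in parse(lines):
        by_peer[ev["ip"]].append(ev)
    findings = []
    for peer, events in by_peer.items():
        phase1_ok = any(e["msgid"] == "713119" for e in events)
        for e in (e for e in events if e["msgid"] == "713061"):
            p = PROXY_RE.search(e["text"])
            findings.append({
                "peer": peer, "phase1_ok": phase1_ok,
                "remote_proxy": (p and p["remote"]) or None,
                "local_proxy": (p and p["local"]) or None,
                "interface": p["ifc"] if p else None,
            })
    return findings

if __name__ == "__main__":
    for f in rejected_tunnels(SAMPLE_LINES):
        print(f)
```

A finding with `phase1_ok` set and both proxies listed points at the crypto map ACL for that peer, which is where the poster found the fault.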

