Site to Site VPN using Cisco 2651XM and ASA5505

Answered Question
Jul 14th, 2009

Hello Experts,

I have an issue setting up a site-to-site VPN between a Cisco 2651XM and an ASA5505.

Here's the config from both the devices.

On Cisco 2651XM

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco12345 address 205.200.8.XXX

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to205.200.8.251
 set peer 205.200.8.XXX
 set transform-set ESP-DES-SHA
 match address 102
 qos pre-classify

interface Dialer1
 ip nbar protocol-discovery
 crypto map SDM_CMAP_2

On ASA 5505

access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip
access-list outside_6_cryptomap_1 extended permit ip

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer
crypto map outside_map 6 set transform-set ESP-DES-SHA
crypto map outside_map interface outside

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *

Here's the output log from ASA5505

IP = 205.200.9.XXX Received encrypted packet with no matching SA, dropping

Group = 205.200.9.XXX Username = 205.200.9.XXX IP = 205.200.9.XXX Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Group = 205.200.9.XXX IP = 205.200.9.XXX Removing peer from correlator table failed, no match!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, QM FSM error (P2 struct &0xd7b42260, mess id 0x84b2979c)!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, All IPSec SA proposals found unacceptable!

Group = 205.200.9.XXX, IP = 205.200.9.XXX, PHASE 1 COMPLETED

Please help me out.


Correct Answer by Collin Clark about 7 years 8 months ago
Overall Rating: 3 (1 ratings)
bansal.ojasvi Tue, 07/14/2009 - 19:56

Went through the link. Tried doing what relates to my issue but no luck. Any other ideas?

bansal.ojasvi Wed, 07/15/2009 - 20:30

I found out the issue. It was a PFS group issue. The sh crypto map command helped me. It was showing DH1; I changed it to DH2 and the issue was resolved. Thanks for your help though.
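
A Phase 2 mismatch like the one resolved above can be caught before the tunnel is brought up by comparing what each peer's crypto map will propose. The following is an added example, not part of the original thread or either poster's configuration: the function names are hypothetical, the sample configs are constructed, and the default PFS groups in DEFAULT_PFS are assumptions for IOS 12.x and ASA 8.x-era software.

```python
import re

# Assumption: group applied when "set pfs" names none (IOS 12.x / ASA 8.x era
# defaults); confirm against the command reference for the running release.
DEFAULT_PFS = {"ios": "group1", "asa": "group2"}

def phase2_params(config, platform):
    """Return the transforms and PFS group a crypto map would negotiate."""
    transform_sets, chosen, pfs = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
            continue
        # IOS nests "set ..." under the map; ASA writes "crypto map NAME SEQ set ..."
        m = re.search(r"(?:^|\s)set (transform-set|pfs)\b\s*(\S*)", line)
        if not m or line.startswith("no "):
            continue
        if m.group(1) == "transform-set":
            chosen = m.group(2)
        else:
            pfs = m.group(2) or DEFAULT_PFS[platform]
    return {"transforms": transform_sets.get(chosen), "pfs": pfs}

def phase2_mismatches(side_a, side_b):
    """Names of Phase 2 parameters on which the two peers disagree."""
    return sorted(k for k in side_a if side_a[k] != side_b[k])

# Constructed samples modelled on the thread (peer addresses and ACLs omitted).
ROUTER = """
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set transform-set ESP-DES-SHA
 set pfs group1
"""
ASA = """
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 set pfs
crypto map outside_map 6 set transform-set ESP-DES-SHA
"""

if __name__ == "__main__":
    asa = phase2_params(ASA, "asa")
    print(phase2_mismatches(phase2_params(ROUTER, "ios"), asa))
    fixed = ROUTER.replace("group1", "group2")
    print(phase2_mismatches(phase2_params(fixed, "ios"), asa))
```

A side with no "set pfs" line at all is reported with pfs set to None, which also counts as a mismatch against a peer that requires PFS.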

