ASA dynamic-to-static VPN fails

Answered Question
Mar 25th, 2010

I have an ASA 5510 with a static address and a 5505 with a dynamic.

I have created a dynamic VPN on the 5510. When the 5505 with its dynamic address tries to connect with me I get the following errors:

Mar 25 05:45:14 [IKEv1]: IP = 213.137.6.203, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '213.137.6.203'.
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Removing peer from peer table failed, no match!
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Error: Unable to remove PeerTblEntry

I also get a similar error when the 5505 has the Aggressive Mode disabled.

Correct Answer by slmansfield about 6 years 8 months ago

It looks like the 5510 believes this is an L2L (site-to-site) connection request as opposed to a dynamically-established connection. It does not have a tunnel group for 213.137.6.203. You could create a tunnel group with that name to resolve this issue.

The other option is to set up the ASAs for a Remote Access (e.g., Easy VPN) connection.

Here is a URL describing how to set up L2L and Easy VPN with NEM.  HTH

http://www.cisco.com/application/pdf/paws/100313/pixasa_easy_l2l_vpn.pdf

slmansfield Thu, 03/25/2010 - 11:58
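
The diagnosis in the answer can be read straight off the log: the peer's first IKE message names a tunnel group the 5510 does not have, and the later messages show the group it fell back to. The following is an added example, not part of the original thread, that pairs those two facts per peer using the log lines from the question; the function names `triage` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied verbatim from the question above.
SAMPLE_LOG = """\
Mar 25 05:45:14 [IKEv1]: IP = 213.137.6.203, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '213.137.6.203'.
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Removing peer from peer table failed, no match!
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Error: Unable to remove PeerTblEntry
"""

# The peer presented an identity that matches no configured tunnel group.
UNKNOWN_GROUP = re.compile(
    r"\[IKEv1\]: IP = (?P<ip>[\d.]+), Received ISAKMP \w+ Mode message \d+ "
    r"with unknown tunnel group name '(?P<name>[^']*)'"
)
# Later messages for the same peer carry the group the ASA actually used.
GROUP_LINE = re.compile(
    r"\[IKEv1\]: Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+), (?P<msg>.*)"
)

def triage(log_text):
    """Map peer IP -> requested group names, fallback groups, follow-on errors."""
    peers = defaultdict(lambda: {"requested": set(), "fallback": set(), "errors": []})
    for line in log_text.splitlines():
        m = UNKNOWN_GROUP.search(line)
        if m:
            peers[m["ip"]]["requested"].add(m["name"])
            continue
        m = GROUP_LINE.search(line)
        if m and m["ip"] in peers:  # only peers already seen with an unknown name
            peers[m["ip"]]["fallback"].add(m["group"])
            peers[m["ip"]]["errors"].append(m["msg"])
    return dict(peers)

def summarize(peers):
    """One line per (peer, requested name) for a quick review of missing groups."""
    out = []
    for ip, info in sorted(peers.items()):
        for name in sorted(info["requested"]):
            fallback = ", ".join(sorted(info["fallback"])) or "none logged"
            # The requested name is the peer's source address; on a dynamic
            # peer that value changes whenever the address does.
            note = " (name equals peer IP)" if name == ip else ""
            out.append(f"{ip}: no tunnel group '{name}'{note}; fell back to {fallback}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```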