Solved: ASA dynamic-to-static VPN fails

toprock1970 · ‎03-25-2010

I have an ASA 5510 with a stic address and a 5505 with a dynmic.

I have created a dynamic VPN on the 5510. When the 5505 with it's dynamic address tried to connect with me I get the following errors:

Mar 25 05:45:14 [IKEv1]: IP = 213.137.6.203, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '213.137.6.203'.
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Removing peer from peer table failed, no match!
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Error: Unable to remove PeerTblEntry

I also get a similar error when the 5505 has the Aggressive Mode disabled

slmansfield · ‎03-25-2010

It looks like the 5510 believes this is a L2L (site-to-site) connection request as opposed to a dynamically-established connection. It does not have a tunnel group for 213.137.6.203. You could create a tunnel group with that name to resolve this issue.

The other option is to set up the ASA's for a Remote Access (e.g., Easy VPN) connection.

Here is a URL describing how to set up L2L and Easy VPN with NEM. HTH

http://www.cisco.com/application/pdf/paws/100313/pixasa_easy_l2l_vpn.pdf

View solution in original post

slmansfield · ‎03-25-2010

It looks like the 5510 believes this is a L2L (site-to-site) connection request as opposed to a dynamically-established connection. It does not have a tunnel group for 213.137.6.203. You could create a tunnel group with that name to resolve this issue.

The other option is to set up the ASA's for a Remote Access (e.g., Easy VPN) connection.

Here is a URL describing how to set up L2L and Easy VPN with NEM. HTH

http://www.cisco.com/application/pdf/paws/100313/pixasa_easy_l2l_vpn.pdf