VPN errors between remote and Local ASA

Unanswered Question
Oct 4th, 2014

I can't seem to establish a VPN between remote ASA 5505 and my local 5550 ASA. In my logs I am getting the following:

IP = 62.73.210.83, IKE Initiator: New Phase 1, Intf inside, IKE Peer 62.73.210.83 local Proxy Address 10.199.1.0, remote Proxy Address 10.200.1.240, Crypto map (myMAP)
IP = 62.73.210.83, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 62.73.210.83, Error: Unable to remove PeerTblEntry
IP = 62.73.210.83, Removing peer from peer table failed, no match!
Remote 5505 ASA:

crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 62.73.210.83
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21

tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
 pre-shared-key *

 

Local 5550 ASA:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set mySET esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.83 
crypto map myMAP 1 set transform-set mySET ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
 split-tunnel-policy tunnelspecified
 nem enable
group-policy Mearsk internal
group-policy Mearsk attributes
 vpn-tunnel-protocol IPSec 
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
tunnel-group 62.73.210.83 type ipsec-l2l
tunnel-group 62.73.210.83 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup

Marvin Rhoads Sat, 10/04/2014 - 07:17

Your remote ASA 5505 has:

crypto map mymap 10 set peer 62.73.210.83

From what I can see it should be 65.181.59.210

swashbuckler Sat, 10/04/2014 - 16:10
Thank you for responding, I tried that too in the beginning and I get the same errors as above.

Marvin Rhoads Sun, 10/05/2014 - 08:12

Well, whether or not that fixes the root cause, it will need to be set to that.

You should also confirm that the access-lists called by your crypto map for the respective ends are mirror images of each other. (VPNL2L and outside_cryptomap_1).
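The two things raised in the replies above (the remote crypto map's `set peer` address must be the address its `ipsec-l2l` tunnel-group is named after, and the two crypto ACLs must be mirror images of each other) can be checked mechanically before touching the boxes. The script below is an added example, not code from the thread or from Cisco. The configs it parses are constructed: the peer and tunnel-group lines follow the posts, but neither access-list was posted, so the `outside_cryptomap_1` and `VPNL2L` entries are assumed here (the local one is built from the proxy addresses in the logged IKE message, with an assumed /28 mask on 10.200.1.240).

```python
"""Offline sanity checks for an ASA IKEv1 site-to-site pair (added example).

Check 1: every 'crypto map ... set peer X' should have a 'tunnel-group X type ipsec-l2l'
         (without one the ASA falls back to DefaultL2LGroup, so treat this as a warning).
Check 2: the crypto ACL on each side must be the mirror image of the other side's ACL.
"""
import ipaddress
import re

# --- constructed sample configs (only the lines the checks need) ---------------------
# Local 5550, based on the posted config plus an ASSUMED crypto ACL derived from the
# logged proxy addresses (10.199.1.0 local, 10.200.1.240 remote; /28 is an assumption).
LOCAL_CFG = """
access-list outside_cryptomap_1 extended permit ip 10.199.1.0 255.255.255.0 10.200.1.240 255.255.255.240
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.83
tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group 62.73.210.83 type ipsec-l2l
"""

# Remote 5505 as posted (peer and tunnel-group disagree) with an ASSUMED ACL.
REMOTE_CFG_AS_POSTED = """
access-list VPNL2L extended permit ip 10.200.1.0 255.255.255.0 10.199.1.0 255.255.255.0
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 62.73.210.83
tunnel-group 65.181.59.210 type ipsec-l2l
"""

# Remote 5505 with the peer corrected and the ACL mirrored against the local one.
REMOTE_CFG_FIXED = """
access-list VPNL2L extended permit ip 10.200.1.240 255.255.255.240 10.199.1.0 255.255.255.0
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 65.181.59.210
tunnel-group 65.181.59.210 type ipsec-l2l
"""


def _parse_addr(tokens, i):
    """Consume one ASA ACL address spec at tokens[i]; return (network, next index).

    ASA extended ACLs use a subnet mask (255.255.255.0), not an IOS wildcard mask."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(cfg, name):
    """Return [(src_net, dst_net), ...] for 'access-list <name> extended permit ip ...' lines."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 7 or t[:2] != ["access-list", name] or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Each local (src, dst) must appear on the remote as (dst, src), and vice versa."""
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[1], e[0]) not in remote_set]
    missing_on_local = [e for e in remote if (e[1], e[0]) not in local_set]
    return missing_on_remote, missing_on_local


def l2l_peer_problems(cfg):
    """Compare crypto-map peer addresses with the names of ipsec-l2l tunnel-groups."""
    peers, groups = set(), set()
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"crypto map \S+ \d+ set peer (.+)$", line)
        if m:
            peers.update(m.group(1).split())  # 'set peer a b' lists backup peers
        m = re.match(r"tunnel-group (\S+) type ipsec-l2l$", line)
        if m:
            groups.add(m.group(1))
    return {"peers_without_tunnel_group": sorted(peers - groups),
            "tunnel_groups_without_peer": sorted(groups - peers)}


def check_pair(local_cfg, local_acl, remote_cfg, remote_acl):
    """Run both checks across the pair; empty lists mean the pair is consistent."""
    not_on_remote, not_on_local = mirror_mismatches(
        parse_crypto_acl(local_cfg, local_acl), parse_crypto_acl(remote_cfg, remote_acl))
    return {"local_peers": l2l_peer_problems(local_cfg),
            "remote_peers": l2l_peer_problems(remote_cfg),
            "acl_entries_missing_on_remote": not_on_remote,
            "acl_entries_missing_on_local": not_on_local}


if __name__ == "__main__":
    for label, remote in (("as posted", REMOTE_CFG_AS_POSTED), ("fixed", REMOTE_CFG_FIXED)):
        print(f"--- remote config {label} ---")
        for k, v in check_pair(LOCAL_CFG, "outside_cryptomap_1", remote, "VPNL2L").items():
            print(f"{k}: {v}")
```

Against the posted remote config the script flags `62.73.210.83` as a peer with no matching tunnel-group and `65.181.59.210` as a tunnel-group with no peer, which is the mismatch the first reply points at; with the corrected remote config both lists come back empty. The ACL check works on exact network pairs on purpose: the ASA negotiates proxy IDs per ACL entry, so a /24 on one side against a /28 on the other is a Phase 2 mismatch even though the ranges overlap. Both sample configs also keep the thread's `des`/`md5` ISAKMP policy and `esp-des esp-md5-hmac` transform set only so they match the posts; for anything new, AES and SHA are the practical minimum.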
