
DefaultL2LGroup keeps trying to connect to an old IP address

Answered Question
Dec 28th, 2014

Hello all,

 

We have a Cisco ASA 5510 that had a VPN tunnel established with the previous network administrator's home connection.  When he resigned, we deleted the tunnel-group.  I've noticed, however, in the logs we still see:

4 Dec 28 2014 07:51:26     Group = DefaultL2LGroup, IP = x.x.x.x, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting

 

Where the x.x.x.x is the guy's home IP address. I tried grepping his IP in show run and all I found was an ACL entry.  Is there any way to get DefaultL2LGroup to stop trying to reestablish this tunnel?

 

Thanks!

johnlloyd_13 Sun, 12/28/2014 - 18:53
User Badges:
  • Blue, 1500 points or more

hi,

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>

Marvin Rhoads Sun, 12/28/2014 - 19:10
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame
  • Cisco Designated VIP, 2017 Firewalling, Network Management, VPN

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

tedbronson Sun, 12/28/2014 - 22:12
User Badges:

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

 

He says he has removed it on his end, and that our firewall is still trying to bring up a tunnel with him.

 

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>

 

When I do "no crypto isakmp key <key> address <ip>" I get:

ERROR:no keyword not supported.Command deprecated
Usage: crypto { ca | dynamic-map | engine | ipsec | isakmp | key | map  }
        For more detailed help, please refer directly to the subcommands

 

 

If I understand everything right we are using the transform-set for other VPN connections as well.

For the last one, I don't see any crypto map entries with his IP as the peer.

 

Correct Answer
Marvin Rhoads Mon, 12/29/2014 - 05:47
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame
  • Cisco Designated VIP, 2017 Firewalling, Network Management, VPN

Since you see 

     ERROR, had problems decrypting packet

I would say his configuration is still trying to send you encrypted packets.

 

tedbronson Mon, 12/29/2014 - 11:41
User Badges:

That was the problem, he thought he had removed it from his end and hadn't. Thanks!
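A defender-side check for the log message discussed in this thread, added here as an example and not taken from the original posts or from Cisco: it parses ASA IKE log lines in the format shown above, keeps only those that landed in DefaultL2LGroup from peers that are not in the list of configured tunnel-group peers (assumed to be collected beforehand from the running config), and reports how often and when each unknown peer appeared. A proposal that hits DefaultL2LGroup was sent by the remote end, so the ASA is the responder, which is the point Marvin makes. The sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches the ASA IKE line format quoted in the thread:
# "<sev>Mon DD YYYY HH:MM:SS   Group = <group>, IP = <peer>, <message>"
ASA_IKE_RE = re.compile(
    r"^(?P<sev>\d)\s*(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Group = (?P<group>[^,]+), IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<msg>.*)$"
)

# Constructed sample log (documentation address space, not real peers).
SAMPLE_LOG = """\
4Dec 28 2014 07:51:26     Group = DefaultL2LGroup, IP = 203.0.113.45, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
4Dec 28 2014 07:53:02     Group = DefaultL2LGroup, IP = 203.0.113.45, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
4Dec 28 2014 07:55:10     Group = 198.51.100.7, IP = 198.51.100.7, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
4Dec 28 2014 07:56:00     Group = DefaultL2LGroup, IP = 192.0.2.9, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
some unrelated syslog line
"""

def parse_ike_events(log_text):
    """Yield a dict (sev, ts, group, ip, msg) for every line in ASA IKE format."""
    for line in log_text.splitlines():
        m = ASA_IKE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def unknown_l2l_peers(log_text, configured_peers):
    """Summarise IKE errors in DefaultL2LGroup from peers not in configured_peers.

    A site-to-site proposal that matches no 'tunnel-group <peer-ip>' entry is
    handled by DefaultL2LGroup, so every peer listed here was sending IKE traffic
    to the ASA. configured_peers is assumed to hold the peer addresses of the
    tunnel-groups still present in the running config (collected separately).
    """
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "msgs": set()})
    for ev in parse_ike_events(log_text):
        if ev["group"] != "DefaultL2LGroup" or ev["ip"] in configured_peers:
            continue
        rec = seen[ev["ip"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or ev["ts"]   # first line wins
        rec["last"] = ev["ts"]                     # latest line wins
        rec["msgs"].add(ev["msg"])
    return dict(seen)

if __name__ == "__main__":
    for ip, rec in unknown_l2l_peers(SAMPLE_LOG, {"198.51.100.7"}).items():
        print(f"{ip}: {rec['count']} attempt(s), first {rec['first']}, last {rec['last']}")
```

Peers reported here are candidates for an upstream filter or for a request to the remote end to remove its configuration, as suggested in the thread.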
