Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Problems with VPN ASA 5510

Hi All

I have a ASA 5510, I have configure 2 VPN, router 850-ASA is OK, but I can't establish the other VPN ASA-Astaro, the error is:

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

My configuration for VPN is:

ACL:

access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

VPN:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Internet_map 20 match address Internet_cryptomap_20_1

crypto map Internet_map 20 set peer 186.1.10.74

crypto map Internet_map 20 set transform-set ESP-3DES-MD5

crypto map Internet_map 20 set security-association lifetime seconds 86400

crypto map Internet_map 20 set security-association lifetime kilobytes 4608000

crypto map Internet_map 20 set nat-t-disable

crypto map Internet_map 40 match address Internet_cryptomap_40

crypto map Internet_map 40 set peer 165.98.233.180

crypto map Internet_map 40 set transform-set ESP-3DES-MD5

crypto map Internet_map 40 set security-association lifetime seconds 86400

crypto map Internet_map 40 set security-association lifetime kilobytes 4608000

crypto map Internet_map 60 match address Internet_cryptomap_60

crypto map Internet_map 60 set peer 200.50.2.114

crypto map Internet_map 60 set transform-set ESP-3DES-MD5

crypto map Internet_map 60 set security-association lifetime seconds 28800

crypto map Internet_map 60 set security-association lifetime kilobytes 4608000

crypto map Internet_map interface Internet

isakmp identity address

isakmp enable Internet

isakmp enable management

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group 186.1.10.74 type ipsec-l2l

tunnel-group 186.1.10.74 ipsec-attributes

pre-shared-key *

tunnel-group 165.98.233.180 type ipsec-l2l

tunnel-group 165.98.233.180 ipsec-attributes

pre-shared-key *

tunnel-group 200.50.2.114 type ipsec-l2l

tunnel-group 200.50.2.114 ipsec-attributes

pre-shared-key *

Thanks in Advanced

Regards

1 REPLY
Bronze

Re: Problems with VPN ASA 5510

Removing peer from correlator table failed, no match!

This typically means one of a few things including, incorrect peer address configured in the L2L setup page, mis-matched local and remote newtork definitions, Agressive Mode vs. Main Mode misconfig, and IKE Proposal parameters not matching up on both ends.

3308
Views
0
Helpful
1
Replies
CreatePlease to create content