
RA VPN Hanging

I have an ASA (5510) that is running 8.02; it needs to terminate VPNs on its outside interface. I have developed what I believe is a good config, but it's not working. I get the following error message...

Sep 13 04:37:42 [IKEv1]: Group = USERVPN, IP = x.x.x.103, Removing peer from peer table failed, no match!

Sep 13 04:37:42 [IKEv1]: Group = USERVPN, IP = x.x.x.103, Error: Unable to remove PeerTblEntry

Here is the configuration:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set XFORMSET-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map OUTSIDE_DYN_MAP 20 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map OUTSIDE_MAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10


Re: RA VPN Hanging

Check if you have matching sets of pre-share keys on both sides. Also check the configuration of the access lists. The following link may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

Re: RA VPN Hanging

Hello,

I recently had the same problem and spent like three nights trying to figure it out. I started researching the potential cause of the errors using the log entry: http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html

Pretty much what it came down to was that on one side of the VPN connection, i.e. an 871 router, there was an ACL applied that was blocking UDP 500 and ESP. Try verifying on the remote end that UDP 500 and ESP are not being blocked.

Patrick
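
An ACL of the kind described in the reply above, shown before and after the fix, as an added example that is not part of the original thread. The ACL name, the interface and the 192.0.2.10 address (standing in for the ASA's OUTSIDE address) are placeholders, and the ACL is assumed to be applied inbound on the remote router's WAN interface; UDP 4500 is included because the posted ASA config enables NAT traversal.

```cisco
! Constructed example for an IOS router at the remote end.
! WAN-IN, FastEthernet4 and 192.0.2.10 are hypothetical placeholders.
!
! Before: IKE (UDP 500) and ESP from the ASA fall through to the implicit deny.
! ip access-list extended WAN-IN
!  permit tcp any any established
!  permit icmp any any echo-reply
!
! After: VPN traffic from the ASA is permitted ahead of the implicit deny.
ip access-list extended WAN-IN
 ! IKE phase 1 and 2 negotiation
 permit udp host 192.0.2.10 any eq isakmp
 ! IKE and ESP-in-UDP once NAT traversal is negotiated (UDP 4500)
 permit udp host 192.0.2.10 any eq non500-isakmp
 ! Native ESP (IP protocol 50) when no NAT is detected
 permit esp host 192.0.2.10 any
 permit tcp any any established
 permit icmp any any echo-reply
!
interface FastEthernet4
 ip access-group WAN-IN in
!
! Verification: per-entry match counters show whether IKE/ESP packets arrive
! and which entry they hit.
! show access-lists WAN-IN
```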
