New Member

Reg. ASA 5510 Error

Hi,

I am getting the following error logs on the ASA firewall (ASA 5510, Version 7.0(7)), which is configured in stateful failover with the primary in standby and the secondary acting as the active unit. The issue is that the IP address mentioned below, 203.101.X.X, is the IP of another PIX (a branch of this organization only) and has an S2S VPN tunnel with the config of the below firewall (IP 202.87.X.X). The tunnel is not able to get established and is giving the following error. Please help me out to rectify it.

Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry

Jan 01 00:32:02 [IKEv1]: fsmDriver returned error

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!

Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0, qm_decrypt_cb = 0, qm_hash_cb = 0, qm_spi_ok_cb = 0, qm_dh_cb = 0, qm_secret_key_cb = 0, qm_encrypt_cb = 0

After enabling debug, I am getting the following:

# debug cry isa sa

Host# Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!

4 REPLIES

Re: Reg. ASA 5510 Error

Hello Ankur,

Was this working before, or did it stop working after the firewall went to standby? Just wanted to make sure there aren't any issues on the configuration end! Is this the only tunnel on the devices, or are there many other tunnels working and this is the only one which isn't?

Raj

New Member

Re: Reg. ASA 5510 Error

Hi,

Earlier the firewall primary unit was in standby mode and the secondary unit in active mode. After failover happened, all the other site-to-site tunnels are working; however, this is the only one which isn't.

Re: Reg. ASA 5510 Error

Is the IP connectivity fine? Can you please send us the configurations of the two end devices, with IP address/pw information masked?

Cisco Employee

Re: Reg. ASA 5510 Error

Please reload the device and check.

Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry

Seems to be a caveat in the software version. You could try upgrading to a higher version to avoid this error permanently.
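
One way to triage log output like the excerpts in this thread, as an added example that is not from the original posts or from Cisco: it groups IKEv1 messages by peer so that a single failing tunnel stands out from the working ones. The regex, category names and function names are assumptions based only on the line shapes quoted above, and the sample lines are copied from the thread with the addresses masked as posted.

```python
import re
from collections import Counter, defaultdict

# Line shape quoted in the thread (an optional "Host# " prompt may precede it):
#   <timestamp> [IKEv1]: Group = <peer>, IP = <peer>, <message>
LINE_RE = re.compile(
    r"^(?:\S+# )?\w{3} \d{2} \d{2}:\d{2}:\d{2} \[IKEv1\]: "
    r"(?:Group = [^,]+, IP = (?P<ip>[^,]+), )?(?P<msg>.*)$"
)
STATE_RE = re.compile(r"timed out \[(?P<state>[A-Z0-9_]+)\]")

def classify(msg):
    """Map a message to a coarse category (names are this example's own)."""
    if "failed trying to create a session manager entry" in msg:
        return "session_manager_failure"
    m = STATE_RE.search(msg)
    if m:
        return "timeout:" + m.group("state")  # keep the IKE state for triage
    if "Removing peer from correlator table failed" in msg:
        return "correlator_cleanup_failure"
    if msg.startswith("SA lock refCnt"):
        return "sa_lock_dump"
    return "other"

def summarize(lines):
    """Return {peer: Counter(category -> count)}; non-IKEv1 lines are skipped."""
    per_peer = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_peer[m.group("ip") or "(no peer)"][classify(m.group("msg"))] += 1
    return per_peer

def failing_peers(summary):
    """Peers with at least one session-manager failure or negotiation timeout."""
    return sorted(
        peer for peer, counts in summary.items()
        if any(k == "session_manager_failure" or k.startswith("timeout:") for k in counts)
    )

# Sample input: lines taken from the posts above, addresses masked as in the thread.
SAMPLE = [
    "Jan 01 00:32:02 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, ERROR: IKE failed trying to create a session manager entry",
    "Jan 01 00:32:02 [IKEv1]: fsmDriver returned error",
    "Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, SA lock refCnt = 0, bitmask = 00000000, p1_decrypt_cb = 0",
    "Jan 01 00:32:03 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, Removing peer from correlator table failed, no match!",
    "Host# Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!",
    "Jan 01 02:06:13 [IKEv1]: Group = 203.101.X.X, IP = 203.101.X.X, IKE session establishment timed out [MM_WAIT_DELETE], aborting!",
]

if __name__ == "__main__":
    for peer, counts in summarize(SAMPLE).items():
        print(peer, dict(counts))
```

Run against a full log, peers that never appear in `failing_peers()` are the tunnels that negotiated cleanly, which matches the "only this one tunnel fails" observation in the thread.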
