Cisco Support Community

New Member

Site To Site VPN

Hello - I have a PIX 515 (v 7.2) and an ASA 5520. I have a VPN tunnel built between the 2 but I cannot get them to connect. All I get are these messages:

Jun 06 08:43:13 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Jun 06 08:43:46 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!

I can ping x.x.x.x from within the 515.

The ASA is replacing a PIX 501. The tunnel between the 515 and the 501 works fine, just not with the ASA. I can post configs if needed. Any help would be great.

9 REPLIES

Re: Site To Site VPN

Hi Andy

Please attach sanitized configs of both devices (515 and the config on ASA, not 501)

Most probably the tunnel-group statement is lost on the ASA, since it needs to have the tunnel-group name the same as the remote peer IP, unlike old IOSes.

Regards

New Member

Re: Site To Site VPN

Here are the configs - I think you may be right about the names. My predecessor used the IP of the opposite device as the tunnel name so each was different. Let me know if there is anything else I may be missing here, and thank you!

New Member

Re: Site To Site VPN

Hi

I want to ensure that you have the config below; if not, could you do it accordingly?

Pix 515

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

where x.x.x.x is the IP of ASA peer

ASA

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y ipsec-attributes

where y.y.y.y is the IP of PIX peer

New Member

Re: Site To Site VPN

Yes that is correct - X is the IP of the ASA and Y is the IP of the PIX

New Member

Re: Site To Site VPN

I didn't see on the ASA the command

crypto map peer1 interface outside

New Member

Re: Site To Site VPN

DOH! That was it. Why is it always the easy stuff?

Thanks!

New Member

Re: Site To Site VPN

:-)

Yeah, in most cases you just need a double-check; it's hard to be focused all the time.

New Member

Re: Site To Site VPN

I didn't see on the ASA the command

crypto map peer1 interface outside

New Member

Re: Site To Site VPN

hi,

Yes, please post the config of the two devices.

regards
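
The two checks raised in this thread (an ipsec-l2l tunnel-group named after the peer IP, and the crypto map applied to an interface) can be run against a saved config before cutover. This is an added example, not code from any poster or from Cisco; the function name `lint_l2l`, the sample config and its documentation-range address are constructed, and it assumes static peers set with `crypto map ... set peer`.

```python
import re

# Constructed sample: an ASA-style L2L config with the two mistakes discussed
# in this thread (map never bound to an interface, tunnel-group not named
# after the peer IP). The address is a documentation range, not from the thread.
SAMPLE_BROKEN = """\
crypto map peer1 10 match address vpn_acl
crypto map peer1 10 set peer 192.0.2.10
crypto map peer1 10 set transform-set myset
tunnel-group old-pix-name type ipsec-l2l
tunnel-group old-pix-name ipsec-attributes
 pre-shared-key *
"""

# Same config with the tunnel-group renamed to the peer IP and the map applied.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("old-pix-name", "192.0.2.10") + \
    "crypto map peer1 interface outside\n"


def lint_l2l(config: str) -> list[str]:
    """Return findings for static-peer L2L tunnels in an ASA/PIX 7.x config."""
    peers = {}          # crypto map name -> set of peer IPs
    bound = set()       # crypto map names applied to an interface
    l2l_groups = set()  # tunnel-group names of type ipsec-l2l
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ set peer (.+)$", line):
            peers.setdefault(m.group(1), set()).update(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l_groups.add(m.group(1))
    findings = []
    for name, ips in sorted(peers.items()):
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface")
        for ip in sorted(ips):
            if ip not in l2l_groups:
                findings.append(f"no ipsec-l2l tunnel-group named {ip}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, lint_l2l(cfg) or "OK")
```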
