
Site to Site VPN

angel.batista
Level 1

I have a site to site VPN between a Cisco Pix Firewall 515 and Checkpoint.

Recently I upgraded the software of the Pix from 6.3 to 7.0 and the VPN is not working now. The following messages are displayed by the pix firewall:

Feb 22 17:24:36 [IKEv1]: Group = 180.1.34.5, IP = 180.1.34.5, QM FSM error (P2 struct &0x1e81270, mess id 0x461e9370)!

Feb 22 17:24:36 [IKEv1]: Group = 180.1.34.5, IP = 180.1.34.5, Removing peer from correlator table failed, no match!


8 Replies

mpalardy
Level 3

Someone had recently posted the same problem here.

I think the command "isakmp enable outside" was not transferred in the upgrade procedure.

Michel,

the command "isakmp enable outside" is in the configuration.

Hi Angel,

You may try these on the pix and see what happens.

clear isakmp sa

clear ipsec sa

Otherwise:

What are the syslogs errors from the pix?

Check if other end supports keep alive (defaults on ver 7.0 are threshold: 10 secs and retry: 2 secs)

Check if isakmp policies match between both ends.

Do the new access-lists match those you had in the previous version?

Is this command also on the config?

isakmp ipsec-over-tcp port 10000

Michel

Thanks for your help, clearing the isakmp sa worked.

I too had the same problem, but it seems clearing sa's is a temporary solution. I get the VPN connection problems most frequently.

please give me a one time solution for this.

Hello,

This usually happens when the peer is a third party device or when the devices have different IPSEC/isakmp lifetime values.

Suppose device 1 has isa/ipsec lifetime as 1000/1000 seconds and device 2 has 900/900 seconds. Device 2 will expect a tunnel nego packet after 900 seconds which device 1 will reject because for it the tunnel already exists. Or, if somehow the tunnel got broken and the state of the tunnel is uneven on both sides.

Although every vendor says that they follow the RFC to the line, it does not happen. The RFC clearly indicates that the lesser value of the lifetime should be accepted and the lifetime value should be a part of the proposal. But, the RFC is nothing but guidelines.

Try configuring the lifetime values manually if creating a tunnel with unlike/different vendor devices.

Vikas
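The checklist in Michel's reply (isakmp enabled on the outside interface, isakmp policies matching on both ends) and the lifetime mismatch Vikas describes can be checked mechanically before touching the box. The following is an added example, not code from this thread or from Cisco: it parses a constructed PIX 7.0-style configuration excerpt and compares it with the peer's phase 1/phase 2 settings as an operator would read them off the Checkpoint side. The config text, the peer values, the `PIX_CONFIG`/`PEER_SETTINGS` names and the `check_tunnel` helper are all assumptions made for the example.

```python
"""Added example (not from the thread): lint a PIX 7.x IKE/IPsec configuration
against a peer's announced parameters. Flags three things the replies above
ask about: isakmp not enabled on the outside interface, no isakmp policy
matching the peer's phase 1 proposal, and unequal IKE/IPsec lifetimes.
All configuration text and peer values below are constructed sample data."""
import re

# Constructed PIX 7.0-style configuration excerpt (hypothetical values).
PIX_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set CHKPT esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set CHKPT
"""

# Constructed peer (Checkpoint-side) settings as an operator would note them down.
PEER_SETTINGS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": "2",
    "ike_lifetime": 86400,
    "ipsec_lifetime": 3600,   # deliberately different from the PIX's 28800
}


def parse_pix(config: str) -> dict:
    """Extract isakmp-enabled interfaces, isakmp policies and the IPsec SA lifetime."""
    result = {"isakmp_enabled": [], "policies": {}, "ipsec_lifetime": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"isakmp enable (\S+)$", line)
        if m:
            result["isakmp_enabled"].append(m.group(1))
            continue
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            prio, attr, val = m.groups()
            result["policies"].setdefault(int(prio), {})[attr] = val
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            result["ipsec_lifetime"] = int(m.group(1))
    return result


def check_tunnel(config: str, peer: dict, outside_if: str = "outside") -> list:
    """Return human-readable findings; an empty list means the checklist passes."""
    cfg = parse_pix(config)
    findings = []
    if outside_if not in cfg["isakmp_enabled"]:
        findings.append(f"isakmp not enabled on {outside_if}")

    # Phase 1: does any isakmp policy match the peer attribute-for-attribute?
    p1_attrs = ("authentication", "encryption", "hash", "group")
    matching = [prio for prio, pol in cfg["policies"].items()
                if all(pol.get(a) == peer[a] for a in p1_attrs)]
    if not matching:
        findings.append("no isakmp policy matches the peer's phase 1 proposal")
    for prio in matching:
        lifetime = int(cfg["policies"][prio].get("lifetime", 86400))  # PIX default
        if lifetime != peer["ike_lifetime"]:
            findings.append(f"isakmp policy {prio} lifetime {lifetime} != peer {peer['ike_lifetime']}")

    # Phase 2: as the thread notes, vendors handle unequal lifetimes differently,
    # so the safe rule is to flag any inequality and set both sides the same.
    if cfg["ipsec_lifetime"] != peer["ipsec_lifetime"]:
        findings.append(f"ipsec lifetime {cfg['ipsec_lifetime']} != peer {peer['ipsec_lifetime']}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(PIX_CONFIG, PEER_SETTINGS):
        print("MISMATCH:", finding)
```

Run against the constructed data it reports only the IPsec lifetime mismatch; the point is that the comparison is done against the peer's real values rather than against the PIX defaults, which is where upgrades and mixed-vendor tunnels usually drift apart.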

I'm getting the same Phase I error:

Jun 09 11:02:00 [IKEv1]: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!

Doing a 'clear isakmp sa' command isn't doable, since that would break multiple existing tunnels on my production network; any background on the cause for this error?

Isakmp policy and transform sets seem to match fine, but no Phase I.

Marc

Hi Marc,

For version 7.x you may collect tunnel info w/

show vpn-sessiondb detail remote

The command to clear one tunnel at a time is:

clear ipsec sa peer

This will not affect or break all the other tunnels running simultaneously on your pix.

I'm not aware of any command doing this in previous ver. (except clear isakmp sa/clear ipsec sa that you have mentioned earlier).

HTH

Mike
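Marc's concern is that a global `clear isakmp sa` takes down every tunnel, and Mike's answer is to clear one peer at a time. The following added example (not code from this thread or from Cisco) triages PIX/ASA 7.x IKEv1 syslog lines of the two kinds quoted in this thread, counts them per peer IP, and suggests the per-peer clear command for peers above a threshold. The log lines, addresses (RFC 5737 documentation range), the `SAMPLE_LOG` name and the `triage` helper are assumptions made for the example.

```python
"""Added example (not from the thread): find which peers are producing the
'QM FSM error' and 'Removing peer from correlator table failed' messages so an
operator can act on one peer with 'clear ipsec sa peer <ip>' instead of
clearing every SA on a production firewall. Sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed syslog sample using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Feb 22 17:24:36 [IKEv1]: Group = 192.0.2.10, IP = 192.0.2.10, QM FSM error (P2 struct &0x1e81270, mess id 0x461e9370)!
Feb 22 17:24:36 [IKEv1]: Group = 192.0.2.10, IP = 192.0.2.10, Removing peer from correlator table failed, no match!
Feb 22 17:25:01 [IKEv1]: Group = 192.0.2.20, IP = 192.0.2.20, PHASE 1 COMPLETED
Feb 22 17:31:12 [IKEv1]: Group = 192.0.2.10, IP = 192.0.2.10, QM FSM error (P2 struct &0x1e81270, mess id 0x0a1b2c3d)!
Feb 22 17:31:12 [IKEv1]: Group = 192.0.2.10, IP = 192.0.2.10, Removing peer from correlator table failed, no match!
Feb 22 17:40:00 [IKEv1]: Group = 192.0.2.30, IP = 192.0.2.30, Removing peer from correlator table failed, no match!
"""

# Shape of the IKEv1 lines quoted in the thread: timestamp, Group, IP, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# The two messages from the thread. QM = Quick Mode, the phase 2 exchange.
SIGNATURES = {
    "qm_fsm_error": re.compile(r"^QM FSM error"),
    "correlator_no_match": re.compile(r"^Removing peer from correlator table failed"),
}


def parse_line(line: str):
    """Return the parsed fields of one IKEv1 syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str, min_events: int = 2) -> list:
    """Count signature messages per peer IP.
    Returns [(ip, {signature: count}, suggested_command), ...] for peers with at
    least min_events matching lines, sorted by IP; other peers are left alone."""
    per_peer = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["msg"]):
                per_peer[rec["ip"]][name] += 1
    report = []
    for ip, counts in sorted(per_peer.items()):
        if sum(counts.values()) >= min_events:
            # Per-peer clear, as suggested in the thread, rather than a global clear.
            report.append((ip, dict(counts), f"clear ipsec sa peer {ip}"))
    return report


if __name__ == "__main__":
    for ip, counts, command in triage(SAMPLE_LOG):
        print(f"{ip}: {counts} -> {command}")
```

The threshold keeps a single stray message (one missed rekey) from triggering action; repeated pairs of the two messages for the same peer are the pattern that, per the earlier replies, usually points at a lifetime or policy mismatch with that specific peer.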