02-14-2007 01:10 AM - edited 02-21-2020 02:52 PM
Hi Gents,
I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).
It worked fine. But yesterday I had to recreate the same VPN configurations on another ASA firewall (asa721-24-k8.bin). All configuration has just been copied to the new firewall.
But it doesn't work.
Debug result on ASA.
%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry
Has anybody ever faced this kind of problem?
Thanks
02-14-2007 08:35 AM
02-14-2007 08:39 AM
Hi Leo,
Did you reconfigure the pre-shared-key on the new box?
If you did not do it then you need to do it.
Regards,
Kamal
02-14-2007 09:11 AM
I did. I even tried to recreate crypto map.
I have the same error with another VPN tunnel, which also worked before.
:(
02-14-2007 09:44 AM
Hi..
You need to get the "debug cry isa 255" and "debug cry ipsec 255" to get the complete logs.
-Kanishka
02-14-2007 10:09 AM
02-14-2007 12:42 PM
Hi Leo,
Please check:
Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0)
Please notice: EV_PROB_AUTH_FAIL--
This indicates that the pre-shared key did not match or something is misconfigured.
Please send the configuration of both the ends and I'll respond back.
Regards,
Kamal
02-15-2007 12:48 AM
02-15-2007 02:17 AM
Hi
On your host, did you assign a secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card, it has been solved.
Also, can you send your PIX and ASA configuration?
Thanks.
02-15-2007 04:46 AM
02-16-2007 06:19 AM
Hi,
Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, as you have defined as a peer on the ASA.
Also, the proxy idents are not the same as on the ASA.
Could you please double check?
HTH,
-Kanishka
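The comparison made in the reply above (the address the remote device reports as its own versus the peer address the ASA logs for the tunnel group), as an added example that is not part of the original thread. The sample input is constructed from the debug lines quoted in this thread, and the function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample input, modelled on the debug lines quoted in this thread.
ASA_LOG = """\
Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0)
%ASA-3-713902: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = 10.10.10.1, IP = 10.10.10.1 Error: Unable to remove PeerTblEntry
"""
REMOTE_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
"""

# "Group = <name>, IP = <peer>" as it appears in the ASA messages above.
ASA_PEER = re.compile(r"Group = (\S+?), IP = (\d+\.\d+\.\d+\.\d+)")
# "(identity) local= <addr>, remote= <addr>," as in the remote-site debug above.
REMOTE_ID = re.compile(r"\(identity\) local= (\S+?), remote= (\S+?),")

def asa_peers(log):
    """Peer addresses the ASA logs for its tunnel groups."""
    return {ip_address(m.group(2)) for m in ASA_PEER.finditer(log)}

def remote_identities(debug):
    """(local, remote) address pairs the remote device reports."""
    return [(ip_address(a), ip_address(b)) for a, b in REMOTE_ID.findall(debug)]

def peer_mismatches(asa_log, remote_debug):
    """Findings where the remote's own address is not a peer the ASA knows."""
    peers = asa_peers(asa_log)
    findings = []
    for local, _remote in remote_identities(remote_debug):
        if local not in peers:
            findings.append(
                f"remote identifies itself as {local}, "
                f"ASA peers are {sorted(map(str, peers))}")
    return findings

if __name__ == "__main__":
    for finding in peer_mismatches(ASA_LOG, REMOTE_DEBUG):
        print("MISMATCH:", finding)
```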
02-17-2007 07:04 AM
Hello!,
Problem was solved yesterday.
The problem was with the peer IP, not with the proxy IP (I just changed the real addresses).
I had given the wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.
Thanks to all!
Especially to Cisco TAC
08-24-2007 10:43 AM
Any solution to this problem?
08-30-2007 12:18 AM
Already solved after recreating the VPN.
Thanks
Leo