2883 Views, 0 Helpful, 13 Replies

VPN Error!

Leo_Stobbe
Level 1

Hi Gents,

I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).

It worked fine. But yesterday I had to recreate the same VPN configuration on another ASA firewall (asa721-24-k8.bin). All configuration was just copied to the new firewall.

But it doesn't work.

Debug result on the ASA:

%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!

%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry

Has anybody ever faced this kind of problem?

Thanks

13 Replies

Leo_Stobbe
Level 1

There is also a debug log.

Hope for help.

Leo

Hi Leo,

Did you reconfigure the pre-shared-key on the new box?

If you did not do it then you need to do it.

Regards,

Kamal

I did. I even tried to recreate the crypto map.

I have the same error with another VPN tunnel, which also worked before.

:(

Hi,

You need to get the "debug cry isa 255" and "debug cry ipsec 255" output to get the complete logs.

-Kanishka

Thanks for your quick answers.

Here it is.

Maybe this is a bug in ASA 7.2(1)???

Regards

Leo

Hi Leo,

Please check:

Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT

Please notice: EV_PROB_AUTH_FAIL

This indicates that the pre-shared key did not match or something is misconfigured.

Please send the configuration of both the ends and I'll respond back.

Regards,

Kamal

I retyped the pre-shared key.

There is a debug log from the remote side Cisco PIX.

My debug log I had already sent you.

thanks

Leo

Hi,

On your host, do you assign another secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card it has been solved.

Also, can you send your PIX and ASA configuration?

Thanks.

No, I didn't assign any secondary IP address to the host.

I just recreated the working config on another ASA5520.

Today I tried with IOS ASA 7.1(2), even cleared all configuration and reconfigured again...

Nothing changed.

Hi,

Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:

ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.30.1, remote= 10.10.40.1,

local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),

remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)

It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, which you have defined as the peer on the ASA.

Also, the proxy identities are not the same as on the ASA.

Could you please double check?

HTH,

-Kanishka
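The two checks suggested in this thread (Kamal's point that EV_PROB_AUTH_FAIL in the IKE FSM error history means the pre-shared key or peer is wrong, and Kanishka's point that the remote device's `(identity) local=` and proxy identities must match what the ASA expects) can be automated over the debug output. The following Python script is an added example and is not code from the thread or from Cisco; the debug lines are constructed to resemble the ones quoted above, and the ASA-side values (`ASA_CONFIGURED_PEER`, the two proxy networks) are hypothetical inputs an operator would read from their own crypto map.

```python
import re
from typing import Dict, List

# Constructed sample debug output modelled on the lines quoted in this thread.
# These are not real captures; the addresses are placeholders.
ASA_DEBUG = (
    "Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, "
    "IKE MM Initiator FSM error history (struct &0x4925cb0) , : MM_DONE, "
    "EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, "
    "EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5\n"
    "%ASA-3-713902: Group = 10.10.10.1, IP = 10.10.10.1, "
    "Removing peer from peer table failed, no match!\n"
)

PIX_DEBUG = (
    "ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): "
    "request timer fired: count = 1,\n"
    "  (identity) local= 10.10.30.1, remote= 10.10.40.1,\n"
    "  local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),\n"
    "  remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)\n"
)

# Hypothetical ASA-side values the operator reads from their own crypto map.
ASA_CONFIGURED_PEER = "10.10.10.1"
ASA_LOCAL_PROXY = "10.20.101.0/255.255.255.0"
ASA_REMOTE_PROXY = "20.20.20.1/255.255.255.255"

FSM_RE = re.compile(
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), .*FSM error history[^:]*:(?P<hist>.*)$"
)
EVENT_RE = re.compile(r"\bEV_[A-Z_]+\b")
IDENT_RE = re.compile(r"\(identity\) local= (?P<local>\S+), remote= (?P<remote>\S+),")
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy= (?P<net>[^/\s]+)/(?P<mask>[^/\s]+)/\d+/\d+"
)


def fsm_histories(asa_debug: str) -> Dict[str, List[str]]:
    """Map each peer IP to the ordered IKE events in its FSM error history."""
    histories: Dict[str, List[str]] = {}
    for line in asa_debug.splitlines():
        m = FSM_RE.search(line)
        if m:
            histories[m.group("ip")] = EVENT_RE.findall(m.group("hist"))
    return histories


def auth_failures(asa_debug: str) -> List[str]:
    """Peers whose main-mode history contains EV_PROB_AUTH_FAIL (PSK or peer problem)."""
    return [ip for ip, ev in fsm_histories(asa_debug).items() if "EV_PROB_AUTH_FAIL" in ev]


def remote_identities(pix_debug: str) -> Dict[str, str]:
    """Extract local/remote peer addresses and proxy identities from PIX/IOS debug."""
    ident: Dict[str, str] = {}
    for line in pix_debug.splitlines():
        m = IDENT_RE.search(line)
        if m:
            ident["local"] = m.group("local")
            ident["remote"] = m.group("remote")
        for p in PROXY_RE.finditer(line):
            ident[p.group("side") + "_proxy"] = f"{p.group('net')}/{p.group('mask')}"
    return ident


def cross_check(pix_debug: str, configured_peer: str,
                asa_local_proxy: str, asa_remote_proxy: str) -> List[str]:
    """Compare what the remote side reports with what the ASA is configured for."""
    ident = remote_identities(pix_debug)
    findings: List[str] = []
    if ident.get("local") != configured_peer:
        findings.append(
            f"peer mismatch: ASA is configured for {configured_peer} "
            f"but the remote device identifies as {ident.get('local')}"
        )
    # Proxy identities are mirrored: the ASA's local network is the remote's remote_proxy.
    if ident.get("remote_proxy") != asa_local_proxy:
        findings.append(f"local proxy mismatch: ASA {asa_local_proxy} vs remote {ident.get('remote_proxy')}")
    if ident.get("local_proxy") != asa_remote_proxy:
        findings.append(f"remote proxy mismatch: ASA {asa_remote_proxy} vs remote {ident.get('local_proxy')}")
    return findings


if __name__ == "__main__":
    print("Peers with EV_PROB_AUTH_FAIL:", auth_failures(ASA_DEBUG))
    for f in cross_check(PIX_DEBUG, ASA_CONFIGURED_PEER, ASA_LOCAL_PROXY, ASA_REMOTE_PROXY):
        print("Finding:", f)
```

With the constructed input the script reports the peer mismatch (remote identifies as 10.10.30.1, ASA expects 10.10.10.1) and no proxy mismatch, which matches the outcome of this thread: the FSM history alone cannot distinguish a wrong pre-shared key from a wrong peer address, so the remote side's identity line is the quickest way to tell them apart.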

Hello!

The problem was solved yesterday.

The problem was with the peer IP, not with the proxy IP (I just changed the real addresses).

I had given the wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.

Thanks to all!

Especially to Cisco TAC

saleem
Level 1

Any solution to this problem?

Already solved after recreating the VPN.

thanks

Leo
