I had several L2L VPN tunnels configured on an ASA firewall (asa712-k8.bin).
It worked fine. But yesterday I had to recreate the same VPN configurations on another ASA firewall (asa721-24-k8.bin). All configuration has just been copied to the new firewall.
But it doesn't work.
Debug result on ASA.
%ASA-3-713902: Group = X.X.X.X, IP = X.X.X.X, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = X.X.X.X, IP = X.X.X.X Error: Unable to remove PeerTblEntry
Has anybody ever faced this kind of problem?
Please check:
Feb 14 22:02:22 [IKEv1 DEBUG]: Group = 10.10.10.1, IP = 10.10.10.1, IKE MM Initiator FSM error history (struct &0x4925cb0)
Please notice: EV_PROB_AUTH_FAIL--
This indicates that the pre-shared key did not match or something is misconfigured.
Please send the configuration of both the ends and I'll respond back.
On your host, do you assign a secondary IP address to your computer? I had this problem like you; since I removed the secondary IP address from the network card, it has been solved.
Also, can you send your PIX and ASA configurations?
Are you sure the debugs from the remote site are for this tunnel? Here's what I see in the remote site debugs:
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 220.127.116.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
It says the IP address of this device is 10.10.30.1 and not 10.10.10.1, as you have defined as a peer on ASA.
Also, the proxy idents are not the same as on the ASA.
Could you please double check?
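The comparison made in the reply above (the remote device's own identity against the peer the ASA reports), as an added example that is not part of the original thread. The sample text is constructed from the lines quoted here, and the function names are hypothetical.

```python
import re

# Sample input constructed from the log and debug lines quoted in this thread.
ASA_LOG = """\
%ASA-3-713902: Group = 10.10.10.1, IP = 10.10.10.1, Removing peer from peer table failed, no match!
%ASA-4-713903: Group = 10.10.10.1, IP = 10.10.10.1 Error: Unable to remove PeerTblEntry
"""
REMOTE_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (1)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.30.1, remote= 10.10.40.1,
local_proxy= 220.127.116.11/255.255.255.255/0/0 (type=1),
remote_proxy= 10.20.101.0/255.255.255.0/0/0 (type=4)
"""

# Peer address as the ASA logs it in the 7139xx messages shown above.
ASA_PEER = re.compile(r"%ASA-\d-7139\d\d: Group = [^,]+, IP = ([\d.]+)")
# One identity block from the remote-site debug (spans three lines).
IDENTITY = re.compile(
    r"\(identity\)\s+local=\s*([\d.]+),\s*remote=\s*([\d.]+),\s*"
    r"local_proxy=\s*([\d./]+)\s*\(type=\d+\),\s*"
    r"remote_proxy=\s*([\d./]+)\s*\(type=\d+\)")


def asa_peers(log):
    """Set of peer addresses the ASA reported."""
    return set(ASA_PEER.findall(log))


def remote_identities(debug):
    """Identity blocks from the remote debug, one dict per block."""
    keys = ("local", "remote", "local_proxy", "remote_proxy")
    return [dict(zip(keys, m.groups())) for m in IDENTITY.finditer(debug)]


def peer_mismatches(asa_log, remote_debug):
    """Identity blocks whose local address is not a peer the ASA is using."""
    peers = asa_peers(asa_log)
    return [i for i in remote_identities(remote_debug) if i["local"] not in peers]


if __name__ == "__main__":
    for ident in peer_mismatches(ASA_LOG, REMOTE_DEBUG):
        print("remote device identifies as", ident["local"],
              "but ASA peers are", sorted(asa_peers(ASA_LOG)))
        print("  proxies to compare with the ASA crypto ACL:",
              ident["local_proxy"], "->", ident["remote_proxy"])
```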
Problem was solved yesterday.
Problem was with Peer IP. Not with proxy IP (I just changed the real addresses).
I had given the wrong IP to all corporate clients. That is why I saw the same problem on all L2L connections.
Thanks to all!
Especially to Cisco TAC