
VPN Issue| /500 peer not found

alk1000
Level 1

Hi everyone,

I'm writing after I've troubleshooted and researched the web and Cisco website to hit a brick wall.

I'm trying to configure a simple VPN tunnel between a PIX 501 (6.2) -my side- and a VPN concentrator 3000.

The configuration on our side is straightforward, however it doesn't seem to work. I'm getting the below output from debug crypto isakmp:

VPN Peer: ISAKMP: Added new peer: ip:ReD-Prod-Peer Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:ReD-Prod-Peer Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP (0): beginning Main Mode exchange

ISAKMP (0): retransmitting phase 1...

ISADB: reaper checking SA 0x80a7cb20, conn_id = 0

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src IDC-Outside-Int, dst ReD-Prod-Peer

ISADB: reaper checking SA 0x80a7cb20, conn_id = 0 DELETE IT!

On the remote site:

crypto_isakmp_process_block:src: xxx.xxx.xxx.xxx (my vpn peer), dest:yyy.yyy.yyy.yyy (remote vpn peer) spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (0)...

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): deleting SA: xxx.xxx.xxx.xxx (my vpn peer), dest:yyy.yyy.yyy.yyy (remote vpn peer)

ISAKMP (0): retransmitting phase 1 (1)...

ISAKMP (0): retransmitting phase 1 (0)...

VPN Peer:ISAKMP: Peer Info for xxx.xxx.xxx.xxx (my vpn peer)/500 not found - peers:9

Does anyone have any idea about the above error line? The most I was able to find is on http://www.rick-thompson.com/misc/vpn-notes.html which says it has something to do with my NATing.

But I've configured another tunnel with IDENTICAL configuration except a different remote VPN peer and it works pretty well.

I'm really puzzled by this issue. I've wasted more than 20 hours trying to figure it out.

Regards,

Daniel

3 Replies

jmia
Level 7

Daniel

Check to see if the crypto ACLs configured on both devices are correct, and also the NAT0 / ISAKMP key statements. Take a look at the following document for troubleshooting:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

Hope this helps and please rate post if it does!

Jay

dbakula01
Level 1

Can you post the relevant part of your configs for both sites? Thanks.

Thanks for your reply guys,

I'm enclosing the config. Unfortunately I don't have access to the remote end, so I'm pasting what they've provided me.

Please note that my inside interface is 192.168.1.1/24 and MyServerIP is in the same subnet as MyVPNPeerIP.

access-list 111 permit ip host MyServerIP host TheirServerIP

static (inside,outside) MyServerIP 192.168.1.100 netmask 255.255.255.255 0 0

crypto ipsec transform-set MyMAPform esp-3des esp-md5-hmac

crypto map MAPam 21 ipsec-isakmp

crypto map MAPam 21 match address 111

crypto map MAPam 21 set peer TheirVPNPeerIP

crypto map MAPam 21 set transform-set MyMAPform

crypto map MAPam interface outside

isakmp key ******** address TheirVPNPeerIP netmask 255.255.255.255

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash md5

isakmp policy 9 group 2

isakmp policy 9 lifetime 86400

Remote end

access-list 330 permit ip host TheirServerIP host MyServerIP

crypto ipsec transform-set trip esp-3des esp-md5-hmac

crypto map ODMAP 240 ipsec-isakmp

crypto map ODMAP 240 match address 330

crypto map ODMAP 240 set peer MyVPNPeerIP

crypto map ODMAP 240 set transform-set trip trip587

isakmp key ******** address MyVPNPeerIP netmask 255.255.255.255

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

Keep in mind that my configuration works fine with another VPNPeer.
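
The cross-check suggested in the replies above (crypto ACLs, ISAKMP key statements and phase 1 policy on both ends), as an added example that is not part of the original thread or anyone's posted code. The `parse` and `check` helpers are hypothetical, the inputs are trimmed copies of the two posted configs with the thread's placeholder names, and comparing lifetimes for equality is a simplifying assumption.

```python
# Constructed input: trimmed copies of the two posted configs (thread placeholders, not real IPs).
LOCAL = """\
access-list 111 permit ip host MyServerIP host TheirServerIP
crypto map MAPam 21 match address 111
crypto map MAPam 21 set peer TheirVPNPeerIP
isakmp key ******** address TheirVPNPeerIP netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400"""
REMOTE = """\
access-list 330 permit ip host TheirServerIP host MyServerIP
crypto map ODMAP 240 match address 330
crypto map ODMAP 240 set peer MyVPNPeerIP
isakmp key ******** address MyVPNPeerIP netmask 255.255.255.255
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400"""

def parse(cfg):
    out = {"policies": {}, "acl": {}, "keys": set(), "address": set(), "peer": set()}
    for t in map(str.split, cfg.splitlines()):
        if t[:2] == ["isakmp", "policy"] and len(t) == 5:
            out["policies"].setdefault(t[2], {})[t[3]] = t[4]
        elif t[:2] == ["isakmp", "key"] and "address" in t[:-1]:
            out["keys"].add(t[t.index("address") + 1])
        elif t[:1] == ["access-list"] and len(t) == 8 and t[4] == t[6] == "host":
            out["acl"].setdefault(t[1], set()).add((t[5], t[7]))
        elif t[:2] == ["crypto", "map"] and len(t) == 7 and t[5] in ("address", "peer"):
            out[t[5]].add(t[6])  # ACL bound to the map, or the tunnel peer
    return out

def check(local, remote):
    a, b = parse(local), parse(remote)
    # Each crypto map peer needs a matching isakmp key statement.
    issues = [f"{side}: no isakmp key for peer {p}"
              for side, c in (("local", a), ("remote", b)) for p in sorted(c["peer"] - c["keys"])]
    # Phase 1: some policy pair must agree on every attribute (lifetime compared for equality).
    if not any(p == q for p in a["policies"].values() for q in b["policies"].values()):
        issues.append("no common ISAKMP policy")
    # Crypto ACLs bound to the maps must be mirror images of each other.
    mine = {e for n in a["address"] for e in a["acl"].get(n, ())}
    theirs = {(d, s) for n in b["address"] for s, d in b["acl"].get(n, ())}
    if mine != theirs:
        issues.append("crypto ACLs are not mirror images")
    return issues
```

`check(LOCAL, REMOTE)` returns an empty list for the statements as posted; the pre-shared key values are masked in the thread, so they cannot be compared here.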