Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configure CPN Between Asa-Astaro

Hi All

I have a ASA 5510, I have configure 2 VPN, router 850-ASA is OK, but I can't establish the other VPN ASA-Astaro, the error is:

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

My configuration for VPN is:

ACL:

access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

VPN:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Internet_map 20 match address Internet_cryptomap_20_1

crypto map Internet_map 20 set peer 186.1.10.74

crypto map Internet_map 20 set transform-set ESP-3DES-MD5

crypto map Internet_map 20 set security-association lifetime seconds 86400

crypto map Internet_map 20 set security-association lifetime kilobytes 4608000

crypto map Internet_map 20 set nat-t-disable

crypto map Internet_map 40 match address Internet_cryptomap_40

crypto map Internet_map 40 set peer 165.98.233.180

crypto map Internet_map 40 set transform-set ESP-3DES-MD5

crypto map Internet_map 40 set security-association lifetime seconds 86400

crypto map Internet_map 40 set security-association lifetime kilobytes 4608000

crypto map Internet_map 60 match address Internet_cryptomap_60

crypto map Internet_map 60 set peer 200.50.2.114

crypto map Internet_map 60 set transform-set ESP-3DES-MD5

crypto map Internet_map 60 set security-association lifetime seconds 28800

crypto map Internet_map 60 set security-association lifetime kilobytes 4608000

crypto map Internet_map interface Internet

isakmp identity address

isakmp enable Internet

isakmp enable management

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group 186.1.10.74 type ipsec-l2l

tunnel-group 186.1.10.74 ipsec-attributes

pre-shared-key *

tunnel-group 165.98.233.180 type ipsec-l2l

tunnel-group 165.98.233.180 ipsec-attributes

pre-shared-key *

tunnel-group 200.50.2.114 type ipsec-l2l

tunnel-group 200.50.2.114 ipsec-attributes

pre-shared-key *

Thanks in Advanced

Regards

1 REPLY
Silver

Re: Configure CPN Between Asa-Astaro

1049
Views
0
Helpful
1
Replies