Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Rejecting IPSec tunnel (ASA to ASA VPN)

One of our ASA's went down for an unknown reason and needed to be rebooted. After coming back up, our site to site VPN no longer works. I've tried to refresh it with a no/crypto map to no avail. Here's the syslog errors being reported by the one that went down:

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2e6acd8, mess id 0xc77a9d35)!

3|May 07 2009 09:30:35|713061: Group = A.B.C.D, IP = A.B.C.D, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy X.Y.Z.0/255.255.255.0/0/0 on interface outside

3|May 07 2009 09:30:35|713119: Group = A.B.C.D, IP = A.B.C.D, PHASE 1 COMPLETED

4|May 07 2009 09:30:35|713903: Group = A.B.C.D, IP = A.B.C.D, Freeing previously allocated memory for authorization-dn-attributes

The remote proxy 0.0.0.0 seems like the sore thumb, but I'm at a loss, and Google seems to be too.

Thanks in advance.

2 REPLIES

Re: Rejecting IPSec tunnel (ASA to ASA VPN)

Here's a great VPN troubleshooting doc.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

It's failing on IPSec, so make sure your ACL's and your IPSec policies match.

Hope that helps.

New Member

Re: Rejecting IPSec tunnel (ASA to ASA VPN)

Thanks for the reply.

Apparently the ACL got corrupted with the outage this morning. Rebuilding the crypto map on both ends solved the problem.

I'll keep that guide in my back pocket for next time though.

7972
Views
0
Helpful
2
Replies
CreatePlease login to create content