Rejecting IPSec tunnel (ASA to ASA VPN)

ajobrien5
Level 1

One of our ASAs went down for an unknown reason and needed to be rebooted. After coming back up, our site-to-site VPN no longer works. I've tried to refresh it with a no/crypto map to no avail. Here are the syslog errors being reported by the one that went down:

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!

3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2e6acd8, mess id 0xc77a9d35)!

3|May 07 2009 09:30:35|713061: Group = A.B.C.D, IP = A.B.C.D, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy X.Y.Z.0/255.255.255.0/0/0 on interface outside

3|May 07 2009 09:30:35|713119: Group = A.B.C.D, IP = A.B.C.D, PHASE 1 COMPLETED

4|May 07 2009 09:30:35|713903: Group = A.B.C.D, IP = A.B.C.D, Freeing previously allocated memory for authorization-dn-attributes

The remote proxy 0.0.0.0 seems like the sore thumb, but I'm at a loss, and Google seems to be too.

Thanks in advance.


Collin Clark
VIP Alumni

Here's a great VPN troubleshooting doc.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

It's failing on IPSec, so make sure your ACLs and your IPSec policies match.

Hope that helps.

Thanks for the reply.

Apparently the ACL got corrupted with the outage this morning. Rebuilding the crypto map on both ends solved the problem.

I'll keep that guide in my back pocket for next time though.
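
Added example, not part of the original thread and not Cisco tooling: Python that parses a 713061 rejection like the one quoted in the question and compares its proxy pair with the crypto ACL entries, which is the check the first reply recommends. The addresses and the ACL name L2L are constructed, and treating the ACL source as the local proxy and the destination as the remote proxy with an exact-match comparison is a simplifying assumption.

```python
import ipaddress
import re

# Field layout follows the 713061 line quoted in the thread: net/mask/proto/port.
REJECT_RE = re.compile(
    r"713061: Group = (?P<group>\S+), IP = (?P<peer>\S+), Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy "
    r"(?P<rnet>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ local proxy "
    r"(?P<lnet>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+ on interface (?P<ifc>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)\s*$", re.M
)

def _net(token):
    """Turn 'any', 'host A.B.C.D' or 'network mask' into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token[5:])
    return ipaddress.ip_network(token.replace(" ", "/"))

def parse_rejection(line):
    """Extract peer, interface and both proxy networks from a 713061 line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return {
        "peer": m["peer"], "interface": m["ifc"],
        "remote": ipaddress.ip_network(f"{m['rnet']}/{m['rmask']}"),
        "local": ipaddress.ip_network(f"{m['lnet']}/{m['lmask']}"),
    }

def parse_crypto_acl(config_text):
    """Return (local, remote) network pairs from 'permit ip' ACL lines."""
    return [(_net(src), _net(dst)) for _, src, dst in ACL_RE.findall(config_text)]

def diagnose(line, config_text):
    """Say whether the rejected proposal matches an ACL entry, and if not, why."""
    rej = parse_rejection(line)
    if rej is None:
        return None
    entries = parse_crypto_acl(config_text)
    if (rej["local"], rej["remote"]) in entries:
        return ("match", [])
    # Local side is configured but the peer proposed a different remote network.
    expected = [dst for src, dst in entries if src == rej["local"]]
    return ("remote-mismatch", expected) if expected else ("no-entry", [])

# Constructed sample input (documentation addresses, hypothetical ACL name).
SAMPLE_LOG = "3|May 07 2009 09:30:35|713061: Group = 192.0.2.10, IP = 192.0.2.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface outside"
SAMPLE_ACL = "access-list L2L extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
```

A "remote-mismatch" result with the sample input reflects the situation in the question: the local proxy is configured, but the peer proposed 0.0.0.0/0 instead of the remote network the ACL expects, so the peer's ACL is the place to look.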
