05-07-2009 07:38 AM - edited 02-21-2020 03:26 AM
One of our ASAs went down for an unknown reason and needed to be rebooted. After coming back up, our site-to-site VPN no longer works. I've tried to refresh it with a no/crypto map to no avail. Here are the syslog errors being reported by the one that went down:
3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!
3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2e6acd8, mess id 0xc77a9d35)!
3|May 07 2009 09:30:35|713061: Group = A.B.C.D, IP = A.B.C.D, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy X.Y.Z.0/255.255.255.0/0/0 on interface outside
3|May 07 2009 09:30:35|713119: Group = A.B.C.D, IP = A.B.C.D, PHASE 1 COMPLETED
4|May 07 2009 09:30:35|713903: Group = A.B.C.D, IP = A.B.C.D, Freeing previously allocated memory for authorization-dn-attributes
The remote proxy 0.0.0.0 seems like the sore thumb, but I'm at a loss, and Google seems to be too.
Thanks in advance.
05-07-2009 10:51 AM
Here's a great VPN troubleshooting doc.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
It's failing on IPSec, so make sure your ACLs and your IPSec policies match.
Hope that helps.
05-07-2009 11:06 AM
Thanks for the reply.
Apparently the ACL got corrupted with the outage this morning. Rebuilding the crypto map on both ends solved the problem.
I'll keep that guide in my back pocket for next time though.
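The check suggested in the reply above, as an added example (not code from the thread or from Cisco): it parses 713061 rejections and compares the proposed proxy pair with the local crypto ACL. The addresses, the ACL pair and the function names are constructed for illustration, since the thread masks its real values.

```python
import ipaddress
import re

# ASA message 713061 as shown in this thread: each proxy is addr/mask/proto/port.
REJECT_RE = re.compile(
    r"713061: Group = (?P<peer>\S+), IP = \S+, Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy "
    r"(?P<r_addr>[\d.]+)/(?P<r_mask>[\d.]+)/\d+/\d+ local proxy "
    r"(?P<l_addr>[\d.]+)/(?P<l_mask>[\d.]+)/\d+/\d+ on interface (?P<ifc>\S+)"
)

# Constructed sample: documentation addresses stand in for the masked ones.
SAMPLE_LOG = [
    "3|May 07 2009 09:30:35|713061: Group = 203.0.113.10, IP = 203.0.113.10, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "0.0.0.0/0.0.0.0/0/0 local proxy 192.0.2.0/255.255.255.0/0/0 on interface outside",
    "3|May 07 2009 09:30:35|713119: Group = 203.0.113.10, IP = 203.0.113.10, "
    "PHASE 1 COMPLETED",
]
# Constructed crypto ACL on this ASA, as (local network, remote network) pairs.
SAMPLE_ACL = [("192.0.2.0/24", "198.51.100.0/24")]

def parse_rejections(lines):
    """Return (peer, local_net, remote_net, interface) for each 713061 line."""
    found = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            local = ipaddress.ip_network(f"{m['l_addr']}/{m['l_mask']}")
            remote = ipaddress.ip_network(f"{m['r_addr']}/{m['r_mask']}")
            found.append((m["peer"], local, remote, m["ifc"]))
    return found

def diagnose(local, remote, crypto_acl):
    """Compare one rejected proposal with the crypto ACL's (local, remote) pairs."""
    pairs = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in crypto_acl]
    if (local, remote) in pairs:
        return "match"
    # Same local side, different remote side: the two ends disagree about the
    # remote network, as with the 0.0.0.0/0.0.0.0 proposal in the thread.
    for acl_local, acl_remote in pairs:
        if acl_local == local:
            return f"remote mismatch: peer proposed {remote}, ACL expects {acl_remote}"
    return f"no ACL entry for local {local}"

if __name__ == "__main__":
    for peer, local, remote, ifc in parse_rejections(SAMPLE_LOG):
        print(peer, ifc, diagnose(local, remote, SAMPLE_ACL))
```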