I am trying to get a site-to-site VPN up and running:
All I am seeing is the following:
%ASA-5-750002: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:Unknown Received a IKE_INIT_SA request
%ASA-3-751002: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username: x.x.x.x No pre-shared key or trustpoint configured for self in tunnel group x.x.x.x
%ASA-4-750003: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username:x.x.x.x Negotiation aborted due to ERROR: Failed to locate an item in the database
Do you have the following configurations?
Or depending on software it might be:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
I'm facing the same issue.
Here the tunnel-group is configured but it's like the ASA doesn't recognize it.
Could you please share the logs that you are getting and the output of the following commands from both the ASAs involved in building the tunnel:
1. Show cry isa sa
2. show cry ipsec sa
3. show run tunnel-group
You can hide the IP address by using xx to keep it from unwanted people.
Once we have this information, I will be able to tell you where you are going wrong.
Hope you are doing fine.
First of all thank you very much for your answer.
The tunnel-group configuration related to this remote IP address is:
tunnel-group 104.41.xxx.xxx type ipsec-l2l
tunnel-group 104.41.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
This remote IP address doesn't even show up in debugs or "show crypto ikev1..." or "show crypto ipsec sa", etc.
I'm getting some messages in the ASDM logging:
Looks like the ASA is completely ignoring these tunnel-group sentences. I removed them to do a test and the symptom is exactly the same without them.
I am not sure if you are using IKEv1 or IKEv2. Also, the configuration that you have shared is from one side only. I need to see the complete configuration from both ends. Could you please share it here after hiding IP and group information?
We need it from both the sides to check if you are missing something on the ASA or not.
I'm using IKEv1.
The other side is a problem: it's a VPN with Microsoft using Azure, kind of an autoconfigurable VPN that at the end generates a document containing the key and the protocols to be used (see attached).
I configured the ASA using exactly these parameters, except for names, crypto map number, etc.
The strange thing is the ASA not even "seeing" the key we configured for the peer; it's like it's not even there.
Is it possible for you to post complete debugs?
Because you get this error message if there is no pre-shared key configured for the IP that you are coming from.
If you cannot paste the debugs, double check the connection is not going to the dynamic map or the default L2L tunnel-group.
If you can paste the debugs and some portion of the crypto map configuration, it would help us to diagnose the issue better.
I know this is an old post, but do we have any resolution or root cause for this? Can somebody help, please? I am also getting the same error when I am configuring an L2L VPN between Azure and ASA.
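Added example, not part of the original thread and not Cisco's code: a small Python check that cross-references the 751002 syslog line against `show run tunnel-group` output, to see whether the tunnel group named in the log exists and which pre-shared keys it carries. It assumes, per Cisco's syslog message numbering, that 750xxx/751xxx IDs are IKEv2 messages, so "configured for self" is read as the `ikev2 local-authentication` setting; the addresses and config below are constructed sample input.

```python
import re

# Constructed sample input: documentation addresses replace the masked ones in the thread.
SYSLOG = """\
%ASA-5-750002: Local:198.51.100.10:500 Remote:203.0.113.20:500 Username:Unknown Received a IKE_INIT_SA request
%ASA-3-751002: Local:198.51.100.10:4500 Remote:203.0.113.20:4500 Username:203.0.113.20 No pre-shared key or trustpoint configured for self in tunnel group 203.0.113.20
"""
RUNNING_CONFIG = """\
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
"""

LOG_RE = re.compile(r"%ASA-\d-(\d{6}): Local:\S+ Remote:(\S+):\d+ Username:\s*\S+ (.*)")
GROUP_RE = re.compile(r"in tunnel group (\S+)")

def parse_tunnel_groups(config):
    """Map tunnel-group name -> list of its ipsec-attributes subcommands."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) (\S+)", line)
        if m:
            groups.setdefault(m.group(1), [])
            # Only indented lines under ipsec-attributes are collected.
            current = m.group(1) if m.group(2) == "ipsec-attributes" else None
        elif current and line.startswith(" "):
            groups[current].append(line.strip())
    return groups

def diagnose(syslog, config):
    """Return (peer, tunnel_group, verdict) for every 751002 message."""
    groups, findings = parse_tunnel_groups(config), []
    for line in syslog.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(1) != "751002":  # assumption: 751xxx IDs are IKEv2 messages
            continue
        g = GROUP_RE.search(m.group(3))
        name = g.group(1) if g else None
        cmds = groups.get(name)
        if cmds is None:
            verdict = "no tunnel-group with this name"
        elif any(c.startswith("ikev2 local-authentication") for c in cmds):
            verdict = "ikev2 local-authentication present"
        elif any(c.startswith("ikev1 pre-shared-key") for c in cmds):
            verdict = "only an ikev1 key is set"
        else:
            verdict = "no pre-shared key of either version"
        findings.append((m.group(2), name, verdict))
    return findings
```

Calling `diagnose(SYSLOG, RUNNING_CONFIG)` on the sample returns the "only an ikev1 key is set" verdict for peer 203.0.113.20.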