New Member

ASA IPSec Site to Site VPN error

I am trying to get a site to site vpn up and running:

All I am seeing is the following:

%ASA-5-750002: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:Unknown Received a IKE_INIT_SA request

%ASA-3-751002: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username: x.x.x.x No pre-shared key or trustpoint configured for self in tunnel group x.x.x.x

%ASA-4-750003: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username:x.x.x.x Negotiation aborted due to ERROR: Failed to locate an item in the database

11 REPLIES
Super Bronze

Hi,

Do you have the following configurations?

tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> ipsec-attributes
 ikev1 pre-shared-key <key>

Or depending on software it might be

tunnel-group <peer IP> type ipsec-l2l
tunnel-group <peer IP> ipsec-attributes
 pre-shared-key <key>

- Jouni

New Member

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy1
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable

Super Bronze

Hi,

Does the IP address in the log messages match exactly the one in the "tunnel-group" configurations?

- Jouni

New Member

yes

New Member

Hello Guys,

I'm facing the same issue.

Here the tunnel-group is configured but it's like the ASA doesn't recognize it.

Any help?

Regards.

Cisco Employee

Hi Allen,

Could you please share the logs that you are getting and the output of the following commands from both the ASAs involved in building the tunnel:

1. Show cry isa sa

2. show cry ipsec sa

3. show run tunnel-group

You can hide the IP address by using xx to keep it from unwanted people.

Once we have this information, I will be able to tell you where you are going wrong.

Thanks,

Vishnu 

New Member

Hello Vishnu,

Hope you are doing fine.

First of all, thank you very much for your answer.

The tunnel-group configuration related to this remote ip address is:

tunnel-group 104.41.xxx.xxx type ipsec-l2l
tunnel-group 104.41.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****


This remote IP address doesn't even show up in debugs or "show crypto ikev1..." or "show crypto ipsec sa", etc.

I'm getting some messages in the ASDM logging:

%ASA-5-750002
%ASA-3-751002
%ASA-4-750003


Looks like the ASA is completely ignoring these tunnel-group sentences. I removed them to do a test and the symptom is exactly the same without them.

Cisco Employee

Hi Allan,

I am not sure if you are using IKEv1 or IKEv2. Also, the configuration that you have shared is from one side only. I need to see the complete configuration from both ends. Could you please share it here after hiding IP and group information?

We need it from both sides to check if you are missing something on the ASA or not.

Thanks,

Vishnu 

New Member

Hey Vishnu,

I'm using ikev1.

The other side is a problem. It's a VPN with Microsoft using Azure, kind of an autoconfigurable VPN that at the end generates a document containing the key and the protocols to be used (see attached).

I configured the ASA using exactly these parameters, except for names, crypto map number, etc.

The strange thing is the ASA not even "seeing" the key we configured for the peer; it's like it's not even there.

Thanks again.

Cisco Employee

Is it possible for you to post complete debugs?

Because you get this error message if there is no pre-shared key configured for the IP that you are coming from.

If you cannot paste the debugs, double check the connection is not going to the dynamic map or the default l2l tunnel-group.

If you can paste the debugs and some portion of the crypto map configuration, it would help us to diagnose the issue better.

Thanks

Jeet Kumar
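
The checks suggested in the replies above (does the peer land in a tunnel-group of its own address, and does that group hold a key the negotiation can use), written out as an added example; it is not code from any poster or from Cisco. The config and log samples are constructed with documentation addresses, the function names are hypothetical, and it assumes the 750xxx/751xxx message IDs come from the ASA's IKEv2 code, so it looks for an ikev2 local-authentication key and not only an ikev1 one.

```python
import re

# Constructed sample data (documentation addresses, not values from the thread).
CONFIG = """\
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.0.2.77 type ipsec-l2l
tunnel-group 192.0.2.77 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""
LOGS = """\
%ASA-5-750002: Local:203.0.113.10:500 Remote:198.51.100.20:500 Username:Unknown Received a IKE_INIT_SA request
%ASA-3-751002: Local:203.0.113.10:4500 Remote:198.51.100.20:4500 Username:198.51.100.20 No pre-shared key or trustpoint configured for self in tunnel group 198.51.100.20
%ASA-3-751002: Local:203.0.113.10:4500 Remote:198.51.100.99:4500 Username:198.51.100.99 No pre-shared key or trustpoint configured for self in tunnel group DefaultL2LGroup
"""
KEY_RE = re.compile(r"\s+((?:ikev[12] )?(?:(?:local|remote)-authentication )?pre-shared-key)\b")
LOG_RE = re.compile(r"%ASA-3-751002: .*?Remote:([\d.]+):\d+ .*in tunnel group (\S+)")

def parse_tunnel_groups(config):
    """Map each tunnel-group name to the key statements under its ipsec-attributes."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) (type|\S+-attributes)\b", line)
        if m:
            groups.setdefault(m.group(1), set())
            current = m.group(1) if m.group(2) == "ipsec-attributes" else None
        elif current and (k := KEY_RE.match(line)):
            groups[current].add(k.group(1))
    return groups

def diagnose(logs, config):
    """Return (peer, group, reason) for every 751002 line the config explains."""
    groups, findings = parse_tunnel_groups(config), []
    for peer, group in LOG_RE.findall(logs):
        keys = groups.get(group, set())
        if group != peer:
            # Peer address matched no tunnel-group of its own name.
            findings.append((peer, group, "landed-in-other-group"))
        elif "ikev2 local-authentication pre-shared-key" not in keys:
            # Assumption: 750xxx/751xxx IDs are IKEv2 messages, so "for self"
            # refers to the IKEv2 local-authentication key, not the ikev1 one.
            findings.append((peer, group, "no-ikev2-local-key"))
    return findings

if __name__ == "__main__":
    for finding in diagnose(LOGS, CONFIG):
        print(finding)
```

Feed it the output of show run tunnel-group and the matching syslog lines; a group that holds only an ikev1 key, or a peer that ends up in a differently named group, is reported per peer.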

New Member

Re: ASA IPSec Site to Site VPN error

I know this is an old post, but do we have any resolution or root cause for this? Can somebody help please? I am also getting the same error when I am configuring an L2L VPN between Azure and ASA.
