09-25-2010 12:13 PM
I configured on 2 ASA 5510s a VPN between them. I used the IPsec wizard and ensured that each rule was mirrored on the other device. I did select to have the traffic NATed because this is eventually going to be a point to multipoint environment, with the same IP addresses within each enclave. What will separate them will be the public addresses assigned to them. Looking at my log files on both devices, I see the same errors. Any help would be greatly appreciated.
4|Sep 25 2010|12:01:18|113019|||||Group = 207.98.185.25, Username = 207.98.185.25, IP = 207.98.185.25, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 25 2010|12:01:18|713259|||||Group = 207.98.185.25, IP = 207.98.185.25, Session is being torn down. Reason: User Requested
3|Sep 25 2010|12:01:18|713902|||||Group = 207.98.185.25, IP = 207.98.185.25, Removing peer from correlator table failed, no match!
5|Sep 25 2010|12:01:18|713050|||||Group = 207.98.185.25, IP = 207.98.185.25, Connection terminated for peer 207.98.185.25. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
5|Sep 25 2010|12:01:18|713068|||||Group = 207.98.185.25, IP = 207.98.185.25, Received non-routine Notify message: Invalid ID info (18)
5|Sep 25 2010|12:01:18|713119|||||Group = 207.98.185.25, IP = 207.98.185.25, PHASE 1 COMPLETED
6|Sep 25 2010|12:01:18|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 207.98.185.25
6|Sep 25 2010|12:01:18|713172|||||Group = 207.98.185.25, IP = 207.98.185.25, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
5|Sep 25 2010|12:01:18|713041|||||IP = 207.98.185.25, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 207.98.185.25 local Proxy Address 207.98.185.20, remote Proxy Address 207.98.185.24, Crypto map (Outside_map)
5|Sep 25 2010|12:01:18|713904|||||IP = 207.98.185.25, Received encrypted packet with no matching SA, dropping
09-25-2010 07:00 PM
It does not look like it's a mirror-image ACL.
Can you please advise what subnet is in Enterprise_A/29 and Enterprise_B/29?
On the first ASA you have:
Local Network: 207.98.185.28
Remote Network: Enterprise_A/29
On the other ASA, it should be the mirror image as follows:
Local Network: Enterprise_A/29
Remote Network: 207.98.185.28
However, you have the following on the other ASA:
Local network: 207.98.185.20 --> is this the same as Enterprise_A/29 ip address?
Remote Network: Enterprise_B/29 --> is this the same as 207.98.185.28?
Also, how are they being NATed? Static NAT or PAT? If you are performing PAT, traffic can only be initiated from the PAT end; hence, you can't configure PAT for both ends of the ASA. Plus, the crypto ACL needs to match the NATed address.
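To illustrate the mirror-image requirement the answer above describes, here is a small added check (example code written for this thread, not from Cisco or from either poster) that parses the `access-list ... extended permit ip` lines of two ASA crypto ACLs and reports every entry whose local/remote pair is not present, reversed, on the other side. The ACL name `Outside_cryptomap`, the 192.0.2.0/29 subnet standing in for Enterprise_A/29, and the configuration fragments themselves are constructed for the example; the addresses reflect the mismatch described in the thread (207.98.185.28 on one side versus 207.98.185.20 on the other).

```python
import ipaddress
import re

# Constructed sample ACLs (assumptions for illustration, not from the thread).
# Side A's crypto ACL: local 207.98.185.28/30, remote Enterprise_A stand-in 192.0.2.0/29.
ASA_A_ACL = """
access-list Outside_cryptomap extended permit ip 207.98.185.28 255.255.255.252 192.0.2.0 255.255.255.248
"""
# Side B as described in the thread: its "remote" is 207.98.185.20, not 207.98.185.28.
ASA_B_ACL = """
access-list Outside_cryptomap extended permit ip 192.0.2.0 255.255.255.248 207.98.185.20 255.255.255.252
"""
# Side B corrected so that it is the exact mirror of side A.
ASA_B_FIXED_ACL = """
access-list Outside_cryptomap extended permit ip 192.0.2.0 255.255.255.248 207.98.185.28 255.255.255.252
"""

# Matches 'access-list NAME extended permit ip SRC DST' where SRC/DST is either
# 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (address followed by a subnet mask).
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)


def _to_network(token):
    """Turn 'host A.B.C.D' or 'A.B.C.D M.M.M.M' into an ipaddress network object."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    # strict=False tolerates host bits in the address (the ASA accepts them too).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return a list of (local_network, remote_network) pairs from a crypto ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            pairs.append((_to_network(m.group("src")), _to_network(m.group("dst"))))
    return pairs


def find_mirror_mismatches(side_a_acl, side_b_acl):
    """
    Every (local, remote) entry on side A must appear as (remote, local) on side B
    and vice versa, otherwise the peers' Phase 2 identities (proxy IDs) disagree.
    Returns (entries_on_a_with_no_mirror_on_b, mirrored_b_entries_missing_on_a).
    Note: the addresses here must be the post-NAT addresses, since the crypto ACL
    is evaluated after translation.
    """
    a = set(parse_crypto_acl(side_a_acl))
    mirrored_b = {(remote, local) for local, remote in parse_crypto_acl(side_b_acl)}
    key = lambda p: (str(p[0]), str(p[1]))
    return sorted(a - mirrored_b, key=key), sorted(mirrored_b - a, key=key)


def acls_are_mirrors(side_a_acl, side_b_acl):
    """True when both crypto ACLs are exact mirror images of each other."""
    missing_on_b, missing_on_a = find_mirror_mismatches(side_a_acl, side_b_acl)
    return not missing_on_b and not missing_on_a


if __name__ == "__main__":
    for label, b_acl in (("as posted", ASA_B_ACL), ("corrected", ASA_B_FIXED_ACL)):
        missing_on_b, missing_on_a = find_mirror_mismatches(ASA_A_ACL, b_acl)
        print(f"{label}: mirror image = {acls_are_mirrors(ASA_A_ACL, b_acl)}")
        for local, remote in missing_on_b:
            print(f"  side A has {local} -> {remote} but side B has no {remote} -> {local}")
        for local, remote in missing_on_a:
            print(f"  side B implies {local} -> {remote}, which side A does not have")
```

Running it with the "as posted" fragments reports the 207.98.185.28/30 versus 207.98.185.20/30 disagreement; with the corrected side B it reports a clean mirror. The same comparison is worth running against the translated addresses whenever NAT is applied before the crypto map, which is the second point the answer makes.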
09-25-2010 12:30 PM
09-25-2010 01:11 PM