Community Member

DefaultL2LGroup keeps trying to connect to an old IP address

Hello all,

 

We have a Cisco ASA 5510 that had a VPN tunnel established with the previous network administrator's home connection.  When he resigned, we deleted the tunnel-group.  I've noticed, however, in the logs we still see:

4 Dec 28 2014 07:51:26 Group = DefaultL2LGroup, IP = x.x.x.x, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting

 

Where x.x.x.x is the guy's home IP address. I tried grepping his IP in show run and all I found was an ACL entry.  Is there any way to get DefaultL2LGroup to stop trying to reestablish this tunnel?

 

Thanks!

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Since you see 

     ERROR, had problems decrypting packet

I would say his configuration is still trying to send you encrypted packets.

 

5 REPLIES

hi,

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>

Hall of Fame Super Silver

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

Community Member

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

 

He says he has removed it on his end, and that our firewall is still trying to bring up a tunnel with him.

 

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>

 

When I do "no crypto isakmp key <key> address <ip>" I get:

ERROR:no keyword not supported.Command deprecated
Usage: crypto { ca | dynamic-map | engine | ipsec | isakmp | key | map  }
        For more detailed help, please refer directly to the subcommands

 

 

If I understand everything right we are using the transform-set for other VPN connections as well.

For the last one, I don't see any crypto map entries with his IP as the peer.

 

Hall of Fame Super Silver

Since you see 

     ERROR, had problems decrypting packet

I would say his configuration is still trying to send you encrypted packets.

 

Community Member

That was the problem, he thought he had removed it from his end and hadn't. Thanks!
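
The diagnosis in this thread rests on one log pattern: decrypt errors logged under DefaultL2LGroup mean a remote device without its own tunnel-group is still initiating IKE toward the firewall. As an added example (not part of the thread and not Cisco code), this Python script counts those errors per source IP in exported log lines and lists the addresses that are not configured peers; the sample lines, the peer set and the name `stale_peers` are constructed for illustration.

```python
import re
from collections import Counter

# Matches the message text quoted in the thread; any timestamp prefix is ignored.
DECRYPT_ERR = re.compile(
    r"Group = (?P<group>[^,\s]+), IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"ERROR, had problems decrypting packet"
)

def stale_peers(log_lines, configured_peers, default_group="DefaultL2LGroup"):
    """Return {ip: error_count} for decrypt errors logged under the default
    L2L group whose source IP is not a configured peer.

    Such an IP is a remote device that still has VPN config pointing at
    this firewall, which is what the thread turned out to be.
    """
    hits = Counter()
    for line in log_lines:
        m = DECRYPT_ERR.search(line)
        # Errors under a named tunnel-group are a different problem
        # (a real key mismatch on an existing tunnel), so skip them.
        if m and m.group("group") == default_group:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if ip not in configured_peers}

# Constructed sample input using documentation address ranges.
_MSG = ("Group = {g}, IP = {ip}, ERROR, had problems decrypting packet, "
        "probably due to mismatched pre-shared key. Aborting")
SAMPLE_LOG = [
    "4 Dec 28 2014 07:51:26 " + _MSG.format(g="DefaultL2LGroup", ip="203.0.113.7"),
    "4 Dec 28 2014 07:52:26 " + _MSG.format(g="DefaultL2LGroup", ip="203.0.113.7"),
    "4 Dec 28 2014 07:53:02 " + _MSG.format(g="198.51.100.20", ip="198.51.100.20"),
    "6 Dec 28 2014 07:54:10 unrelated constructed log line",
]
# Constructed: peer addresses that still have a tunnel-group on the firewall.
CONFIGURED_PEERS = {"198.51.100.20"}

if __name__ == "__main__":
    for ip, count in sorted(stale_peers(SAMPLE_LOG, CONFIGURED_PEERS).items()):
        print(f"{ip}: {count} decrypt errors under DefaultL2LGroup; "
              "have the remote end remove its config or filter it upstream")
```
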
