Cisco Support Community
New Member

L2L VPN Tunnel Failure

Hello there,

I am trying to establish a site-to-site IPsec VPN using two ASA firewalls, but the VPN holds in IKE phase 1 with the below error from my side: "Nov 26 04:00:27 [IKEv1]: Group = 168.187.68.242, IP = 168.187.68.242, Removing peer from correlator table failed, no match!"

I checked both IKE proposals/policies and the pre-shared key from both ends.

See attached files.

Thank you.

6 REPLIES
New Member

Re: L2L VPN Tunnel Failure

=========================================================================================================

access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

=========================================================================================================

nat (inside) 0 access-list outside_cryptomap_20

#############################################

It looks like everything is configured correctly except the access-list for your NAT 0, for which you used the same crypto map ACL that was applied on the outside interface.

Try changing your nat 0 ACL to "inside_nat0_outbound":

nat (inside) 0 access-list inside_nat0_outbound

#############################################

Please rate if it helps.

New Member

Re: L2L VPN Tunnel Failure

Thank you,

The access list references the interesting traffic only, and it's valid for both NAT and crypto map.

Cisco Employee

Re: L2L VPN Tunnel Failure

Hi,

Quick question: in your crypto map, for the peer "84.203.226.226", where is the match address statement? If there is none, can you configure one and then retest the tunnel to the other peer 212.93.223.211?

crypto map mymap 3 set peer 84.203.226.226

crypto map mymap 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map mymap 3 set nat-t-disable

crypto map mymap 3 set phase1-mode aggressive

Regards,

Arul

*Please rate if it helps*

New Member

Re: L2L VPN Tunnel Failure

Hi,

The peer 212.93.223.211 should have a tunnel with 168.187.68.242.

Peer 84.203.226.226 is also to have a tunnel with 168.187.68.242.

Thank you, but this is not the case.

New Member

Re: L2L VPN Tunnel Failure

Change the following:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

To the following:

crypto map mymap 65000 ipsec-isakmp dynamic dyn1

on IT-S2

New Member

Re: L2L VPN Tunnel Failure

Did you get a chance to try the change I suggested?

Thanks
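
The two crypto map points raised in the replies above (a peer entry with no match address statement, and a dynamic entry at sequence 1 instead of 65000) can be checked mechanically before a change window. The following is an added example, not part of the original thread: the function names are hypothetical, and the sample config is constructed from the lines quoted above plus an assumed entry 2.

```python
import re

# Constructed sample: entries 1 and 3 reuse lines quoted in the thread;
# entry 2 (its sequence number and ACL binding) is assumed for illustration.
SAMPLE_CONFIG = """\
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_cryptomap_20
crypto map mymap 2 set peer 212.93.223.211
crypto map mymap 3 set peer 84.203.226.226
crypto map mymap 3 set nat-t-disable
crypto map mymap interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: set of flags}}; flags: dynamic, peer, match."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a numbered entry, e.g. the "interface outside" binding
        flags = maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), set())
        rest = m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            flags.add("dynamic")
        elif rest.startswith("set peer "):
            flags.add("peer")
        elif rest.startswith("match address "):
            flags.add("match")
    return maps

def lint_crypto_maps(config):
    """Return sorted (map, seq, issue) tuples for the two problems raised above."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        static_seqs = [s for s, f in entries.items() if "dynamic" not in f]
        for seq, flags in entries.items():
            # Lower sequence numbers are evaluated first, so a dynamic entry
            # placed ahead of static ones can pre-empt the static peers.
            if "dynamic" in flags and any(s > seq for s in static_seqs):
                findings.append((name, seq, "dynamic-before-static"))
            # A static entry that names a peer needs an ACL to select traffic.
            if "peer" in flags and "match" not in flags:
                findings.append((name, seq, "no-match-address"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample this reports entry 1 as `dynamic-before-static` and entry 3 as `no-match-address`; moving the dynamic entry to 65000 and adding a match address to entry 3 clears both.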
