L2L VPN Tunnel Failure

muhannad
Level 1

Hello there,

I am trying to establish a site to site IPSEC VPN using two ASA firewalls but the VPN holds in IKE phase1 with the below error from my side : "Nov 26 04:00:27 [IKEv1]: Group = 168.187.68.242, IP = 168.187.68.242, Removing peer from correlator table failed, no match!"

I checked both IKE proposals/policies and the pre-shared key from both ends.

See attached files.

Thank you.

6 Replies

ariesc_33
Level 1

=========================================================================================================

access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

=========================================================================================================

nat (inside) 0 access-list outside_cryptomap_20

#############################################

It looks like everything is configured correctly except the access list for your NAT 0, where you used the same crypto map ACL that was applied on the outside interface.

Try changing your nat 0 ACL to "inside_nat0_outbound":

nat (inside) 0 access-list inside_nat0_outbound

#############################################

please rate if it helps

Thank you,

The access list references the interesting traffic only and it's valid for both NAT and crypto map.

ajagadee
Cisco Employee

Hi,

Quick qn, in your crypto map, for the peer "84.203.226.226", where is the match address statement? If there is none, can you configure one and then retest the tunnel to the other peer 212.93.223.211?

crypto map mymap 3 set peer 84.203.226.226

crypto map mymap 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map mymap 3 set nat-t-disable

crypto map mymap 3 set phase1-mode aggressive

Regards,

Arul

*Pls rate if it helps*

Hi,

The peer 212.93.223.211 should have a tunnel with 168.187.68.242.

Peer 84.203.226.226 is also to have a tunnel with 168.187.68.242.

Thank you, but this is not the case.

change the following:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

To the following:

crypto map mymap 65000 ipsec-isakmp dynamic dyn1

on IT-S2

Did you get a chance to try the change I suggested?

Thanks
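
An added example, not part of any reply in this thread and not Cisco tooling: a small Python check over ASA "crypto map" lines that flags the two conditions the replies raise, a static entry that sets a peer but has no "match address", and a dynamic entry whose sequence number is lower than a static entry's. The sample configuration is constructed from lines quoted in the thread; the sequence number 2 and its pairing with outside_cryptomap_20 are assumptions.

```python
import re

# Constructed sample based on the crypto map lines quoted in the thread.
# Entry 2 and its ACL pairing are assumed for illustration.
SAMPLE = """\
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_cryptomap_20
crypto map mymap 2 set peer 212.93.223.211
crypto map mymap 3 set peer 84.203.226.226
crypto map mymap 3 set nat-t-disable
"""

# Matches per-entry lines only; "crypto map mymap interface outside" is skipped.
LINE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse(config):
    """Return {map_name: {seq: {"dynamic": bool, "peer": bool, "acl": bool}}}."""
    maps = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": False, "peer": False, "acl": False})
        if rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = True
        elif rest.startswith("set peer "):
            entry["peer"] = True
        elif rest.startswith("match address "):
            entry["acl"] = True
    return maps

def audit(config):
    """Return a sorted list of (map_name, seq, finding) tuples."""
    findings = []
    for name, entries in sorted(parse(config).items()):
        static = [s for s, e in entries.items() if not e["dynamic"]]
        for seq, e in sorted(entries.items()):
            # Entries are evaluated lowest sequence first, so a dynamic
            # entry below a static one is matched before it.
            if e["dynamic"] and any(s > seq for s in static):
                findings.append((name, seq, "dynamic entry precedes static entries"))
            if not e["dynamic"] and e["peer"] and not e["acl"]:
                findings.append((name, seq, "peer set but no match address"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```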
