Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Modifying Existing VPN on ASA version 7.1

Hello All,

I have two issues to resolve

  1. I added 5 new network ranges to an existing B2B tunnel. Three (3) of the new network ranges are able to establish sessions over the tunnel but two (2) are unable. I did a tracert from computer and the trace terminates within the ASA. There are no logs showing up on the ASA to suggest traffic is reaching the ASA. I cloned the existing NAT and ACL and Static rules but with no success.
  2. 3Jul 11 201315:22:42713902



    Group = 82.199.93.3, IP = 82.199.93.3, QM FSM error (P2 struct &0xb07054c0, mess id 0x5eafb9bb)!
    3Jul 11 201315:22:42713902



    Group = 82.199.93.3, IP = 82.199.93.3, Removing peer from correlator table failed, no match!
    4Jul 11 201315:22:42752012



    IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 1.
    3Jul 11 201315:22:42752015



    Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 1.


Thankx

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Modifying Existing VPN on ASA version 7.1

The error message "Removing peer from correlator table failed, no match!" most often indicates tht the distant end does not have the mirror image configuration to allow the traffic across the VPN and thus some of the IKE SAs are not being formed.

4 REPLIES
Hall of Fame Super Silver

Modifying Existing VPN on ASA version 7.1

The error message "Removing peer from correlator table failed, no match!" most often indicates tht the distant end does not have the mirror image configuration to allow the traffic across the VPN and thus some of the IKE SAs are not being formed.

New Member

Modifying Existing VPN on ASA version 7.1

Hello Marvin,

The remote peer is using a Ciso Router and I asked the engineer to send me the config after sending him screenshot of the config on the ASA.

The engineer refused as they have other tunnels and the only confirmation of a mirror config is based on what he says.

As such I cannot verify if  this is related to why the other two network ranges are no being encrypted as they cross the ASA.

Thanks

Hall of Fame Super Silver

Modifying Existing VPN on ASA version 7.1

If you turn on debugging your log output should show you more precisely where the failure is. You can filter on the remote peer first to narrow down the volume of output.

debug crypto condition peer

debug crypto ipsec 7

debug crypto isakmp 7

New Member

Modifying Existing VPN on ASA version 7.1

Hello Marvin,

Thanks for the info supplied

will do so asap

Regards

Mike

161
Views
5
Helpful
4
Replies
CreatePlease login to create content