Cisco Support Community
New Member

VPN Continuous Pings timing out

Thanks in advance.

I have an ASA5505 at a remote location and an ASA5550 at my location.

I am getting the following info in my logs:

IP = 62.73.210.70, Header invalid, missing SA payload! (next payload = 4)

Group = 62.73.210.70, IP = 62.73.210.70, No preshared key configured for group

Group = 62.73.210.70, IP = 62.73.210.70, Can't find a valid tunnel group, aborting...!

Group = 62.73.210.70, IP = 62.73.210.70, Removing peer from peer table failed, no match!

Group = 62.73.210.70, IP = 62.73.210.70, Error: Unable to remove PeerTblEntry

Copy of configs as follows:

Remote location: 172.25.62.226 has been statically NAT'ed to public 62.73.210.70.

Remote Config:

interface Vlan1
nameif inside
security-level 100
ip address 10.200.1.209 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address 172.25.62.226 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2

access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
access-list 100 extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.25.62.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 65.181.59.210
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal  2


tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic

My Location Config:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.181.59.210 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.199.1.2 255.255.255.0

dns server-group DefaultDNS

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service WML tcp
description Remote wits data access
port-object range 1 65535

access-list aclin extended permit object-group DM_INLINE_PROTOCOL_5 host 10.199.1.2 host 65.181.59.210

access-list no-nat remark Local Rules
access-list no-nat extended permit ip Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list no-nat remark Local Rules
access-list no-nat extended permit ip Rignet 255.255.255.0 ConocoNova 255.255.255.240
access-list no-nat remark ConocoNova

access-list no-nat extended permit ip Rignet 255.255.255.0 ENI 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 ENI 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 BobbyVPN 255.255.255.0
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 BobbyVPN 255.255.255.0

access-list inside_access_in remark Block port 135 for port scanning
access-list inside_access_in extended deny 135 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list test extended permit icmp any any echo
access-list test extended permit icmp any any echo-reply
access-list InsideNOV_access_in extended permit ip 10.200.0.0 255.255.0.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_4 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_12 Norway_Office 255.255.255.240 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_8 BobbyVPN 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_8 any any
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_5 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_6 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_PROTOCOL_10 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 BobbyVPN 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit ip 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_13 host 65.181.59.210 host 10.200.1.222
access-list inside_access_in_2 extended permit object-group DM_INLINE_SERVICE_11 Rignet 255.255.255.0 Rignet 255.255.255.0
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_14 host 65.181.59.210 host 10.200.1.222
pager lines 24
logging enable
logging asdm informational

asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 65.181.57.51 netmask 255.255.255.255
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list no-nat
nat (inside) 1 Rignet 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 65.181.59.222 10.199.1.23 netmask 255.255.255.255
static (inside,outside) 65.181.59.219 10.199.1.27 netmask 255.255.255.255
static (inside,outside) 65.181.59.216 10.199.1.29 netmask 255.255.255.255
access-group aclin in interface outside
access-group inside_access_in_1 in interface inside

route outside 0.0.0.0 0.0.0.0 65.181.59.209 1
route inside 153.15.156.217 255.255.255.255 65.181.57.51 1

dynamic-access-policy-record DfltAccessPolicy

sysopt connection tcpmss 1100
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.70
crypto map myMAP 1 set transform-set mySET
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto ca trustpoint Intelliserv.rignet.local

crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint0

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
nem enable
group-policy ENI internal
group-policy ENI attributes
vpn-tunnel-protocol IPSec

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
tunnel-group 164.85.0.18 type ipsec-l2l
tunnel-group 164.85.0.18 ipsec-attributes
peer-id-validate cert
chain
tunnel-group 62.73.210.70 type ipsec-l2l
tunnel-group 62.73.210.70 general-attributes
default-group-policy ENI
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Re: VPN Continuous Pings timing out

I don't see a tunnel group and associated psk at your main location for the remote site 5505 outside interface.

Sent from Cisco Technical Support iPad App

2 REPLIES

New Member

VPN Continuous Pings timing out

The tunnel-group is there; it is the 62.73.210.70 one.

But since you mentioned it, I took another look and noticed there was no pre-shared key in the new tunnel group I created. So thanks for the answer; it made me look again and notice my error.

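The root cause in this thread (an ipsec-l2l tunnel-group defined for the peer but never given a pre-shared key) is easy to catch with a config audit before the peer starts logging "No preshared key configured for group". The script below is an added example, not code from the thread or from Cisco. It parses an ASA config in the same indentation-stripped form as the pastes above, lists every ipsec-l2l tunnel-group that has neither a pre-shared-key nor a trust-point, checks that every crypto-map peer has a tunnel-group, and ties those findings to the ISAKMP log lines quoted in the question. Going beyond the thread's own issue, it also flags the DES/MD5 lines in the same config, since those are the next thing a reviewer would raise. The config excerpt is constructed from the hub config above; the trust-point line for 164.85.0.18 is an assumption for illustration, as the thread shows only peer-id-validate cert for that group.

```python
"""Audit an ASA config for IKEv1 L2L tunnel-groups without credentials and
correlate the result with ISAKMP log lines. Added example; not the thread's code."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the hub config in the thread (not the full config).
# The trust-point line for 164.85.0.18 is an assumption, not shown in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.70
crypto map myMAP 1 set transform-set mySET
crypto map myMAP interface outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 164.85.0.18 type ipsec-l2l
tunnel-group 164.85.0.18 ipsec-attributes
trust-point ASDM_TrustPoint0
peer-id-validate cert
tunnel-group 62.73.210.70 type ipsec-l2l
tunnel-group 62.73.210.70 general-attributes
default-group-policy ENI
"""

# The five ISAKMP lines quoted in the question.
SAMPLE_LOG = """\
IP = 62.73.210.70, Header invalid, missing SA payload! (next payload = 4)
Group = 62.73.210.70, IP = 62.73.210.70, No preshared key configured for group
Group = 62.73.210.70, IP = 62.73.210.70, Can't find a valid tunnel group, aborting...!
Group = 62.73.210.70, IP = 62.73.210.70, Removing peer from peer table failed, no match!
Group = 62.73.210.70, IP = 62.73.210.70, Error: Unable to remove PeerTblEntry
"""

# Commands that always start a new top-level block. Anything else following a
# "tunnel-group X ipsec-attributes" line is treated as one of its sub-commands,
# so the parser also works on pasted configs whose leading spaces were lost.
TOP_LEVEL = ("tunnel-group", "crypto", "group-policy", "access-list", "interface",
             "class-map", "policy-map", "nat", "global", "static", "route", "!")

# Algorithms a reviewer would ask to retire; 3DES lines do not match "esp-des".
WEAK_TOKENS = ("esp-des", "esp-md5-hmac", "encryption des", "hash md5")


@dataclass
class TunnelGroup:
    name: str
    l2l: bool = False
    auth: set = field(default_factory=set)  # "psk" and/or "cert"


def parse_config(text):
    """Return (tunnel_groups, crypto_map_peers, weak_lines) from ASA config text."""
    groups, peers, weak, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            groups.setdefault(m.group(1), TunnelGroup(m.group(1))).l2l = m.group(2) == "ipsec-l2l"
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        m = re.match(r"crypto map \S+ \d+ set peer (\S+)", line)
        if m:
            peers.append(m.group(1))
        if line.startswith(TOP_LEVEL):
            current = None  # any other top-level command closes the ipsec-attributes block
        elif current is not None:
            if line.startswith("pre-shared-key"):
                current.auth.add("psk")
            elif line.startswith("trust-point"):
                current.auth.add("cert")
        if any(tok in line for tok in WEAK_TOKENS):
            weak.append(line)
    return groups, peers, weak


def audit(groups, peers):
    """Findings worth acting on: peers with no L2L tunnel-group, and L2L
    tunnel-groups with neither a pre-shared key nor a trustpoint."""
    findings = []
    for peer in peers:
        if peer not in groups or not groups[peer].l2l:
            findings.append(f"{peer}: crypto map peer has no ipsec-l2l tunnel-group")
    for g in groups.values():
        # A peer-specific group that exists without a key is not rescued by the key
        # on DefaultL2LGroup: the thread's log shows exactly this case.
        if g.l2l and not g.auth:
            findings.append(f"{g.name}: ipsec-l2l tunnel-group has no pre-shared-key or trust-point")
    return findings


LOG_RE = re.compile(r"^(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.+)$")


def parse_log(text):
    """Group ISAKMP messages by peer IP: {ip: [msg, ...]}."""
    per_peer = {}
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            per_peer.setdefault(m["ip"], []).append(m["msg"])
    return per_peer


def correlate(config_text, log_text):
    """Join config findings with the peers the log complains about."""
    groups, peers, weak = parse_config(config_text)
    findings = audit(groups, peers)
    report = {}
    for ip, msgs in parse_log(log_text).items():
        key_errors = [m for m in msgs if "No preshared key" in m or "valid tunnel group" in m]
        report[ip] = {"log_errors": key_errors,
                      "config_findings": [f for f in findings if f.startswith(ip + ":")]}
    return report, weak


if __name__ == "__main__":
    report, weak = correlate(SAMPLE_CONFIG, SAMPLE_LOG)
    for ip, r in report.items():
        print(ip, r)
    for line in weak:
        print("weak algorithm in config:", line)
```

Feed it the output of show running-config and the ISAKMP lines from show logging (or a syslog export); a peer that appears in the report with both log errors and a config finding is the one to fix first, and the weak-algorithm lines are the follow-up change once the tunnel is up.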