I ran into an issue with one of my VPN L to L tunnels on an ASA 5510. This tunnel was built for a vendor company, and their support reported that the tunnel drops sometimes. I looked into the ASA log files and found the following errors:
2010-11-03 09:07:50 Local4.Error x.x.x.x :Nov 03 09:07:50 EDT: %ASA-vpn-3-713061: Group = 68.x.x.x, IP = 68.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 188.8.131.52/255.255.255.255/0/0 local proxy 192.168.20.0/255.255.255.248/0/0 on interface outside
2010-11-03 09:07:50 Local4.Error x.x.x.x :Nov 03 09:07:50 EDT: %ASA-vpn-3-713902: Group = 68.x.x.x, IP = 68.x.x.x, QM FSM error (P2 struct &0xad763d50, mess id 0xe382746a)!
2010-11-03 09:07:50 Local4.Error x.x.x.x :Nov 03 09:07:50 EDT: %ASA-vpn-3-713902: Group = 68.x.x.x, IP = 68.x.x.x, Removing peer from correlator table failed, no match!
I had to NAT two servers on my side to get this tunnel to work. Here's my config:
access-list policy_NAT_C1 extended permit ip host 10.1.1.1 host 184.108.40.206
access-list policy_NAT_C2 extended permit ip host 10.1.26.1 host 220.127.116.11
access-list outside_C_cryptomap extended permit ip host 192.168.20.2 host 18.104.22.168
access-list outside_C_cryptomap extended permit ip host 192.168.20.3 host 22.214.171.124
crypto map M 8 match address outside_C_cryptomap
crypto map M 8 set peer 68.x.x.x
crypto map M 8 set transform-set C
crypto map M 8 set security-association lifetime seconds 28800
crypto map M 8 set security-association lifetime kilobytes 4608000
%ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address, Dst: dest_address!
The adaptive security appliance was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the adaptive security appliance. This is most likely a misconfiguration.
Recommended Action: Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, and host addresses versus network addresses. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.
Don't you have other IPsec peers that might be conflicting with the interesting traffic?
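The 713061 message carries the exact proxy IDs the peer proposed in Quick Mode, so the mismatch can be checked mechanically against the crypto ACL instead of by eye. The following script is an added example, not code from the thread or from Cisco: it parses a 713061 line, parses ASA-style crypto ACL entries, and reports whether the proposal matches an entry exactly and which entries merely overlap it (an overlap without an exact match is the pattern seen above, where the peer still proposed the old /29 while the ACL had been narrowed to two hosts). The log line and ACL entries below are constructed samples modelled on the thread; the 203.0.113.x and 68.0.0.1 addresses are documentation placeholders, not real peers.

```python
import ipaddress
import re

# Constructed sample 713061 line, modelled on the one in the thread (placeholder addresses).
SAMPLE_LOG = (
    "%ASA-vpn-3-713061: Group = 68.0.0.1, IP = 68.0.0.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 203.0.113.10/255.255.255.255/0/0 "
    "local proxy 192.168.20.0/255.255.255.248/0/0 on interface outside"
)

# Hypothetical crypto ACL in the same shape as the thread's outside_C_cryptomap.
CRYPTO_ACL = [
    "access-list outside_C_cryptomap extended permit ip host 192.168.20.2 host 203.0.113.10",
    "access-list outside_C_cryptomap extended permit ip host 192.168.20.3 host 203.0.113.11",
]

# remote proxy ADDR/MASK/PROTO/PORT local proxy ADDR/MASK/PROTO/PORT
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def parse_713061(line):
    """Return (local_net, remote_net) proposed by the peer, or None if the line is not a 713061."""
    if "713061" not in line:
        return None
    m = PROXY_RE.search(line)
    if not m:
        return None
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
    remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
    return local, remote


def _acl_endpoint(tokens):
    """Consume one ACL endpoint ('host X', 'any', or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(lines):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src_net, dst_net) pairs."""
    entries = []
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 2:]  # skip 'permit ip'
        src, rest = _acl_endpoint(rest)
        dst, rest = _acl_endpoint(rest)
        entries.append((src, dst))
    return entries


def diagnose(line, acl_lines):
    """Compare the peer's proposed proxies with the local crypto ACL.

    Only an exact (local == src, remote == dst) match is reported as acceptable, which is the
    conservative reading of the Cisco text quoted in the thread; overlapping entries are listed
    so the operator can see which side still carries a stale or wider definition.
    """
    parsed = parse_713061(line)
    if parsed is None:
        return None
    local, remote = parsed
    entries = parse_crypto_acl(acl_lines)
    exact = [(s, d) for s, d in entries if s == local and d == remote]
    overlapping = [(s, d) for s, d in entries if s.overlaps(local) and d.overlaps(remote)]
    return {
        "proposed_local": str(local),
        "proposed_remote": str(remote),
        "exact_match": bool(exact),
        "overlapping_entries": [f"{s} -> {d}" for s, d in overlapping],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CRYPTO_ACL))
```

Run against the sample, the output shows the proposed local proxy 192.168.20.0/29 with no exact ACL match but one overlapping host entry, which is the signature of a peer proposing a superset of what this side protects; the same function returns a positive exact match once the proposal is narrowed to 192.168.20.2/32.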
This tunnel was originally configured on a VPN concentrator, using the subnet 192.168.20.0/255.255.255.248. Once it was moved to the ASA, I limited it to 192.168.20.2 and 192.168.20.3 only. I've just verified with the vendor's network tech that the ACL on his side matches mine. Not sure how the firewall got this:
local proxy 192.168.20.0/255.255.255.248/0/0 on interface outside
You are right. Thank you for your help. On the vendor's PIX there was a config mismatch in memory, so it was requesting the wrong subnet (actually this was the one used with the "old" tunnel). The vendor's tech cleared the isakmp sa and all is well now. Again, the new configuration was done fine, but there was still something in memory (speculation) which was causing the problem.