New Member

VPN L2L using GNS3 --> ERROR: Removing peer from correlator table failed, no match!

I followed the instructions for interconnecting 2 LANs using VPN (I am using GNS3 simulating 2 ASA 5510, one on each side, to build the VPN), but I am receiving the following error (unfortunately, I am not an expert in terms of ASA).

ciscoasa2#   Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc396bb8, mess id 0x65d3a659)!

Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Removing peer from correlator table failed, no match!

Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Session is being torn down. Reason: Phase 2 Mismatch

Apr 02 06:12:44 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc146df0, mess id 0x2709556c)!

The diagram is something like:

PC1-LAN1--ASA1---WAN---ASA2--LAN2---PC2

Before applying the VPN, I could ping from PC1 to the OUTSIDE of ASA2 and vice versa.

The configuration for the ASA are:

SITE 1

ASA Version 8.4(2)
!
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONNECTION TO ROUTER # 2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
!
interface GigabitEthernet1
description CONNECTION TO SWITCH # 2
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
SOME INTERFACES WERE OMITTED
!
ftp mode passive
object network INTERNAL_LAN
subnet 10.1.1.0 255.255.255.0
object network NETWORK-LOCAL
subnet 10.1.1.0 255.255.255.0
object network NETWORK-REMOTE
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK-LOCAL NETWORK-LOCAL destination static NETWORK-REMOTE NETWORK-REMOTE
!
object network INTERNAL_LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 67.94.1.2 type ipsec-l2l
tunnel-group 67.94.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e96b9102c0afc699ca39df978dd1096b
: end
ciscoasa2#


SITE 2

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONNECTION TO INTERNET 67.94.1.0 / 28
nameif outside
security-level 0
ip address 67.94.1.2 255.255.255.240
!
interface GigabitEthernet1
description INTERNAL LAN CONNECTION 172.16.1.0 / 24
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
!
ftp mode passive
object network Network-Local
subnet 172.16.1.0 255.255.255.0
object network Network-Remota
subnet 10.1.1.0 255.255.255.0
object network INTERNAL-LAN
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Network-Local Network-Local destination static Network-Remota Network-Remota
!
object network INTERNAL-LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 67.94.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 50.1.1.2 type ipsec-l2l
tunnel-group 50.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:7f6998d87d35c9fab97d2c41f00c7d95
: end
ciscoasa#

VERSION OF IOS in the GNS3 ASA

ciscoasa2#      show flash
--#--  --length--  -----date/time------  path
    5  4096        Mar 31 2012 20:28:08  log
   10  4096        Mar 31 2012 20:28:12  coredumpinfo
   11  59          Mar 31 2012 20:28:12  coredumpinfo/coredump.cfg
   78  196         Mar 31 2012 20:28:12  upgrade_startup_errors_201203312028.log
   74  0           Mar 31 2012 21:13:36  nat_ident_migrate
268136448 bytes total (267767808 bytes free)
ciscoasa2# show ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa2 up 2 hours 59 mins
Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB

0: Ext: GigabitEthernet0    : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1    : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2    : address is 0000.ab96.ba02, irq 0
3: Ext: GigabitEthernet3    : address is 0000.abc5.8a03, irq 0
4: Ext: GigabitEthernet4    : address is 0000.ab7a.4604, irq 0
5: Ext: GigabitEthernet5    : address is 0000.abd9.1205, irq 0
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 06:07:30.389 UTC Mon Apr 2 2012
ciscoasa2#

In addition to that, I tried to configure the isakmp policy, but I only have the following options:

ciscoasa(config)# crypto ?

configure mode commands/options:

  ca           Certification authority

  dynamic-map  Configure a dynamic crypto map

  ikev1        Configure IKEv1 policy

  ikev2        Configure IKEv2 policy

  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation

  isakmp       Configure ISAKMP

  key          Long term key operations

  map          Configure a crypto map

exec mode commands/options:

  ca  Execute Certification Authority Commands

ciscoasa(config)# crypto is

ciscoasa(config)# crypto isakmp ?

configure mode commands/options:

  disconnect-notify  Enable disconnect notification to peers

  identity           Set identity type (address, hostname or key-id)

  nat-traversal      Enable and configure nat-traversal

  reload-wait        Wait for voluntary termination of existing connections

                     before reboot

ciscoasa(config)#

ciscoasa(config)# crypto ike

ciscoasa(config)# crypto ikev1 ?

configure mode commands/options:

  am-disable      Disable inbound aggressive mode connections

  enable          Enable IKEv1 on the specified interface

  ipsec-over-tcp  Enable and configure IPSec over TCP

  policy          Set IKEv1 policy suite

ciscoasa(config)# crypto ikev1 policy ?

configure mode commands/options:

  <1-65535>  Policy suite priority(1 highest, 65535 lowest)

ciscoasa(config)#

That is the reason why I was only able to configure:

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


There is no SA established between both ends.

Thank you in advance for your orientation regarding this issue!!

Super Bronze

Re: VPN L2L using GNS3 --> ERROR: Removing peer from correlator

Hi,

Your Site 1 transform set has "DES", your Site 2 has "3DES":

Site 1: crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac

Site 2: crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac

- Jouni
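The mismatch Jouni spotted by eye is exactly the class of error that shows up only as "QM FSM error" and "Phase 2 Mismatch" in the IKEv1 log, because the transform set never appears in the log itself. The script below is an added example for this thread, not code from the original post or from Cisco: it parses the lines an IKEv1 L2L tunnel depends on from both ASA configs (the two excerpts embedded in it are constructed from the configs posted above, trimmed to the relevant lines) and cross-checks peer addresses, tunnel-groups, mirrored crypto ACLs, the transform sets referenced by the crypto maps and the IKEv1 policies. The function names parse_asa, check_l2l_pair and fixed_site1 are this example's own, and the parser is a minimal match on the 8.4 syntax shown here, not a general ASA config parser.

```python
"""Cross-check two ASA IKEv1 site-to-site configs for the mismatches behind
'QM FSM error' / 'Session is being torn down. Reason: Phase 2 Mismatch'.
Added example for this thread; parse_asa/check_l2l_pair are not Cisco tools."""
import re
from typing import Dict, List

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated down, never a mismatch


def parse_asa(cfg: str) -> Dict:
    """Pull out only the pieces of an ASA 8.4 config that an IKEv1 L2L tunnel depends on."""
    d = {"outside_ip": None, "transform_sets": {}, "crypto_maps": {},
         "acls": {}, "ikev1_policies": {}, "tunnel_groups": set()}
    in_outside, policy = False, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            in_outside = False                       # a new interface block starts
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            d["outside_ip"] = line.split()[2]
        if (m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)):
            d["transform_sets"][m[1]] = frozenset(m[2].split())
        elif (m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)", line)):
            d["crypto_maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif (m := re.match(r"access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$", line)):
            d["acls"].setdefault(m[1], []).append(m.groups()[1:])   # (proto, src, smask, dst, dmask)
        elif (m := re.match(r"crypto ikev1 policy (\d+)$", line)):
            policy = d["ikev1_policies"].setdefault(int(m[1]), {})
        elif (m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line)):
            d["tunnel_groups"].add(m[1])
        elif policy is not None and line.split()[0] in PHASE1_ATTRS + ("lifetime",):
            policy[line.split()[0]] = line.split()[1]
        else:
            policy = None                            # any other command closes the policy block
    return d


def check_l2l_pair(cfg_a: str, cfg_b: str, name_a: str = "A", name_b: str = "B") -> List[str]:
    """Return human-readable findings; an empty list means the two sides mirror each other."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    findings: List[str] = []
    # Directional checks: peer address, tunnel-group, and mirrored proxy identities (crypto ACL).
    for local, remote, ln, rn in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        for (mapname, seq), entry in local["crypto_maps"].items():
            peer = entry.get("set peer")
            if peer != remote["outside_ip"]:
                findings.append(f"{ln}: crypto map {mapname} {seq} peers with {peer}, but {rn}'s outside address is {remote['outside_ip']}")
            if peer not in local["tunnel_groups"]:
                findings.append(f"{ln}: no 'tunnel-group {peer} type ipsec-l2l' for the crypto map peer")
            for proto, src, smask, dst, dmask in local["acls"].get(entry.get("match address"), []):
                mirror = (proto, dst, dmask, src, smask)
                if not any(mirror in aces for aces in remote["acls"].values()):
                    findings.append(f"{ln}: crypto ACL {src}/{smask} -> {dst}/{dmask} has no mirror image on {rn}")
    # Symmetric checks: Phase 2 transform set and Phase 1 policy.
    ts_a = {a["transform_sets"].get(e.get("set ikev1 transform-set")) for e in a["crypto_maps"].values()} - {None}
    ts_b = {b["transform_sets"].get(e.get("set ikev1 transform-set")) for e in b["crypto_maps"].values()} - {None}
    if not (ts_a & ts_b):
        findings.append(f"transform-set mismatch: {name_a} offers {[sorted(t) for t in ts_a]}, "
                        f"{name_b} offers {[sorted(t) for t in ts_b]} -> Phase 2 Mismatch")
    if not any({k: pa.get(k) for k in PHASE1_ATTRS} == {k: pb.get(k) for k in PHASE1_ATTRS}
               for pa in a["ikev1_policies"].values() for pb in b["ikev1_policies"].values()):
        findings.append("no IKEv1 policy with matching authentication/encryption/hash/group on both sides -> Phase 1 fails")
    return findings


# Constructed excerpts of the two configs posted in the thread (only the lines the checker reads).
SITE1 = """
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 50.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 67.94.1.2 type ipsec-l2l
"""

SITE2 = """
interface GigabitEthernet0
 nameif outside
 ip address 67.94.1.2 255.255.255.240
!
interface GigabitEthernet1
 nameif inside
 ip address 172.16.1.1 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 50.1.1.2 type ipsec-l2l
"""


def fixed_site1() -> str:
    """Site 1 with the transform set corrected as suggested in the reply (esp-des -> esp-3des)."""
    return SITE1.replace("esp-des esp-sha-hmac", "esp-3des esp-sha-hmac")


if __name__ == "__main__":
    for f in check_l2l_pair(SITE1, SITE2, "ciscoasa2", "ciscoasa"):
        print("FINDING:", f)
    print("after fix:", check_l2l_pair(fixed_site1(), SITE2, "ciscoasa2", "ciscoasa") or "clean")
```

Run against the two excerpts it reports a single finding, the esp-des versus esp-3des transform set, and nothing once Site 1 is changed to esp-3des; the peer addresses, tunnel-groups, crypto ACLs and IKEv1 policies in the posted configs already mirror each other. On a real box the same comparison is done by hand from `show run crypto` on both peers, with `show crypto ikev1 sa` and `show crypto ipsec sa` to confirm which phase completed. Two caveats the thread's configs raise: the `show ver` output above lists VPN-3DES-AES as Disabled, and real ASA hardware enforces that licence and refuses 3DES/AES transforms, which the emulated image does not; and DES, 3DES, SHA-1 and DH group 2 are legacy choices that should be replaced with AES, SHA-2 and a stronger DH group on any production tunnel.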

New Member

Re: VPN L2L using GNS3 --> ERROR: Removing peer from correlator

Hi JouniForss,

Thank you so much, I made the modification and now it works.

I can continue simulating all the possible scenarios for interconnecting ASA + VMware for Web/FTP servers.

regards

Abraham

Super Bronze

VPN L2L using GNS3 --> ERROR: Removing peer from correlator tabl

Hi,

Glad to hear you got it working

Please rate if you found it helpful.

- Jouni

New Member

Re: VPN L2L using GNS3 --> ERROR: Removing peer from correlator

Jouni, I am trying to rate it but it does not work. Layer 8 problem, apparently!!!

Super Bronze

VPN L2L using GNS3 --> ERROR: Removing peer from correlator tabl

Hi,

There should be 2 rows of stars at the bottom of every post. The left one of the two rows should let you set a rating when you put your pointer over the stars.

But if it doesn't work, it's no problem.
