
VPN site-to-site issues

Hello everybody,

 

I need some help because I'm debugging a site-to-site VPN and it's not working. I have the log below:

 

Teardown UDP connection 166426822 for wan:194.4.237.89/500 to identity:41.207.42.170/500 duration 0:02:09 bytes 6672
Group = 194.4.237.89, Username = 194.4.237.89, IP = 194.4.237.89, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Session is being torn down. Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Removing peer from correlator table failed, no match!
Group = 194.4.237.89, IP = 194.4.237.89, Connection terminated for peer 194.4.237.89.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Group = 194.4.237.89, IP = 194.4.237.89, Received non-routine Notify message: Invalid ID info (18)
Group = 194.4.237.89, IP = 194.4.237.89, PHASE 1 COMPLETED
AAA retrieved default group policy (GroupPolicy_194.4.237.89) for user = 194.4.237.89
Group = 194.4.237.89, IP = 194.4.237.89, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
IP = 194.4.237.89, IKE Initiator: New Phase 1, Intf vlan200, IKE Peer 194.4.237.89  local Proxy Address 113.133.132.9, remote Proxy Address 172.31.50.20,  Crypto map (VPN_MAP)
Group = 194.4.237.89, Username = 194.4.237.89, IP = 194.4.237.89, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Session is being torn down. Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Removing peer from correlator table failed, no match!
Group = 194.4.237.89, IP = 194.4.237.89, Connection terminated for peer 194.4.237.89.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Group = 194.4.237.89, IP = 194.4.237.89, Received non-routine Notify message: Invalid ID info (18)
Group = 194.4.237.89, IP = 194.4.237.89, PHASE 1 COMPLETED
AAA retrieved default group policy (GroupPolicy_194.4.237.89) for user = 194.4.237.89
Group = 194.4.237.89, IP = 194.4.237.89, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
IP = 194.4.237.89, IKE Initiator: New Phase 1, Intf vlan200, IKE Peer 194.4.237.89  local Proxy Address 113.133.132.9, remote Proxy Address 172.31.50.20,  Crypto map (VPN_MAP)
Group = 194.4.237.89, Username = 194.4.237.89, IP = 194.4.237.89, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Session is being torn down. Reason: User Requested
Group = 194.4.237.89, IP = 194.4.237.89, Removing peer from correlator table failed, no match!
Group = 194.4.237.89, IP = 194.4.237.89, Connection terminated for peer 194.4.237.89.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Group = 194.4.237.89, IP = 194.4.237.89, Received non-routine Notify message: Invalid ID info (18)
Group = 194.4.237.89, IP = 194.4.237.89, PHASE 1 COMPLETED
AAA retrieved default group policy (GroupPolicy_194.4.237.89) for user = 194.4.237.89
Group = 194.4.237.89, IP = 194.4.237.89, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Built outbound UDP connection 166426822 for wan:194.4.237.89/500 (194.4.237.89/500) to identity:41.207.42.170/500 (41.207.42.170/500)
IP = 194.4.237.89, IKE Initiator: New Phase 1, Intf vlan200, IKE Peer 194.4.237.89  local Proxy Address 113.133.132.9, remote Proxy Address 172.31.50.20,  Crypto map (VPN_MAP)

 

Is there someone who can help me with how to proceed to avoid this issue?

 

Thanks,

 

1 REPLY
VIP Purple

First compare your crypto ACLs on both devices. Are they mirrored? And remember that a crypto-ACL of "permit any to any" is nearly always the wrong choice.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
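
The mirror check suggested in the reply, as an added example that is not part of the original thread: it parses `access-list ... extended permit ip` lines from both peers and lists entries that have no source/destination-swapped twin on the other side, plus any any-to-any entries. The ACL name `VPN_ACL`, the 10.x subnets and both sample configurations are constructed for illustration; object-groups and port-specific entries are not handled.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not from the thread). The host pair reuses
# the local/remote proxy addresses shown in the posted log; VPN_ACL is hypothetical.
SITE_A = """\
access-list VPN_ACL extended permit ip host 113.133.132.9 host 172.31.50.20
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
"""
SITE_B = """\
access-list VPN_ACL extended permit ip host 172.31.50.20 host 113.133.132.9
access-list VPN_ACL extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list VPN_ACL extended permit ip any any
"""

def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK) from tokens."""
    first = tokens.pop(0)
    if first in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_crypto_acl(config):
    """Return the set of (source, destination) networks for 'permit ip' entries."""
    entries = set()
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+\S+\s+extended\s+permit\s+ip\s+(.*)", line)
        if m:
            tokens = m.group(1).split()
            entries.add((_take_addr(tokens), _take_addr(tokens)))
    return entries

def compare_crypto_acls(local_cfg, remote_cfg):
    """Report entries lacking a swapped twin on the peer, and any-to-any entries."""
    local, remote = parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg)
    any_net = ipaddress.ip_network("0.0.0.0/0")
    return {
        # Each list holds entries in the owning device's own orientation.
        "local_only": sorted(e for e in local if (e[1], e[0]) not in remote),
        "remote_only": sorted(e for e in remote if (e[1], e[0]) not in local),
        "any_to_any": [name for name, acl in (("local", local), ("remote", remote))
                       if (any_net, any_net) in acl],
    }
```

In the constructed sample, the subnet entry is not mirrored because the two sides use different masks for 10.2.0.0, so it shows up in both `local_only` and `remote_only`.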