https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954658#M925230 did you debug and check...???<BR />go to FTD cli and enter system support diagnostic-cli, then debug cryptomap and check y this is failing. Thu, 07 Nov 2019 10:45:11 GMT Abheesh Kumar 2019-11-07T10:45:11Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954600#M925224 <P>Hello everyone</P><P>&nbsp;</P><P>I have been working with Cisco ASA's for several years. Im very used to the &lt;crypto maps&gt; setup for IKE1 and IKE2 tunnels on the old ASA code. Now Im working with a 2130 with version 6.5 againt ASA's with 8.4 code.</P><P>&nbsp;</P><P>My problem now is that I have a lot of (cisco asa ipsec removing peer from correlator table failed no match) and Lost Service error messages. This is usually from wrong definition of subnets on each side.</P><P>&nbsp;</P><P>When setting up the ASA's I use the old method like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5505-ipsec-error.JPG" style="width: 501px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/48795iE4E06C9A19EEBA71/image-size/large?v=v2&amp;px=999" role="button" title="5505-ipsec-error.JPG" alt="5505-ipsec-error.JPG" /></span></P><P>On the 2130 it goes like this for site A and B:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2130-ipsec-error1.JPG" style="width: 349px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/48798i4FF4FB8C8687BCB1/image-size/large?v=v2&amp;px=999" role="button" title="2130-ipsec-error1.JPG" alt="2130-ipsec-error1.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2130-ipsec-error2.JPG" style="width: 331px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/48799iAF3DF8BC2F59E673/image-size/large?v=v2&amp;px=999" role="button" title="2130-ipsec-error2.JPG" alt="2130-ipsec-error2.JPG" /></span></P><P>&nbsp;</P><P>To me it seems like the definitons is somewhat wrong when using this method on the 2130. You match everything against eachother. Not subnet to subnet like the old ASA code.</P><P>&nbsp;</P><P>Can anyone help med understand what is wrong ?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 17:40:24 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954600#M925224 Jon Are Endrerud 2020-02-21T17:40:24Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954634#M925226 <P>Hi Jon,</P><P>Its simple, you need to add your subnet as NODE A and choose your firewall as device &amp; the other end subnet as NODE B and choose EXTRANET and specify the pubic IP of other end</P><P>&nbsp;</P><P>Lets take example:</P><P>Your Organisation subnet : 192.168.10.0/24, 192.168.20.0//24</P><P>create a object group with these two subnets and add this to NODE A</P><P>&nbsp;</P><P>Other End Subnet: 10.10.10.0/24, 10.10.20.0/24</P><P>reate a object group with these two subnets and add this to NODE B</P><P>&nbsp;</P><P>Then create the IKEv1 or IKEv2 polices and apply, Then create a identity nat rule for the above subnet and allow that traffic in ACP.</P><P>&nbsp;</P><P>Hope This Helps</P><P>Abheesh</P> Thu, 07 Nov 2019 09:41:21 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954634#M925226 Abheesh Kumar 2019-11-07T09:41:21Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954639#M925227 <P>If you look at the original post, you can se that this has been done. My problem is errors and that the tunnel in some cases only can be brought up from one side.&nbsp;</P><P>&nbsp;</P><P>If you have a lot of subnets thrown togheter on the 2130 and you have a strict crypto map on the other side, my assumption is that problems like this can arise. Im looking into using an extended access list now. Testing with a 5506X in my office.</P><P>&nbsp;</P><P>I would be gratefull if anyone can confirm my assumption.</P> Thu, 07 Nov 2019 09:49:59 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954639#M925227 Jon Are Endrerud 2019-11-07T09:49:59Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954642#M925228 I have done this with subnets without any issues, Did you allow that in ACP. Thu, 07 Nov 2019 10:01:31 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954642#M925228 Abheesh Kumar 2019-11-07T10:01:31Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954652#M925229 <P>Yes, NAT and ACL are all in order.</P> Thu, 07 Nov 2019 10:34:25 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954652#M925229 Jon Are Endrerud 2019-11-07T10:34:25Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954658#M925230 did you debug and check...???<BR />go to FTD cli and enter system support diagnostic-cli, then debug cryptomap and check y this is failing. Thu, 07 Nov 2019 10:45:11 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954658#M925230 Abheesh Kumar 2019-11-07T10:45:11Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954673#M925231 <P>Seems like there are larger problems with my 2130.&nbsp;</P><P>&nbsp;</P><P>Ipsecs with only one subnet to other fw like checkpoint are also failing. They suddenly stalls and I have to run "clear crypto ipsec sa peer "xxxx"" to get it working again.</P> Thu, 07 Nov 2019 11:10:43 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954673#M925231 Jon Are Endrerud 2019-11-07T11:10:43Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954683#M925232 <P>Please check hit count in by entering show access list command&nbsp;</P><P>&nbsp;</P><P>You will get access list information from show running configuration | in cypto&nbsp;</P><P>&nbsp;</P><P>Check what access list showing in this vpn and check that access list by show access list ( acl name) and you will see hit count if there is no hitcount please re add it .</P><P>2. Second option is to create extended ACL and set source destination subnet sentence as per your requirement&nbsp;</P><P>&nbsp;</P><P>it is compulsory that all subnet added here which should be entered in peer end device also with same CIDR&nbsp;</P><P>&nbsp;</P><P>Please check and let us know .</P><P>&nbsp;</P><P>Regards,</P><P>Harmesh Yadav</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 07 Nov 2019 11:31:19 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954683#M925232 harmesh88 2019-11-07T11:31:19Z https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954728#M925233 <P>Thanks for answers. I have now opened a TAC case since these errors seems to be beyond misconfiguration.&nbsp;</P><P>&nbsp;</P><P>ACL, NAT, cryptos and encryption (pfs) have been checked out.</P><P>&nbsp;</P><P>When trying to get the SA up from remote site, it comes up with "drop" on VPN (removing peer from correlator table failed, no match!) when doing the same from the 2130, the tunnel comes up with now errors on the remote site log.</P><P>&nbsp;</P><P>All traffic passes as expected when the SA's are up. But when "idle timeout" or "Lost Service" show up, the problems restarting the SA's continues.</P> Thu, 07 Nov 2019 13:09:16 GMT https://community.cisco.com/t5/network-security/cisco-2130-s2s-ipsec-trouble/m-p/3954728#M925233 Jon Are Endrerud 2019-11-07T13:09:16Z