https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158531#M960438 <HTML><HEAD></HEAD><BODY><P>Huw</P><P></P><P>DES instead of 3DES would certainly explain the error messages in your original post. If you are able to bring up the tunnel but not to route anything over it, my first suggestion would be to check the access list that identifies traffic for the VPN tunnel for possible omissions/mismatches.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 08 Jan 2009 18:10:41 GMT Richard Burts 2009-01-08T18:10:41Z https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158529#M960434 <P>Hi all.</P><P></P><P>One of our customers has an asa 5505. We have 4 remote sites working fine (the remote sites have 1841's with the security pack, and have all formed tunnels in OK)</P><P></P><P>We'ev visited our last site to be configured, set the router up exactly as the others, but we're now getting the below errors, taken from the head office ASA debug log.</P><P></P><P>The engineer assures me the shared key is correct. What else could be the issue?</P><P></P><P>5 Jan 08 2009 04:58:41 713904 IP = 81.179.5.13, Received encrypted packet with no matching SA, dropping</P><P>4 Jan 08 2009 04:58:41 113019 Group = 81.179.5.13, Username = 81.179.5.13, IP = 81.179.5.13, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch</P><P>3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, Removing peer from correlator table failed, no match!</P><P>3 Jan 08 2009 04:58:41 713902 Group = 81.179.5.13, IP = 81.179.5.13, QM FSM error (P2 struct &amp;0x3d584f8, mess id 0x40198ae4)!</P><P>5 Jan 08 2009 04:58:41 713904 Group = 81.179.5.13, IP = 81.179.5.13, All IPSec SA proposals found unacceptable!</P><P>3 Jan 08 2009 04:58:41 713119 Group = 81.179.5.13, IP = 81.179.5.13, PHASE 1 COMPLETED</P><P>6 Jan 08 2009 04:58:41 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 81.179.5.13</P><P>4 Jan 08 2009 04:58:41 713903 Group = 81.179.5.13, IP = 81.179.5.13, Freeing previously allocated memory for authorization-dn-attributes</P> Fri, 21 Feb 2020 11:12:14 GMT https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158529#M960434 davieshuw 2020-02-21T11:12:14Z https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158530#M960437 <HTML><HEAD></HEAD><BODY><P>Ok fixed this. The tunnel for this particular site had des configured on the ASA, we're actually using 3des. Rectified now the tunnels formed OK. Can't route anything over it mind.. but thats another story..</P></BODY></HTML> Thu, 08 Jan 2009 13:59:38 GMT https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158530#M960437 davieshuw 2009-01-08T13:59:38Z https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158531#M960438 <HTML><HEAD></HEAD><BODY><P>Huw</P><P></P><P>DES instead of 3DES would certainly explain the error messages in your original post. If you are able to bring up the tunnel but not to route anything over it, my first suggestion would be to check the access list that identifies traffic for the VPN tunnel for possible omissions/mismatches.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 08 Jan 2009 18:10:41 GMT https://community.cisco.com/t5/network-security/one-remote-site-can-t-vpn-in-getting-sa-errors-asa5505/m-p/1158531#M960438 Richard Burts 2009-01-08T18:10:41Z