07-13-2009 07:12 AM - edited 03-11-2019 08:54 AM
Hi All
I have a ASA 5510, I have configure 2 VPN, router 850-ASA is OK, but I can't establish the other VPN ASA-Astaro, the error is:
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
My configuration for VPN is:
ACL:
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
VPN:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 set security-association lifetime seconds 86400
crypto map Internet_map 20 set security-association lifetime kilobytes 4608000
crypto map Internet_map 20 set nat-t-disable
crypto map Internet_map 40 match address Internet_cryptomap_40
crypto map Internet_map 40 set peer 165.98.233.180
crypto map Internet_map 40 set transform-set ESP-3DES-MD5
crypto map Internet_map 40 set security-association lifetime seconds 86400
crypto map Internet_map 40 set security-association lifetime kilobytes 4608000
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
crypto map Internet_map 60 set security-association lifetime kilobytes 4608000
crypto map Internet_map interface Internet
isakmp identity address
isakmp enable Internet
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 186.1.10.74 ipsec-attributes
pre-shared-key *
tunnel-group 165.98.233.180 type ipsec-l2l
tunnel-group 165.98.233.180 ipsec-attributes
pre-shared-key *
tunnel-group 200.50.2.114 type ipsec-l2l
tunnel-group 200.50.2.114 ipsec-attributes
pre-shared-key *
Thanks in Advanced
Regards
07-17-2009 01:47 PM
Removing peer from correlator table failed, no match!
This typically means one of a few things including, incorrect peer address configured in the L2L setup page, mis-matched local and remote newtork definitions, Agressive Mode vs. Main Mode misconfig, and IKE Proposal parameters not matching up on both ends.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide