
Constant error messages in ASA 5510

Michael Bradt
Level 1

I am constantly getting a few errors in my ASA 5510 and 5505 from the same IP, the IP of my NMS server, which has also stopped receiving SNMP data from these two VPNs.

Syslog ID: 713048 Error process payload: Payload ID: 1

Syslog ID: 713902 Removing peer from peer table failed. No Match.

Syslog ID: 713903 Error: Unable to remove PeertblEntry

I have tried to configure an ACL to let traffic through, SNMP traffic to be more precise, but since I am fairly new to Cisco firewalls and SNMP in general this has proven very difficult.

Please advise
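The three syslog IDs quoted above are all emitted per IKE peer, so the quickest way to confirm that the noise really comes from one address (as the poster suspects) is to parse the log and count failures per peer. The following is an added triage script, not something from the thread or from Cisco; the log lines it runs over are constructed to match the general ASA "%ASA-severity-msgid:" header and "IP = a.b.c.d" field, and the addresses are documentation-range placeholders.

```python
import re
from collections import Counter, defaultdict

# The IKE peer-table failure messages discussed in the thread.
IKE_FAILURE_IDS = {"713048", "713902", "713903"}

# ASA syslog header: "%ASA-<severity>-<msgid>: <body>".
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")
# IKE messages carry the remote peer as "IP = a.b.c.d".
PEER_RE = re.compile(r"\bIP\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log (not real data): one peer produces all three
# IDs repeatedly, a second peer produces a single message, and an
# unrelated connection-build message is mixed in.
SAMPLE_LOG = """\
%ASA-3-713048: Group = 203.0.113.10, IP = 203.0.113.10, Error processing payload: Payload ID: 1
%ASA-3-713902: Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from peer table failed, no match!
%ASA-3-713903: Group = 203.0.113.10, IP = 203.0.113.10, Error: Unable to remove PeerTblEntry
%ASA-6-302015: Built inbound UDP connection 12345 for outside:198.51.100.5/161 to inside:10.0.0.5/40000
%ASA-3-713048: Group = 198.51.100.7, IP = 198.51.100.7, Error processing payload: Payload ID: 1
"""


def parse_line(line):
    """Return (msgid, peer_ip_or_None, body) for an ASA syslog line, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    peer = PEER_RE.search(m.group("body"))
    return m.group("msgid"), (peer.group("ip") if peer else None), m.group("body")


def triage(lines, threshold=3):
    """Count IKE failure messages per peer.

    Returns {peer_ip: {msgid: count}} for every peer whose total number of
    failure messages reaches `threshold`; peers below it are dropped so a
    single transient retry does not get flagged.
    """
    per_peer = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msgid, peer, _ = parsed
        if msgid in IKE_FAILURE_IDS and peer:
            per_peer[peer][msgid] += 1
    return {p: dict(c) for p, c in per_peer.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for peer, breakdown in triage(SAMPLE_LOG.splitlines()).items():
        print(f"peer {peer}: {breakdown}")
```

Feed it the output of `show logging` (or the syslog collector's file) and the peers that come out are the tunnel endpoints whose phase 1/phase 2 negotiation is failing; that narrows the configuration comparison the later replies ask for to one crypto map entry per flagged peer.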

8 Replies

stephen.stack
Level 4

Hi

It would look like a general VPN failure for one of the VPN tunnels terminated on the ASA. You would have to send some configuration from both sides for troubleshooting. Please sanitize your configurations before you post them, i.e. no passwords, real IPs, etc.

Just send the VPN portion of the configurations.

Regards

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

Wrong section too by the way. Best moved over to the security section.

Regards

I highlighted where the NMS/main server ip was mentioned. Hope that helps.

Please let me know if you need anything else.

Also, I get those three mentioned errors on the 5510, and on the 5505 I only get the first error, Error process payload. The NMS is behind the 5505.

ASA 5510

access-list Outside_access_in extended permit udp any any
access-list Outside_access_in extended permit udp host ASA 5510 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_UDP_4
access-list Outside_access_in extended permit icmp host SBS2008Server\NMS any
access-list outside_1980_cryptomap extended permit ip ASA5505subnet 255.255.255.0 ASA5510Subnet 255.255.255.0
access-list outside_50_cryptomap extended permit ip ASA5505subnet 255.255.255.0 ASA5510subnet 255.255.255.0
access-list snmp extended permit udp any eq snmptrap any
access-list snmp extended permit udp any any eq snmp
access-list snmp extended permit udp host SBS2008Server\NMS any eq snmp
access-list snmp extended permit udp host ASA5505 any eq snmp
access-list outside_2450_cryptomap extended permit ip ASA5505subnet 255.255.255.0 ASA5510subnet 255.255.255.0
crypto map INSIDE_map 2 match address INSIDE_cryptomap
crypto map INSIDE_map 2 set peer SBS2008Server\NMS
crypto map INSIDE_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INSIDE_map 2 set security-association lifetime seconds 28800
crypto map INSIDE_map 2 set security-association lifetime kilobytes 4608000


5505

access-list Colo-CMAP-20 extended permit ip ASA5510subnet 255.255.255.0 5505subnet 255.255.255.0
access-list Colo-CMAP-20 extended permit ip 5505subnet 255.255.255.0 5510subnet 255.255.255.0
access-list nonat extended permit ip ASA5510subnet 255.255.255.0 5505subnet 255.255.255.0
access-list Inbound extended permit udp 5510subnet 255.255.255.0 5505subnet 255.255.255.0 object-group DM_INLINE_UDP_1
access-list SplitTunnel extended permit ip 5505subnet 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list NBABranch_splitTunnelAcl standard permit 5505subnet 255.255.255.0
access-list SNMP extended permit udp host SBS2008Server/NMS any object-group DM_INLINE_UDP_3

nat (inside,any) source static obj-5505subnet obj-5505subnet destination static obj-5510subnet obj-5510subnet

Sorry about that. I wasn't sure what you actually needed. Please let me know if there is anything else you need.

Thank you for your time.

Thanks, that's a lot of config info there, and probably more than what's needed. Why don't you edit and remove all of this configuration, then update this thread with the actual ACLs for the affected VPN. I am guessing this might be an ACL issue at this time.

Regards

Stephen

Edited the post for you.

Hi,

Nearly but not quite there. On the 5510, for the Crypto map line "crypto map INSIDE_map 2 match address INSIDE_cryptomap"

I do not see the access list INSIDE_cryptomap

Also, I will need to see the same/similar configuration lines on the 5505.

Regards

access-list INSIDE_cryptomap extended permit ip NBACORP 255.255.255.0 NBACORP 255.255.255.0

This is the only ACL for the INSIDE_cryptomap that I could find. NBACorp is the 5510 subnet. This ACL is set on the 5510. There isn't one set, that I could see, on the 5505.

You're focusing on the 5505 and 5510. The problem in the original post is between the 5510 (one end of a VPN tunnel) and the peer at the other end (SBS2008Server/NMS).

Apparently you have a VPN between them and the cryptomaps do not match thus every time the SBS2008Server/NMS peer tries to establish an IPsec security association with the ASA it fails. That's the most common cause of the error message 713902. The others are related to that root cause.

It can be a bit tricky to troubleshoot remotely. As noted above, one needs to compare the configurations of both ends of the VPN. You can troubleshoot from one end (the 5510) using debug but it can be pretty verbose, especially for someone unfamiliar with VPNs (even for those who are very familiar!). If you want to give it a shot, the commands:

debug crypto condition peer

debug crypto isakmp sa 7

debug crypto ipsec 7

...will create log entries that tell you what's going on. When you've collected some, "undebug all" will turn off that logging.
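The root cause named in this reply, crypto ACLs that are not mirror images of each other on the two ends, can be checked mechanically before reaching for debug. The script below is an added example, not code from the thread or from Cisco: it pulls the `permit ip <net> <mask> <net> <mask>` entries of a named ACL out of each side's running config, then reports entries on either side that have no mirrored (destination, source) counterpart on the other side, and entries whose source and destination are the same subnet (like the INSIDE_cryptomap line quoted earlier, which cannot select traffic bound for a remote site). The two config snippets and the ACL names CMAP_5510 / CMAP_5505 are constructed, with documentation-range placeholder addresses.

```python
import ipaddress
import re

# Only the "extended permit ip <net> <mask> <net> <mask>" form of an ASA
# access-list line is parsed; host/any/object forms are ignored.
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    rf"(?P<src>{IP4})\s+(?P<smask>{IP4})\s+(?P<dst>{IP4})\s+(?P<dmask>{IP4})\s*$"
)

# Constructed configs (placeholder subnets, not the poster's addresses).
# 5510 side: local 10.10.0.0/24, remote 10.20.0.0/24, plus one degenerate line.
ASA5510_CFG = """\
access-list CMAP_5510 extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list CMAP_5510 extended permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list Outside_access_in extended permit udp any any
"""
# 5505 side: the correct mirror, plus an extra network the 5510 knows nothing about.
ASA5505_CFG = """\
access-list CMAP_5505 extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list CMAP_5505 extended permit ip 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
"""


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_network, dst_network) pairs in the named ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            # ipaddress accepts dotted netmask notation for IPv4.
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
            pairs.add((src, dst))
    return pairs


def _fmt(pairs):
    return sorted(f"{s}->{d}" for s, d in pairs)


def check_tunnel(local_cfg, local_acl, remote_cfg, remote_acl):
    """Compare the crypto ACLs of both tunnel ends.

    An IPsec proxy identity negotiated by one side must appear reversed on
    the other; anything left over here is a candidate cause of the
    "no match" / peer-table failures in the thread.
    """
    local = parse_crypto_acl(local_cfg, local_acl)
    remote = parse_crypto_acl(remote_cfg, remote_acl)
    mirrored_remote = {(d, s) for s, d in remote}
    mirrored_local = {(d, s) for s, d in local}
    return {
        "local_unmirrored": _fmt(local - mirrored_remote),
        "remote_unmirrored": _fmt(remote - mirrored_local),
        "degenerate": _fmt({(s, d) for s, d in local | remote if s == d}),
    }


if __name__ == "__main__":
    report = check_tunnel(ASA5510_CFG, "CMAP_5510", ASA5505_CFG, "CMAP_5505")
    for key, entries in report.items():
        print(f"{key}: {entries or 'none'}")
```

Run it against `show running-config access-list` output from each device, naming the ACL referenced by each side's `crypto map ... match address` line; an empty report means the proxy identities agree and the remaining suspects are the transform sets, IKE policy or pre-shared key, which the debug commands above will expose.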