04-16-2023 10:47 AM
hi
this issue on VPN initiated between cisco asa and cisco rv 320 router
the vpn tunnel is estableshed but this IKEV1 error appear in debud
Apr 12 21:05:43 [IKEv1]Group = DefaultL2LGroup, IP = 177.8.169.134, Session is being torn down. Reason: crypto map policy not found
Apr 12 21:06:15 [IKEv1]Group = DefaultL2LGroup, IP = 177.8.169.134, QM FSM error (P2 struct &0xaef71010, mess id 0xd07a6c4f)!
Apr 12 21:06:15 [IKEv1]Group = DefaultL2LGroup, IP = 177.8.169.134, Removing peer from correlator table failed, no match!
04-16-2023 11:10 AM
Hi
How the output of 'show run crypto map"
Looks like?
04-17-2023 02:37 PM
Hello Flavio iam the main owner of the case and this is the crypto map output:
FWGT-INASA1# show run crypto map
crypto map outside_map 1 match address Outside_Primary_cryptomap
crypto map outside_map 1 set peer 200.205.184.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address Outside_Primary_cryptomap_2
crypto map outside_map 3 set peer 200.205.184.66
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn-test 10 match address vpn-test
crypto map vpn-test 10 set peer 200.205.184.66
crypto map vpn-test 11 match address VPN_ACL
crypto map vpn-test 11 set peer 200.205.184.66
crypto map vpn-test 11 set ikev1 transform-set test-set
crypto map rvasa 1 match address vpn
crypto map rvasa 1 set peer 200.205.184.6 200.205.184.66
crypto map rvasa 1 set ikev1 transform-set asarv
crypto map rvasa interface Outside_Primary
crypto map asarv 1 match address vpn
crypto map asarv 1 set peer 200.205.184.66
crypto map asarv 1 set ikev1 transform-set asarv
FWGT-INASA1#
04-16-2023 12:46 PM
there is static and dynamic Crypto map in ASA
I need to see config of ASA
04-18-2023 03:50 AM
FWGT-INASA1# show run crypto map
crypto map outside_map 1 match address Outside_Primary_cryptomap
crypto map outside_map 1 set peer 200.205.184.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address Outside_Primary_cryptomap_2
crypto map outside_map 3 set peer 200.205.184.66
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn-test 10 match address vpn-test
crypto map vpn-test 10 set peer 200.205.184.66
crypto map vpn-test 11 match address VPN_ACL
crypto map vpn-test 11 set peer 200.205.184.66
crypto map vpn-test 11 set ikev1 transform-set test-set
crypto map rvasa 1 match address vpn
crypto map rvasa 1 set peer 200.205.184.6 200.205.184.66
crypto map rvasa 1 set ikev1 transform-set asarv
crypto map rvasa interface Outside_Primary
crypto map asarv 1 match address vpn
crypto map asarv 1 set peer 200.205.184.66
crypto map asarv 1 set ikev1 transform-set asarv
there are many crpyto map in one FW!! are there multi OUT interface ???
04-18-2023 01:48 PM
for no now but some crypto maps can be related to to same tunnel that have the issue
04-18-2023 01:50 PM
You can not config multi crypto map under same interface' BUT you can config multi seq of same crypto map under same interface.
04-18-2023 01:52 PM
can you give further details
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide