05-07-2009 07:38 AM - edited 02-21-2020 03:26 AM
One of our ASAs went down for an unknown reason and needed to be rebooted. After coming back up, our site-to-site VPN no longer works. I've tried to refresh it with a no/crypto map to no avail. Here are the syslog errors being reported by the one that went down:
3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, Removing peer from correlator table failed, no match!
3|May 07 2009 09:30:35|713902: Group = A.B.C.D, IP = A.B.C.D, QM FSM error (P2 struct &0x2e6acd8, mess id 0xc77a9d35)!
3|May 07 2009 09:30:35|713061: Group = A.B.C.D, IP = A.B.C.D, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy X.Y.Z.0/255.255.255.0/0/0 on interface outside
3|May 07 2009 09:30:35|713119: Group = A.B.C.D, IP = A.B.C.D, PHASE 1 COMPLETED
4|May 07 2009 09:30:35|713903: Group = A.B.C.D, IP = A.B.C.D, Freeing previously allocated memory for authorization-dn-attributes
The remote proxy 0.0.0.0 seems like the sore thumb, but I'm at a loss, and Google seems to be too.
Thanks in advance.
05-07-2009 10:51 AM
Here's a great VPN troubleshooting doc.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
It's failing on IPSec, so make sure your ACLs and your IPSec policies match.
Hope that helps.
05-07-2009 11:06 AM
Thanks for the reply.
Apparently the ACL got corrupted with the outage this morning. Rebuilding the crypto map on both ends solved the problem.
I'll keep that guide in my back pocket for next time though.
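Added example, not part of the thread or of any Cisco tooling: a small Python check that pulls the proxy identities out of 713061 rejections like the one quoted above and reports which side of the proposal is missing from the local crypto ACL. The addresses, `SAMPLE_LOG`, `SAMPLE_ACL` and the function names are constructed for illustration, and the comparison assumes exact network equality.

```python
import ipaddress
import re

# Matches ASA syslog 713061 as quoted in the thread; proxies are addr/mask/proto/port.
MSG_713061 = re.compile(
    r"713061: Group = (?P<group>\S+), IP = (?P<peer>\S+), Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy (?P<remote>\S+) "
    r"local proxy (?P<local>\S+) on interface (?P<ifc>\S+)"
)

def parse_proxy(text):
    """Turn 'addr/mask/proto/port' into (network, proto, port)."""
    addr, mask, proto, port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}"), int(proto), int(port)

def audit_rejections(log_lines, crypto_acl):
    """Report, per 713061 line, which proposed proxy has no match in crypto_acl."""
    acl = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in crypto_acl]
    findings = []
    for line in log_lines:
        m = MSG_713061.search(line)
        if not m:
            continue  # not a proxy-identity rejection
        remote = parse_proxy(m["remote"])[0]
        local = parse_proxy(m["local"])[0]
        findings.append({
            "peer": m["peer"],
            "interface": m["ifc"],
            "remote_proxy": str(remote),
            "local_proxy": str(local),
            "local_in_acl": any(local == loc for loc, _ in acl),
            "remote_in_acl": any(remote == rem for _, rem in acl),
            "pair_in_acl": (local, remote) in acl,
        })
    return findings

# Constructed sample: same shape as the thread's log, with documentation addresses.
SAMPLE_LOG = [
    "3|May 07 2009 09:30:35|713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED",
    "3|May 07 2009 09:30:35|713061: Group = 203.0.113.10, IP = 203.0.113.10, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "0.0.0.0/0.0.0.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface outside",
]
# Constructed ACL: (local, remote) pairs the local crypto map is assumed to permit.
SAMPLE_ACL = [("10.1.1.0/24", "10.2.2.0/24")]

if __name__ == "__main__":
    for finding in audit_rejections(SAMPLE_LOG, SAMPLE_ACL):
        print(finding)
```

On the sample, the local proxy is found in the ACL but the remote proxy `0.0.0.0/0` is not, which is the pattern to look for when the two ends' crypto ACLs have drifted apart.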