Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12813
Views
0
Helpful
5
Replies

asa 5510 vpn not connecting

squidwardseabob93
Level 1
Level 1

‎07-26-2012 02:50 AM - edited ‎03-04-2019 05:04 PM

Hi,

I am getting the error "cypto map policy not found" when attempting to connect the VPN. My running config is below.

I am attempting to connect from a draytek 2820.

Please advise:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password H4jV5cejsN/7lxxb encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.15.0 Warehouse description Warehouse

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 195.171.223.67 255.255.240.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.32.233 255.255.255.0

!

interface Ethernet0/2

nameif inside2

security-level 50

ip address 192.168.33.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended deny ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0

access-list inside2_access_in extended permit ip any any

access-list inside_access_out extended permit ip any any

access-list inside2_access_out extended permit ip any any

access-list inside2_access_out extended permit ip interface inside2 interface inside

access-list inside2_access_out extended permit tcp any any

access-list inside_nat0_outbound extended permit ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0

access-list outside_access_in extended permit ip Warehouse 255.255.255.0 192.168.32.0 255.255.255.0

pager lines 24

logging enable

logging trap warnings

logging asdm informational

logging host inside 192.168.32.1

mtu outside 1500

mtu inside 1500

mtu inside2 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (inside2) 1 0.0.0.0 0.0.0.0

static (inside,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group inside2_access_in in interface inside2

access-group inside2_access_out out interface inside2

route outside 0.0.0.0 0.0.0.0 195.171.223.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.32.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set connection-type answer-only

crypto map outside_map 1 set peer 81.137.231.247

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp enable inside2

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.33.100-192.168.33.200 inside2

dhcpd dns 192.168.32.1 192.168.32.2 interface inside2

dhcpd option 3 ip 192.168.33.1 interface inside2

dhcpd enable inside2

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec

tunnel-group 81.137.231.247 type ipsec-l2l

tunnel-group 81.137.231.247 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:1ea6dbd4b54aad68c1215b9a359e71bc

: end

asdm location Warehouse 255.255.255.0 inside

no asdm history enable

Labels:
0 Helpful
5 Replies 5

squidwardseabob93
Level 1
Level 1

‎07-26-2012 03:41 AM

The exact errors i am getting are

Reason: crypto map policy not found

=81.137.231.247, IP = 81.137.231.247, Removing peer from correlator table failed, no match!

=81.137.231.247, IP = 81.137.231.247, QM FSF error (P2 struct &0xab3b3878, mess id 0xf571b0d0)!

matching crypto map entry for remote proxy 192.168.16.0/255.255.255.0/0/0 local proxy 192.168.32.0/255.255.255.0/0/0 interface outside

HELP!!

Thanks

Christian

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to squidwardseabob93

‎07-26-2012 03:57 AM

Unless I'm missing it, I see that your outside crypto map isn't permitting any traffic to bring the tunnel up:

access-list outside_1_cryptomap extended deny ip 192.168.32.0 255.255.255.0 Warehouse 255.255.255.0

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

squidwardseabob93
Level 1
Level 1
In response to John Blakley

‎07-26-2012 04:09 AM

Hi John,

thanks for your reply.

I  spotted that shortly after changed this line to permit however it still doesnt work

I also notice the error -81.137.231.247, received encrypted packet with no matching sa. dropping

This is directly after a phase 1 complete.

Thanks

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to squidwardseabob93

‎07-26-2012 04:20 AM

Does the other side suppport 3des-sha?

HTH, John *** Please rate all useful posts ***
0 Helpful

naresh.narang
Level 1
Level 1

‎07-26-2012 06:30 AM

Use debug crypto isakmp to see which one you are missing and then add that.

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card