06-06-2011 12:26 PM - edited 03-04-2019 12:37 PM
OK, I finally got the VPN tunnel between 2 ASA 5505s up and running, but I have some error codes on the initiator side that I cannot figure out.
Here is what I get on errors:
5 | Jun 06 2011 | 15:17:59 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2 |
3 | Jun 06 2011 | 15:17:59 | 713048 | IP = XXX.XXX.199.210, Error processing payload: Payload ID: 1 |
3 | Jun 06 2011 | 15:17:59 | 713902 | IP = XXX.XXx.199.210, Removing peer from peer table failed, no match! |
4 | Jun 06 2011 | 15:17:59 | 713903 | IP = XXX.XXXX.199.210, Error: Unable to remove PeerTblEntry |
I have looked at the Crypto transforms on both sides, and they match just fine as far as the DH ID code, Group Number and the encryption. The remote side, however, does not have any of these errors.
Is this something that I have skipped over, or missed that I should be looking for?
The IP address that is listed above is not in my static addresses; not sure where those are coming from. I believe that they are outside public IPs.
Thanks - Jon
06-06-2011 12:37 PM
Hi,
The error indicates that the IKE proposal is mismatched (Phase I). It seems that XXX.XXXX.199.210 was trying to connect to your device.
HTH,
Toshi
06-09-2011 10:36 AM
Not sure what this IP is pointing to. I only have 1 IP address in that range and it is pointed to the outside interface of the ASA. I continually get errors on this IP. Is there a way that I can block it from attempting to connect?
-Jon
06-09-2011 12:17 PM
Hi,
You can use an ACL to deny this IP address coming in on the WAN interface and permit anything else.
HTH,
Toshi
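Added example (not from any poster in this thread): a Python script that pairs each 713257 Phase 1 mismatch with the peer address logged in the same second, so the received and configured DH groups can be tallied per source and checked against the peers you actually configured. It assumes the pipe-separated log layout quoted in the first post and that same-second lines belong to the same negotiation; the sample lines, the documentation addresses 192.0.2.10 and 198.51.100.7, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the pipe-separated layout quoted in the first post
# (severity | date | time | message ID | text). 192.0.2.10 and 198.51.100.7
# are documentation addresses standing in for the masked and configured peers.
SAMPLE_LOG = """\
5 | Jun 06 2011 | 15:17:59 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2 |
3 | Jun 06 2011 | 15:17:59 | 713048 | IP = 192.0.2.10, Error processing payload: Payload ID: 1 |
3 | Jun 06 2011 | 15:17:59 | 713902 | IP = 192.0.2.10, Removing peer from peer table failed, no match! |
4 | Jun 06 2011 | 15:17:59 | 713903 | IP = 192.0.2.10, Error: Unable to remove PeerTblEntry |
5 | Jun 06 2011 | 15:21:04 | 713257 | Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2 |
3 | Jun 06 2011 | 15:21:04 | 713048 | IP = 192.0.2.10, Error processing payload: Payload ID: 1 |
"""

MISMATCH = re.compile(r"class (.+?): Rcv'd: (.+?) Cfg'd: (.+)$")
PEER = re.compile(r"IP = ([0-9.]+),")

def parse(log):
    """Yield (timestamp, message ID, text) for each well-formed log line."""
    for line in log.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 5 and fields[3].isdigit():
            yield fields[1] + " " + fields[2], fields[3], fields[4]

def phase1_mismatches(log, known_peers=()):
    """Attribute each 713257 mismatch to the peer logged in the same second."""
    pending = {}  # timestamp -> (attribute class, received, configured)
    report = defaultdict(lambda: {"count": 0, "details": set(), "known": False})
    for stamp, msg_id, text in parse(log):
        if msg_id == "713257":
            m = MISMATCH.search(text)
            if m:
                pending[stamp] = m.groups()
        elif stamp in pending:
            p = PEER.search(text)
            if p:
                entry = report[p.group(1)]
                entry["count"] += 1
                entry["details"].add(pending.pop(stamp))
                entry["known"] = p.group(1) in known_peers
    return dict(report)

if __name__ == "__main__":
    for ip, e in phase1_mismatches(SAMPLE_LOG, known_peers={"198.51.100.7"}).items():
        tag = "configured peer" if e["known"] else "NOT a configured peer"
        print(ip, tag, e["count"], sorted(e["details"]))
```

A source that repeatedly offers a different DH group and is not in `known_peers` is an unsolicited IKE initiator rather than a misconfigured tunnel endpoint, which is the distinction the thread turns on.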