09-27-2013 06:04 PM
Trying to build L2L VPN with AWS VPC. Run into problem at the Phase-2.
local3.notice %ASA-5-713119: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 1 COMPLETED
local3.err %ASA-3-713061: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Outside-IF
local3.err %ASA-3-713902: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0x76073780, mess id 0xe4fcc2a0)!
local3.err %ASA-3-713902: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!
local3.notice %ASA-5-713259: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Session is being torn down. Reason: crypto map policy not found
local3.warn %ASA-4-113019: Group = xx.xx.xx.xx, Username = xx.xx.xx.xx, IP = xx.xx.xx.xx, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
I checked my config against the "AWS ASA template", and I can't figure out why it isn't working.
Of course, when I try to get help from AWS support, they keep saying that it is my ASA configuration problem causing that.
They suggest adding the following to my ASA config, but I am not convinced that those are my trouble.
crypto ipsec df-bit clear-df outside_interface
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption Outside-IF
sysopt connection tcpmss 1387
Any suggestions? BTW, I am running ASA version 8.4.6.
09-27-2013 06:45 PM
Check if the encryption algorithm matches on the phase 2
09-27-2013 08:09 PM
Match your crypto access-list entries on both the devices as well.
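A small checker for the second suggestion, added here as an example and not part of anyone's post or of Cisco's or AWS's own tooling. It parses the %ASA-3-713061 line quoted in the question, pulls out the remote and local proxy identities the peer proposed (addr/mask/proto/port), flags when the peer is offering 0.0.0.0/0 on both sides, and compares the pair against a hypothetical ASA crypto ACL. The log lines and the ACL entry in the block are constructed; the peer addresses are documentation placeholders.

```python
import ipaddress
import re

# Constructed sample syslog lines modelled on the ones in the question.
# Peer addresses are placeholders, not real endpoints.
SAMPLE_LOGS = """\
local3.notice %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
local3.err %ASA-3-713061: Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Outside-IF
local3.notice %ASA-5-713259: Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: crypto map policy not found
"""

# Hypothetical crypto ACL on the ASA, expressed as (local network, remote network)
# pairs, i.e. what "permit ip <local> <remote>" lines in the crypto map ACL would cover.
CRYPTO_ACL = [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("172.31.0.0/16")),
]

# Matches the 713061 message and captures the proxy identities the peer proposed.
PROXY_RE = re.compile(
    r"%ASA-3-713061: Group = (?P<peer>\S+), IP = \S+, Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy (?P<remote>\S+) "
    r"local proxy (?P<local>\S+)"
)


def parse_proxy(field):
    """Turn an ASA proxy identity 'addr/mask/proto/port' into (network, proto, port)."""
    addr, mask, proto, port = field.split("/")
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return net, int(proto), int(port)


def find_proxy_mismatches(log_text, crypto_acl):
    """Return one finding per 713061 line: what the peer proposed and whether the ACL covers it."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        remote_net, _, _ = parse_proxy(m.group("remote"))
        local_net, _, _ = parse_proxy(m.group("local"))
        # A /0 on both sides means the peer wants a single any-to-any Phase 2 SA;
        # a crypto ACL listing specific subnets will never match that proposal.
        any_any = remote_net.prefixlen == 0 and local_net.prefixlen == 0
        in_acl = any(local_net == l and remote_net == r for l, r in crypto_acl)
        findings.append({
            "peer": m.group("peer"),
            "remote_proxy": str(remote_net),
            "local_proxy": str(local_net),
            "peer_proposes_any_any": any_any,
            "in_crypto_acl": in_acl,
        })
    return findings


if __name__ == "__main__":
    for f in find_proxy_mismatches(SAMPLE_LOGS, CRYPTO_ACL):
        print(f)
```

Run it against the output of `show logging` (or the syslog feed) after a failed tunnel attempt; a finding with `peer_proposes_any_any` true and `in_crypto_acl` false tells you the two ends disagree on the traffic selectors before you start chasing transform sets.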