TUNNEL ACTIVE BUT NO ACCESS (Removing peer from correlator table failed, no match)

Jesutofunmi O
Level 1

Hey Techies, 

I am trying to set up an L2L VPN between a Cisco IOS router and an ASA firewall. I can't seem to figure out what's wrong. The config is below.

Here is the error message:

Removing peer from correlator table failed, no match!

QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!

And config on both routers:

ASA CONFIG

object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3


PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400

crypto isakmp enable outside

tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx

object network Abuja
subnet 172.16.130.0 255.255.255.128


PHASE 2

Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128

crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside


nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

IOS

PHASE 1

ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)

crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x


PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255

crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel

crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
match address Abuja-to-VI

int vlan1
crypto map ABJ2ILPJ
ip nat outside

ROUTES AND NONATS

ip route 172.16.120.0 255.255.248.0 91.x.x.2

ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload

PLEASE HELP


8 Replies

Deepak Kumar
VIP Alumni

Please share the error message with details. 

Please run commands.

debug crypto isakmp 127

debug crypto ipsec 127

sho crypto isakmp sa

sho crypto ipsec sa

IPsec commands may vary with the IOS image version.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, IKE got SPI from key engine: SPI = 0x053d3fc8
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, oakley constucting quick mode
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing blank hash payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing IPSec SA payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing IPSec nonce payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing proxy ID
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Transmitting Proxy Id:
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
Jan 30 06:09:47 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator sending Initial Contact
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing qm hash payload
Jan 30 06:09:47 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator sending 1st QM pkt: msg id = 81002811
Jan 30 06:09:47 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=81002811) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 30 06:09:47 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:09:47 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=89880999) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing notify payload
Jan 30 06:09:47 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-5: Checking crypto map outside-map 2: skipping because 5-tuple does not match ACL ILUPEJU_LAN_TRAFFIC.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-5: Checking crypto map outside-map 2: skipping because 5-tuple does not match ACL ILUPEJU_LAN_TRAFFIC.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00A99000
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x2ff0ee1b)
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing blank hash payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing qm hash payload
Jan 30 06:09:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=db6df04b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 06:09:57 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:09:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=a67f61a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing notify payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2ff0ee1b)

Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing ke payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing ISA_KE payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing nonce payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received Cisco Unity client VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received DPD VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received xauth V6 VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing NAT-Discovery payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, computing NAT Discovery hash
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing NAT-Discovery payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, computing NAT Discovery hash
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Connection landed on tunnel_group 81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Generating keys for Initiator...
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing ID payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing hash payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Computing hash for ISAKMP
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing dpd vid payload
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 30 06:12:57 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + NONE (0) total length : 84
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing ID payload
Jan 30 06:12:57 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, ID_IPV4_ADDR ID received
81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Computing hash for ISAKMP
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Processing IOS keep alive payload: proposal=10/3 sec.
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Starting IOS keepalive monitor: 25 sec.
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Connection landed on tunnel_group 81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Oakley begin quick mode
Jan 30 06:12:57 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator starting QM: msg id = 898f61e8
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, PHASE 1 COMPLETED
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Keep-alive type for this connection: DPD
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Starting P1 rekey timer: 82080 seconds.
IPSEC: New embryonic SA created @ 0x00007fff2bc41560,

Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, QM FSM error (P2 struct &0x00007fff2bcd2d50, mess id 0xe73fa829)!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Removing peer from correlator table failed, no match!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Session is being torn down. Reason: Lost Service
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, QM FSM error (P2 struct &0x00007fff2bcd2d50, mess id 0x8233c2a)!
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Removing peer from correlator table failed, no match!
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Session is being torn down. Reason: Lost Service

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 91.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
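The debug above shows the pattern to look for: Phase 1 completes, the ASA transmits its proxy IDs, and quick mode then fails with "No proposal chosen" followed by "QM FSM error" and a teardown. The script below is an added example (not code from the thread or from Cisco) that triages pasted ASA IKEv1 debug output into those events and records the proxy IDs the ASA offered, so they can be compared with the peer's crypto ACL. The SAMPLE_LOG it parses is constructed from a few of the lines above, with the peer address left masked as 81.x.x.x.

```python
"""Triage helper for ASA IKEv1 debug output (added example, not from the thread).

Classifies each debug line into the phase-1 / phase-2 events that matter when a
tunnel shows MM_ACTIVE but passes no traffic, and records the proxy IDs the ASA
transmitted so they can be checked against the peer's crypto ACL.
"""
import re
from collections import Counter

# "Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, ..."; the optional
# leading "#" tolerates a stray prompt character in pasted output.
HDR_RE = re.compile(r"^#?\s*(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \[IKEv1(?: \w+)?\](.*)$")
PEER_RE = re.compile(r"\bIP = (\S+),")
LOCAL_RE = re.compile(r"Local subnet: (\S+) [Mm]ask (\S+)")
REMOTE_RE = re.compile(r"Remote subnet: (\S+) [Mm]ask (\S+)")
TEARDOWN_RE = re.compile(r"Session is being torn down\. Reason: (.+?)\s*$")


def verdict(s):
    """One-line reading of the counters, in the order a troubleshooter checks them."""
    if s["phase1_completed"] == 0:
        return "Phase 1 never completed: check IKE policy, pre-shared key and reachability"
    if s["no_proposal_chosen"] or s["qm_fsm_errors"]:
        return ("Phase 1 up, Phase 2 failing: compare crypto ACL / proxy IDs, "
                "transform-set and PFS on both peers")
    return "No IKEv1 negotiation failures seen"


def triage_ikev1_debug(text):
    """Return counts of key IKEv1 events, transmitted proxy IDs and a verdict."""
    s = {
        "phase1_completed": 0,
        "no_proposal_chosen": 0,   # peer rejected our phase-2 proposal
        "qm_fsm_errors": 0,        # quick-mode state machine gave up
        "correlator_failures": 0,
        "teardown_reasons": [],
        "proxy_ids": [],           # (local, remote) pairs the ASA offered
        "per_peer_failures": Counter(),
    }
    pending_local = None
    for raw in text.splitlines():
        m = HDR_RE.match(raw)
        if not m:
            # Proxy-ID details are continuation lines without a timestamp
            lm, rm = LOCAL_RE.search(raw), REMOTE_RE.search(raw)
            if lm:
                pending_local = f"{lm.group(1)}/{lm.group(2)}"
            elif rm and pending_local:
                s["proxy_ids"].append((pending_local, f"{rm.group(1)}/{rm.group(2)}"))
                pending_local = None
            continue
        msg = m.group(2)
        pm = PEER_RE.search(msg)
        peer = pm.group(1) if pm else "unknown"
        if "PHASE 1 COMPLETED" in msg:
            s["phase1_completed"] += 1
        elif "No proposal chosen" in msg:
            s["no_proposal_chosen"] += 1
            s["per_peer_failures"][peer] += 1
        elif "QM FSM error" in msg:
            s["qm_fsm_errors"] += 1
            s["per_peer_failures"][peer] += 1
        elif "correlator table failed" in msg:
            s["correlator_failures"] += 1
            s["per_peer_failures"][peer] += 1
        else:
            tm = TEARDOWN_RE.search(msg)
            if tm:
                s["teardown_reasons"].append(tm.group(1))
    s["verdict"] = verdict(s)
    return s


# Constructed sample in the format of the debug pasted above (peer masked as 81.x.x.x).
SAMPLE_LOG = """\
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Transmitting Proxy Id:
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
Jan 30 06:09:47 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=81002811) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 30 06:09:47 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, PHASE 1 COMPLETED
IPSEC: New embryonic SA created @ 0x00007fff2bc41560,
# Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, QM FSM error (P2 struct &0x00007fff2bcd2d50, mess id 0xe73fa829)!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Removing peer from correlator table failed, no match!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Session is being torn down. Reason: Lost Service
"""

if __name__ == "__main__":
    for key, value in triage_ikev1_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the raw text of `debug crypto isakmp 127`; the `proxy_ids` it extracts are exactly what the peer's crypto ACL has to mirror, and a rising `per_peer_failures` count for one peer is a cheap thing to alert on from syslog.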

Hi, 

There is some issue with Phase 2.

Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, PHASE 1 COMPLETED --> Phase 1 completed

IPSEC: New embryonic SA created @ 0x00007fff2bc41560, -----> Phase 2 (quick mode) begins.

Please check the Phase 2 settings, including the proxy IDs, IPsec policies, transform-set, etc.

For more, please attach the running configuration from both devices.

Regards,

Deepak Kumar


So I removed the former config and reconfigured it. Please see the config below:

ASA 5515x Version 9.2

crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400


crypto ipsec ikev1 transform-set ABUJASET esp-aes esp-sha-hmac


access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128


tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *******


crypto map outside-map 3 match address VI-Abuja
crypto map outside-map 3 set peer x.x.x.x
crypto map outside-map 3 set pfs group5
crypto map outside-map 3 set transform-set ABUJASET
crypto map outside-map 3 set reverse-route
crypto map outside-map interface outside

crypto isakmp enable outside
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

Cisco IOS router (2900 series, Version 15.2)

crypto isakmp policy 30
encryption aes
hash sha
authentication pre-share
group 2

crypto isakmp key ******** address X.X.X.X


ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255


crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel

crypto map ABJ2IPJ 3 ipsec-isakmp
set peer X.X.X.X
set transform-set LAGOSSET
match address Abuja-VI
set pfs group5

SEE BELOW SHOW COMMAND OUTPUT

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

1. Please find attached the complete configuration on both ASA and router 2900.

2. I configured a route map with an overload on the outside interface (vlan1) so that LAN traffic on the 2900 is not NAT'ed, but it stops the other VPN from working, so I removed it from the configuration.

FROM ASA

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

KINDLY ASSIST!!!

Hello Guys, 

So I somewhat sorted it out:

1. There is already an existing crypto map on the router before the one I configured. The new one I did had a misspelled crypto map name. It is ABJ2ILPJ, not ABJ2IPJ. So I corrected that.

2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-TO-LAN VPN, I did a route map.

access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any

ip nat inside source list 110 interface Vlan1 overload

route-map nonat permit 10
match ip address 110

The tunnel came up but I encountered another challenge. I may put that up on another post.

Thank you Deepak and everyone who assisted in some way. Deeply appreciate.

This forum is helpful.
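Two properties of this thread's configs can be checked mechanically: the router's crypto ACL must be the exact mirror of the ASA's (the wildcard on the router changed from 0.0.0.7 in the first post to 0.0.0.127 in the reconfigured one, while the ASA side was 255.255.255.128 throughout), and the router's NAT ACL must deny the VPN flows before the overload, which is what ACL 110 in the accepted solution does. The script below is an added example, not configuration or code from the thread: it converts the ASA subnet-mask ACLs and the IOS wildcard-mask ACLs into networks, reports IOS proxy IDs that have no exact mirror on the ASA, and reports VPN flows that the IOS NAT ACL would still translate. It understands only the `permit/deny ip SRC MASK DST MASK` form (plus `any` and `host`) used in the posted configs; the sample ACLs are copied from the original post and from the accepted solution.

```python
"""Check proxy-ID symmetry and NAT exemption for an IOS-to-ASA L2L tunnel.

Added example, not from the thread. Only the "permit/deny ip SRC MASK DST MASK"
subset of ACL syntax is parsed; the sample ACLs below are copied from the posts.
"""
import ipaddress


def _net(addr, mask, wildcard):
    """Network from an address plus a subnet mask (ASA) or, when wildcard=True,
    an IOS wildcard mask, which is the bitwise inverse of the subnet mask."""
    if wildcard:
        mask = ipaddress.ip_address((~int(ipaddress.ip_address(mask))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    head = tokens[0].lower()
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1], wildcard), tokens[2:]


def parse_acl(text, wildcard):
    """Return [(action, src_net, dst_net)] for each 'ip' ACE in the text.
    wildcard=True for IOS ACLs (wildcard masks), False for ASA ACLs (subnet masks)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        # Strip the "access-list NAME [extended]" prefix of numbered / ASA ACLs
        if tok and tok[0].lower() == "access-list":
            tok = tok[2:]
        if tok and tok[0].lower() == "extended":
            tok = tok[1:]
        if len(tok) < 4 or tok[0].lower() not in ("permit", "deny") or tok[1].lower() != "ip":
            continue
        action, rest = tok[0].lower(), tok[2:]
        src, rest = _take(rest, wildcard)
        dst, rest = _take(rest, wildcard)
        entries.append((action, src, dst))
    return entries


def proxy_id_mismatches(asa_acl, ios_acl):
    """IOS permit entries that are not the exact mirror image of an ASA entry.
    IKEv1 quick mode requires identical proxy IDs, so a /29 on one side against
    a /25 on the other is answered with 'No proposal chosen'."""
    mirrored = {(dst, src) for act, src, dst in parse_acl(asa_acl, False) if act == "permit"}
    return [(s, d) for act, s, d in parse_acl(ios_acl, True)
            if act == "permit" and (s, d) not in mirrored]


def unexempted_vpn_flows(ios_crypto_acl, ios_nat_acl):
    """VPN flows whose first match in the NAT ACL is not a deny, i.e. flows that
    would still be translated before encryption. The first ACE that fully
    contains the flow wins; a partially overlapping ACE is skipped, so a too
    narrow deny (e.g. a /29 deny for a /25 flow) is flagged."""
    nat = parse_acl(ios_nat_acl, True)
    bad = []
    for act, s, d in parse_acl(ios_crypto_acl, True):
        if act != "permit":
            continue
        for nact, ns, nd in nat:
            if s.subnet_of(ns) and d.subnet_of(nd):
                if nact != "deny":
                    bad.append((s, d))
                break
    return bad


# Sample ACLs copied from the thread (ASA crypto ACL, router crypto ACLs, NAT ACLs).
ASA_CRYPTO_ACL = """\
Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
"""
IOS_CRYPTO_ACL_FIRST_POST = """\
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
"""
IOS_CRYPTO_ACL_FIXED = """\
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
"""
IOS_NAT_ACL_FIRST_POST = """\
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
"""
IOS_NAT_ACL_110 = """\
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
"""

if __name__ == "__main__":
    print("proxy-ID mismatches, first post:", proxy_id_mismatches(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL_FIRST_POST))
    print("proxy-ID mismatches, fixed ACL:", proxy_id_mismatches(ASA_CRYPTO_ACL, IOS_CRYPTO_ACL_FIXED))
    print("still NATed with old NAT ACL:", unexempted_vpn_flows(IOS_CRYPTO_ACL_FIXED, IOS_NAT_ACL_FIRST_POST))
    print("still NATed with ACL 110:", unexempted_vpn_flows(IOS_CRYPTO_ACL_FIXED, IOS_NAT_ACL_110))
```

Run against the thread's ACLs, the first-post router ACL produces two proxy-ID mismatches against the ASA (a /29 offered where the ASA expects a /25), the reconfigured ACL produces none, and once the crypto ACL is /25 the original NAT-exempt list (still written with 0.0.0.7) no longer covers the VPN flows, which is the gap ACL 110 closes.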

 

 
