cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30210
Views
5
Helpful
12
Replies

ASA IPSec Site to Site VPN error

smolz
Level 4
Level 4

I am trying to get a site to site vpn up and running:

All I am seeing is the following:

%ASA-5-750002: Local:x.x.x.x:500 Remote:x.x.x.x:500 Username:Unknown Received a IKE_INIT_SA request

%ASA-3-751002: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username: x.x.x.x No pre-shared key or trustpoint configured for self in tunnel group x.x.x.x

%ASA-4-750003: Local:x.x.x.x:4500 Remote:x.x.x.x:4500 Username:x.x.x.x Negotiation aborted due to ERROR: Failed to locate an item in the database

12 Replies 12

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Do you have the following configurations

tunnel-group type ipsec-l2l

tunnel-group type ipsec-attributes

ikev1 pre-shared-key

Or depending on software it might be

tunnel-group type ipsec-l2l

tunnel-group type ipsec-attributes

pre-shared-key

- Jouni

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy1

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive disable

Hi,

Does the log messages IP address match exactly to the one in the "tunnel-group" configurations?

- Jouni

yes

Hello Guys,

 

I'm facing the same issue.

 

Here the tunnel-group is configured but it's like the ASA doesn't recgonize it.

 

Any help?

 

Regards.

 

Hi Allen,

 

Could you please share the logs that you are getting and the output of following commands from both the ASA's involved in building tunnel:

1. Show cry isa sa

2. show cry ipsec sa

3. show run tunnel-group

You can hide the ip address by using xx to saving it from unwanted people. 

Once we have this information, I will be able to tell you where you are going wrong.

 

 

Thanks,

Vishnu 


Hello Vishnu

hope you are doing fine.


First of all thank you very much for your answer.

The tunnel-group configuration related to this remote ip address is:

tunnel-group 104.41.xxx.xxx type ipsec-l2l
tunnel-group 104.41.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****


this remote ip address doesn't even show up in debugs or "show crypto ikev1..." or "show crypto ipsec sa" and etc.


I'm getting some messagen on the ASDM logging:

%ASA-5-750002
%ASA-3-751002
%ASA-4-750003


Looks like the ASA is completely ignoring these tunnel-group sentences, I removed then to do a test and the sympton is exactly the same without then.

 

 

Hi Allan,

 

I am not sure if you are using Ikev1 or Ikev2. Also the configuration that you have shared is from one side only. I need to see complete configuration from both the ends. Could you please share it here after hiding ip and group information. 

We need it from both the sides to check if you are missing something on the ASA or not.

 

 

Thanks,

Vishnu 

Hey Vishnu,


I'm using ikev1.


The other side is a problem, it's a VPN with Microsoft using Azure, kind of an autoconfigurable VPN that at the end generates a document containing the key and the protocols to be used (follow attached).

I configured the ASA using exactly these parameters, except by names, crypto map number and etc.

The strange thing is the ASA not even "seeing" the key we configured for the peer, it's like it's not even there.

Thanks again.

Jeet Kumar
Cisco Employee
Cisco Employee

Is it possible for you to post complete debugs?

Because you get this error message if the IP that you are coming from there is no pre-shared key configured for it.

If you cannot paste teh debugs, double check the connection is not going to the dynamic map or the default l2l tunnel-group.

If you can paste the debugs and some portion of the crypto map configuration. It would  help us to diagnose the issue better.

Thanks

Jeet Kumar

I know , This is an old post but do we have any resolution or root cause for this . Can somebody help please . I am also getting the same error when i am configuring a L2L VPN between Azure and ASA

any solution for this ?

i too have same error Ikev2 erro azure.jpg

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: