12-28-2014 07:55 AM
Hello all,
We have a Cisco ASA 5510 that had a VPN tunnel established with the previous network administrator's home connection. When he resigned, we deleted the tunnel-group. I've noticed, however, in the logs we still see:
4 | Dec 28 2014 | 07:51:26 | Group = DefaultL2LGroup, IP = x.x.x.x, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting |
Where the x.x.x.x is the guy's home IP address. I tried grepping his IP in show run and all I found was an ACL entry. Is there any way to get DefaultL2LGroup to stop trying to reestablish this tunnel?
Thanks!
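As an added example (not from the thread or from Cisco), the script below parses ASA syslog lines in the format quoted above, counts the "mismatched pre-shared key" errors that fall through to DefaultL2LGroup per source IP, and cross-checks those IPs against the "set peer" addresses in a running config, which is what the grep of show run was trying to establish. The log lines and config excerpt are constructed samples with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA log format quoted in the thread.
SAMPLE_LOGS = [
    "Dec 28 2014 07:51:26: Group = DefaultL2LGroup, IP = 198.51.100.7, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting",
    "Dec 28 2014 07:52:01: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 1 COMPLETED",
    "Dec 28 2014 07:53:10: Group = DefaultL2LGroup, IP = 198.51.100.7, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting",
    "Dec 28 2014 07:54:44: Group = DefaultL2LGroup, IP = 192.0.2.9, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting",
]

# Constructed 'show run' excerpt; only the 'set peer' lines are used.
SAMPLE_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(r"Group = (?P<group>\S+), IP = (?P<ip>" + IPV4 + r"), (?P<msg>.+)$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (?P<ip>" + IPV4 + r")", re.M)


def configured_peers(config):
    """Return the set of peer addresses named in crypto map entries."""
    return {m.group("ip") for m in PEER_RE.finditer(config)}


def mismatched_psk_peers(log_lines, known_peers):
    """Count, per source IP, the pre-shared-key errors that landed in
    DefaultL2LGroup (i.e. from peers with no tunnel-group of their own),
    and return (all_hits, hits_from_ips_not_in_known_peers)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("group") != "DefaultL2LGroup":
            continue
        if "mismatched pre-shared key" not in m.group("msg"):
            continue
        hits[m.group("ip")] += 1
    unexpected = {ip: n for ip, n in hits.items() if ip not in known_peers}
    return hits, unexpected


if __name__ == "__main__":
    peers = configured_peers(SAMPLE_CONFIG)
    all_hits, unknown = mismatched_psk_peers(SAMPLE_LOGS, peers)
    for ip, n in unknown.items():
        print(f"{ip}: {n} PSK-mismatch attempts, not a configured crypto map peer")
```

An IP that shows up here but not in the configured peers is a remote end still initiating IKE toward the firewall, not the firewall initiating toward it.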
12-29-2014 05:47 AM
Since you see
ERROR, had problems decrypting packet
I would say his configuration is still trying to send you encrypted packets.
12-28-2014 06:53 PM
hi,
you'll need to remove the crypto related config.
no crypto isakmp key <KEY> address <PREV ADMIN'S IP>
no crypto ipsec transform-set <TSET NAME>
no crypto map <CMAP NAME> <SEQUENCE NUM>
12-28-2014 07:10 PM
If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.
12-28-2014 10:12 PM
If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.
He says he has removed it on his end, and that our firewall is still trying to bring up a tunnel with him.
you'll need to remove the crypto related config.
no crypto isakmp key <KEY> address <PREV ADMIN'S IP>
no crypto ipsec transform-set <TSET NAME>
no crypto map <CMAP NAME> <SEQUENCE NUM>
When I do "no crypto isakmp key <key> address <ip>" I get:
ERROR:no keyword not supported.Command deprecated
Usage: crypto { ca | dynamic-map | engine | ipsec | isakmp | key | map }
For more detailed help, please refer directly to the subcommands
If I understand everything right, we are using the transform-set for other VPN connections as well.
For the last one, I don't see any crypto map entries with his IP as the peer.
12-29-2014 11:41 AM
That was the problem, he thought he had removed it from his end and hadn't. Thanks!