DefaultL2LGroup keeps trying to connect to an old IP address

tedbronson
Level 1

Hello all,

 

We have a Cisco ASA 5510 that had a VPN tunnel established with the previous network administrator's home connection.  When he resigned, we deleted the tunnel-group.  I've noticed, however, in the logs we still see:

4 Dec 28 2014 07:51:26     Group = DefaultL2LGroup, IP = x.x.x.x, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting

 

Where the x.x.x.x is the guy's home IP address. I tried grepping his IP in show run and all I found was an ACL entry.  Is there any way to get DefaultL2LGroup to stop trying to reestablish this tunnel?

 

Thanks!


5 Replies

johnlloyd_13
Level 9

hi,

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>
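An added example (not from the thread or from Cisco): a small Python audit that takes a saved "show run" and the old peer's address and lists the crypto map entries, ACLs and tunnel-group still tied to it, and flags whether a transform-set is shared with other tunnels before anyone types "no crypto ipsec transform-set". The config excerpt and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (sample data, not from the thread).
SAMPLE_CONFIG = """\
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_access_in extended permit ip host 203.0.113.10 any
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_1
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address outside_cryptomap_2
crypto map outside_map 20 set peer 198.51.100.7
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.7 type ipsec-l2l
"""

def crypto_map_entries(config):
    """Collect peer, transform-set and ACL per (map name, sequence number)."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        p = line.split()
        if len(p) < 7 or p[:2] != ["crypto", "map"] or not p[3].isdigit():
            continue  # skips e.g. 'crypto map outside_map interface outside'
        field = {"set peer": "peer", "set transform-set": "tset",
                 "match address": "acl"}.get(f"{p[4]} {p[5]}")
        if field:
            entries[(p[2], int(p[3]))][field] = p[6]
    return dict(entries)

def stale_peer_report(config, peer_ip):
    """Report what still references a decommissioned L2L peer and what is safe to remove."""
    entries = crypto_map_entries(config)
    stale = [k for k, v in entries.items() if v.get("peer") == peer_ip]
    tsets = {entries[k]["tset"] for k in stale if "tset" in entries[k]}
    # A transform-set is only removable if no surviving crypto map entry uses it.
    still_used = {v.get("tset") for k, v in entries.items() if k not in stale}
    # Exact-address match so 203.0.113.10 does not also hit 203.0.113.100.
    exact_ip = re.compile(rf"(?<![\d.]){re.escape(peer_ip)}(?![\d.])")
    lines = config.splitlines()
    return {
        "crypto_map_entries": sorted(stale),
        "acls": sorted({entries[k]["acl"] for k in stale if "acl" in entries[k]}),
        "transform_sets": {t: ("shared, keep" if t in still_used else "unused, removable")
                           for t in sorted(tsets)},
        "tunnel_group": any(l.startswith(f"tunnel-group {peer_ip} ") for l in lines),
        "other_lines": [l for l in lines if exact_ip.search(l) and not l.startswith("crypto map ")],
    }
```

Run it against the output of "show run" saved to a file; "other_lines" is where leftover ACL entries like the one in the original post show up.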

Marvin Rhoads
Hall of Fame

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

If he still has the L2L VPN setup at his end, the only thing you can do is to filter his address, preferably on the upstream router - if that's under your control - or have him remove his end's config.

 

He says he has removed it on his end, and that our firewall is still trying to bring up a tunnel with him.

 

you'll need to remove the crypto related config.

no crypto isakmp key <KEY> address <PREV ADMIN'S IP>

no crypto ipsec transform-set <TSET NAME>

no crypto map <CMAP NAME> <SEQUENCE NUM>

 

When I do "no crypto isakmp key <key> address <ip>" I get:

ERROR:no keyword not supported.Command deprecated
Usage: crypto { ca | dynamic-map | engine | ipsec | isakmp | key | map  }
        For more detailed help, please refer directly to the subcommands

 

 

If I understand everything right, we are using the transform-set for other VPN connections as well.

For the last one, I don't see any crypto map entries with his IP as the peer.

 

Since you see 

     ERROR, had problems decrypting packet

I would say his configuration is still trying to send you encrypted packets.

 

That was the problem, he thought he had removed it from his end and hadn't. Thanks!