01-30-2018 05:38 AM - edited 03-12-2019 04:58 AM
Hey Techies,
I am trying to set up an L2L VPN between a Cisco IOS router and an ASA firewall. I can't seem to figure out what's wrong. Here's the config below:
Here is the error message:
Removing peer from correlator table failed, no match!
QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!
And the config on both routers:
ASA CONFIG
object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3
PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx
object network Abuja
subnet 172.16.130.0 255.255.255.128
PHASE 2
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside
nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
IOS
PHASE 1
ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)
crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x
PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
match address Abuja-to-VI
int vlan1
crypto map ABJ2ILPJ
ip nat outside
ROUTES AND NONATS
ip route 172.16.120.0 255.255.248.0 91.x.x.2
ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload
PLEASE HELP
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
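A QM FSM error on the ASA is a Phase 2 (quick mode) negotiation failure, and one of the usual causes is crypto ACLs that are not mirror images of each other. In the config above the ASA side covers 172.16.130.0 with mask 255.255.255.128 (a /25) while the IOS wildcard 0.0.0.7 only covers a /29. The following Python check is an added example, not from the thread: it converts the ASA subnet-mask entries and the IOS wildcard entries to networks and reports every entry with no mirrored match on the other side; the "fixed" IOS list (with 0.0.0.127, as used later in the thread) is constructed here for comparison.

```python
import ipaddress

# Crypto ACL entries taken from the posted config, as (source, destination)
# in each platform's native notation: ASA uses subnet masks, IOS wildcards.
ASA_ACL = [
    ("172.16.120.0 255.255.248.0", "172.16.130.0 255.255.255.128"),
    ("192.168.0.0 255.255.255.0", "172.16.130.0 255.255.255.128"),
]
IOS_ACL = [
    ("172.16.130.0 0.0.0.7", "192.168.0.0 0.0.0.255"),
    ("172.16.130.0 0.0.0.7", "172.16.120.0 0.0.7.255"),
]
# Constructed variant with the /25 wildcard (0.0.0.127) on the IOS side.
IOS_ACL_FIXED = [
    ("172.16.130.0 0.0.0.127", "192.168.0.0 0.0.0.255"),
    ("172.16.130.0 0.0.0.127", "172.16.120.0 0.0.7.255"),
]


def net_from_mask(text: str) -> ipaddress.IPv4Network:
    """'addr subnet-mask' (ASA style) -> IPv4Network."""
    addr, mask = text.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def net_from_wildcard(text: str) -> ipaddress.IPv4Network:
    """'addr wildcard-mask' (IOS style) -> IPv4Network.

    The wildcard is inverted explicitly rather than relying on ipaddress
    hostmask parsing, so 0.0.0.0 (a single host) is not mistaken for /0.
    A non-contiguous wildcard raises ValueError, which is what we want.
    """
    addr, wildcard = text.split()
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def find_unmirrored(asa, ios):
    """Return (ASA entries with no mirrored IOS entry,
               IOS entries, in ASA orientation, with no matching ASA entry)."""
    asa_nets = {(net_from_mask(s), net_from_mask(d)) for s, d in asa}
    ios_nets = {(net_from_wildcard(s), net_from_wildcard(d)) for s, d in ios}
    mirrored = {(d, s) for s, d in ios_nets}  # flip IOS src/dst to ASA view
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(asa_nets - mirrored), fmt(mirrored - asa_nets)


if __name__ == "__main__":
    for label, ios in (("as posted", IOS_ACL), ("with 0.0.0.127", IOS_ACL_FIXED)):
        print(label, find_unmirrored(ASA_ACL, ios))
```

With the posted wildcard every entry is reported on both sides; with 0.0.0.127 both lists come back empty, which is the state both peers need before the proxy IDs can agree.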
02-07-2018 12:20 AM
Hello Guys,
So I somewhat sorted it out, in a way:
1. There is already an existing crypto map on the router before the one I configured. The new one I did had a misspelled crypto map name. It is ABJ2ILPJ not ABJ2IPJ. So I corrected that.
2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-TO-LAN VPN, I did a route map.
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
ip nat inside source list 110 interface Vlan1 overload
route-map nonat permit 10
match ip address 110
The tunnel came up but I encountered another challenge. I may put that up in another post.
Thank you Deepak and everyone who assisted in some way. Deeply appreciate.
This forum is helpful.