
ERROR: VPN NOT WORKING YET ACTIVE (Removing peer from correlator table failed, no match)

Jesutofunmi O
Level 1

Hey Techies, 

I am trying to set up an L2L VPN between a Cisco IOS router and an ASA firewall. I can't seem to figure out what's wrong. Here's the config below:

Here is the error message:

Removing peer from correlator table failed, no match!

QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!

 

And config on both routers

 

 

ASA CONFIG

Removing peer from correlator table failed, no match!


object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3


PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400

crypto isakmp enable outside

tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx

object network Abuja
subnet 172.16.130.0 255.255.255.128


PHASE 2

Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128

crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside


nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

 

 

 


IOS

PHASE 1

ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)

crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x


PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255

crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel

crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
macth address Abuja-to-VI

int vlan1
crypto map ABJ2ILPJ
ip nat outside

ROUTES AND NONATS

ip route 172.16.120.0 255.255.248.0 91.x.x.2

ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload

 

 

PLEASE HELP

 

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

15 Replies

Hello Guys, 

So I somewhat sorted it out in some way:

1. There is already an existing crypto map on the router before the one I configured. The new one I did had a misspelled crypto map name. It is ABJ2ILPJ not ABJ2IPJ. So I corrected that.

 

2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-TO-LAN VPN, I did a route map. 

 

access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255 
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255 
access-list 110 permit ip 172.16.130.0 0.0.0.127 any

ip nat inside source list 110 interface Vlan1 overload

route-map nonat permit 10
Match ip address 110

 

The tunnel came up but I encountered another challenge. I may put that up on another post.

 

Thank you Deepak and everyone who assisted in some way. Deeply appreciated.

This forum is helpful.
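
An added example, not part of the thread and not Cisco tooling: a check that the two crypto ACLs posted above are exact mirror images of each other, which L2L peers expect of their Phase 2 proxy identities. The ACL lines are copied from the original post; the function names are illustrative, and only the `permit ip <net> <mask> <net> <mask>` form used in the thread is parsed.

```python
import ipaddress

# Crypto ACL lines copied from the thread (ASA uses netmasks, IOS uses wildcards).
ASA_ACL = """\
Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
"""
IOS_ACL = """\
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
"""

def _net(addr, mask, wildcard):
    """Build a network from addr plus an ASA netmask or an IOS wildcard mask."""
    if wildcard:  # invert the wildcard bits to get the netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return the set of (source, destination) networks for 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit")
        if tok[i + 1 : i + 2] != ["ip"] or len(tok) < i + 6:
            continue  # only the 'permit ip net mask net mask' form used in the thread
        src = _net(tok[i + 2], tok[i + 3], wildcard)
        dst = _net(tok[i + 4], tok[i + 5], wildcard)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(asa_text, ios_text):
    """Entries on one side with no exact mirror (src/dst swapped) on the other."""
    asa = parse_acl(asa_text, wildcard=False)
    ios_mirrored = {(dst, src) for src, dst in parse_acl(ios_text, wildcard=True)}
    return sorted(asa - ios_mirrored, key=str), sorted(ios_mirrored - asa, key=str)

if __name__ == "__main__":
    asa_only, ios_only = mirror_mismatches(ASA_ACL, IOS_ACL)
    for src, dst in asa_only:
        print(f"ASA proxy identity with no IOS mirror: {src} -> {dst}")
    for src, dst in ios_only:
        print(f"IOS entry (as seen from the ASA) with no ASA match: {src} -> {dst}")
```

Run against the posted lines, it reports the ASA's 172.16.130.0/25 entries against the router's 172.16.130.0/29 (wildcard 0.0.0.7); with the 0.0.0.127 wildcard used in the reply's access-list 110, both lists come back empty.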