Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4777
Views
0
Helpful
3
Replies

IPSEC- peer address not found

mohsen961
Level 1
Level 1

‎12-28-2004 04:01 AM - edited ‎02-21-2020 01:31 PM

Can anybody explain what does cisco means by the following comment on the error "peer address xxxx not found":

The error message below normally appears with the corresponding VPN 3000 Concentrator error message "Message: No proposal chosen(14)". This is a result of the connections being host-to-host. The router configuration had the IPSec proposals in an order such that the proposal chosen for the router matched the access list, but not the peer. The access list had a larger network that included the host that was intersecting traffic. To correct this, make the router proposal for this concentrator-to-router connection first in line, so that it matches the specific host first."

Thanks

Labels:
0 Helpful
3 Replies 3

umedryk
Level 5
Level 5

‎01-03-2005 09:48 AM

It means that you need to have the host in a more specific way in the ACL

0 Helpful

brianj
Level 1
Level 1

‎01-03-2005 04:39 PM

I agree that it does have to do with ACL's. I encountered this error message when I was recently configuring a 4 site hub and spoke topology using pix 501's. What I found was I had something similiar to this:

PIX A:

access-list 120 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

access-list 120 permit icmp any any

access-list 130 permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list 130 permit icmp any any

PIX B:

access-list 110 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 110 permit icmp any any

I was using the permit icmp any any to test the vpn remotely and this acl saw the icmp traffic as interesting therefore bringing up the tunnel.

The problem was that since I had the permit icmp any any more than once the pix didn't like like it. As soon as I removed those ACE's from the ACL's the errors went away.

I then learned (by some nice person on this forum) that IOS version 6.34 has a command "management-address inside" which allows you to ping the remote site using the "ping 10.0.2.1 inside" command to bring the tunnel up and test.

Don't know if any of that pertains to you but thought that I would share.

Brian

0 Helpful

aftermath
Level 1
Level 1
In response to brianj

‎01-04-2005 05:17 AM

Hi Brian,

Were you able to get this resolved?

This is simply an ACL mismatch.

Also, if you want, you can contact me at

tony_askew2003@yahoo.com

0 Helpful
Customers Also Viewed These Support Documents