
Modifying Existing VPN on ASA version 7.1

Hello All,

I have two issues to resolve

  1. I added 5 new network ranges to an existing B2B tunnel. Three (3) of the new network ranges are able to establish sessions over the tunnel but two (2) are unable to. I did a tracert from a computer and the trace terminates within the ASA. There are no logs showing up on the ASA to suggest traffic is reaching the ASA. I cloned the existing NAT, ACL and static rules but with no success.
  2. 3  Jul 11 2013  15:22:42  713902  Group = 82.199.93.3, IP = 82.199.93.3, QM FSM error (P2 struct &0xb07054c0, mess id 0x5eafb9bb)!

     3  Jul 11 2013  15:22:42  713902  Group = 82.199.93.3, IP = 82.199.93.3, Removing peer from correlator table failed, no match!

     4  Jul 11 2013  15:22:42  752012  IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 1.

     3  Jul 11 2013  15:22:42  752015  Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 1.


Thanks

Accepted Solution

Marvin Rhoads
Hall of Fame

The error message "Removing peer from correlator table failed, no match!" most often indicates that the distant end does not have the mirror image configuration to allow the traffic across the VPN and thus some of the IKE SAs are not being formed.
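
What "mirror image" means for the crypto ACLs on the two peers, as an added example that is not part of the original thread: the script below compares an ASA crypto ACL with the router's ACL and lists the entries that have no reversed counterpart on the other side. The ACL names and all addresses are constructed sample values, and only plain `permit ip <network> <mask>` entries are handled (no `host`, `any` or object groups).

```python
import ipaddress
import re

# Matches "permit ip <src> <mask> <dst> <mask>" on both ASA and IOS ACL lines.
ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def _net(addr, mask, wildcard):
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # IOS ACLs use inverse (wildcard) masks
        bits ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(bits)}")

def selectors(acl_text, wildcard=False):
    """Set of (source, destination) networks the crypto ACL protects."""
    found = set()
    for line in acl_text.splitlines():
        m = ENTRY.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            found.add((_net(src, smask, wildcard), _net(dst, dmask, wildcard)))
    return found

def unmirrored(asa_acl, ios_acl):
    """Return (ASA entries the router lacks, router entries the ASA lacks)."""
    local = selectors(asa_acl)
    # Swap source and destination so the router's view lines up with the ASA's.
    remote = {(dst, src) for src, dst in selectors(ios_acl, wildcard=True)}
    return sorted(local - remote), sorted(remote - local)

# Constructed sample: five local ranges on the ASA, three mirrored on the router.
ASA_ACL = "\n".join(
    f"access-list outside_cryptomap extended permit ip 10.10.{i}.0 "
    "255.255.255.0 172.16.20.0 255.255.255.0" for i in range(1, 6))
IOS_ACL = "ip access-list extended VPN-TO-ASA\n" + "\n".join(
    f" permit ip 172.16.20.0 0.0.0.255 10.10.{i}.0 0.0.0.255"
    for i in range(1, 4))

if __name__ == "__main__":
    missing_remote, missing_local = unmirrored(ASA_ACL, IOS_ACL)
    for src, dst in missing_remote:
        print(f"no mirror on router: {src} -> {dst}")
    for src, dst in missing_local:
        print(f"no mirror on ASA: {src} -> {dst}")
```

With the sample input, the two ranges that exist only on the ASA side are reported, which is the situation in which phase 2 fails for some networks while others on the same tunnel work.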


Hello Marvin,

The remote peer is using a Cisco router and I asked the engineer to send me the config after sending him a screenshot of the config on the ASA.

The engineer refused as they have other tunnels and the only confirmation of a mirror config is based on what he says.

As such I cannot verify if this is related to why the other two network ranges are not being encrypted as they cross the ASA.

Thanks

If you turn on debugging your log output should show you more precisely where the failure is. You can filter on the remote peer first to narrow down the volume of output.

debug crypto condition peer

debug crypto ipsec 7

debug crypto isakmp 7

Hello Marvin,

Thanks for the info supplied.

Will do so ASAP.

Regards

Mike
