cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
44828
Views
0
Helpful
3
Replies
Highlighted
Beginner

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

Hi,

I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.

Any ideas?

Thanks Steve

https://supportforums.cisco.com/thread/255085

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10

5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping

4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!

3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!

3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED

6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx

6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

3 REPLIES 3
Highlighted
Cisco Employee

Rejecting IPSec tunnel: no matching crypto map entry for remote

Looks like the crypto ACL does not mirror image between this site and the other site.

On this ASA you have configured:

access-list outside_1_cryptomap extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0

The other site seems to have:

access-list extended permit ip 172.16.0.0 255.255.240.0 any

They would need to change their crypto acl to be as follows:

access-list extended permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0

Highlighted
Beginner

Rejecting IPSec tunnel: no matching crypto map entry for remote

I also need the 172.16.0.0/20 network to be able to reach both the internet and the 172.17.0.0/20 networks.  Won't that block the "external" traffic from the remote site?

Highlighted
Cisco Employee

Rejecting IPSec tunnel: no matching crypto map entry for remote

Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? why? are you inspecting those traffic before being sent out to the internet?

If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.

access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0

Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:

nat (outside) 1 172.16.0.0 255.255.240.0