53562 Views, 0 Helpful, 3 Replies

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy on interface outside.

Stephen Dahl, Level 1

Hi,

I have a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I wait for the ISP to respond.

Any ideas?

Thanks Steve

https://supportforums.cisco.com/thread/255085

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10

5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping

4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!

3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!

3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED

6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx

6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

3 Replies

Jennifer Halim, Cisco Employee

Looks like the crypto ACL is not a mirror image between this site and the other site.

On this ASA you have configured:

access-list outside_1_cryptomap extended permit ip 172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0

The other site seems to have:

access-list extended permit ip 172.16.0.0 255.255.240.0 any

They would need to change their crypto acl to be as follows:

access-list extended permit ip 172.16.0.0 255.255.240.0 172.17.0.0 255.255.240.0

I also need the 172.16.0.0/20 network to be able to reach both the internet and the 172.17.0.0/20 networks.  Won't that block the "external" traffic from the remote site?

Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?

If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.

access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0

Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:

nat (outside) 1 172.16.0.0 255.255.240.0
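The mirror-image rule in the reply above is mechanical enough to check offline. The script below is an added example (not code from the thread or from Cisco): it pulls the proxy identities out of the %ASA-3-713061 message quoted in the question, parses crypto ACL entries written in ASA syntax, and reports whether any local entry is the exact mirror (local source == the peer's "local proxy", local destination == the peer's "remote proxy"). The "covered-but-not-mirror" verdict is this example's own label for the common near miss where a local entry contains the proposal without matching it exactly; the ACL names and the narrower /24 proposal used in the test are constructed.

```python
"""Mirror-image check for an ASA crypto ACL against a peer's IKE proxy IDs.

Added example, not from the thread. Assumes the ASA log line quoted in the
question and crypto ACL entries of the form
  access-list NAME extended permit ip SRC DST
where SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
"""
import ipaddress
import re

# Matches the proxy identities inside a %ASA-3-713061 message.
PROXY_RE = re.compile(
    r"remote proxy (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def parse_713061(msg):
    """Return (remote_proxy, local_proxy) networks from a 713061 log line."""
    m = PROXY_RE.search(msg)
    if not m:
        raise ValueError("not a 713061 'no matching crypto map entry' message")
    remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
    local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
    return remote, local


def _take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (net, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line):
    """Return (name, src_net, dst_net) for an 'extended permit ip' ACE."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError(f"unsupported ACE: {line}")
    name = tokens[1]
    i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword 'ip'
    src, i = _take_addr(tokens, i)
    dst, i = _take_addr(tokens, i)
    return name, src, dst


def fmt_addr(net):
    """Render a network back into ASA ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def mirror_line(acl_name, remote_proxy, local_proxy):
    """The ACE this ASA would need to mirror the peer's proposal."""
    return (f"access-list {acl_name} extended permit ip "
            f"{fmt_addr(local_proxy)} {fmt_addr(remote_proxy)}")


def diagnose(acl_lines, remote_proxy, local_proxy):
    """'match' if an ACE mirrors the proposal exactly, 'covered-but-not-mirror'
    if an ACE merely contains it (the ASA still rejects), else 'no-entry'."""
    covered = False
    for line in acl_lines:
        _, src, dst = parse_acl_line(line)
        if src == local_proxy and dst == remote_proxy:
            return "match"
        if local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst):
            covered = True
    return "covered-but-not-mirror" if covered else "no-entry"


# Log line from the question (peer IP already masked there).
LOG_713061 = ("3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, "
              "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
              "172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
# Current and proposed ACEs, as given in the reply.
CURRENT_ACE = ("access-list outside_1_cryptomap extended permit ip "
               "172.17.0.0 255.255.240.0 172.16.0.0 255.255.240.0")
FIXED_ACE = "access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0"

if __name__ == "__main__":
    remote, local = parse_713061(LOG_713061)
    print("peer proposed remote", remote, "local", local)
    print("current ACL:", diagnose([CURRENT_ACE], remote, local))
    print("suggested  :", mirror_line("outside_1_cryptomap", remote, local))
    print("after fix  :", diagnose([FIXED_ACE], remote, local))
```

Feed it the 713061 line from `show logging` and the output of `show run access-list <crypto-acl>`; when it prints "covered-but-not-mirror", the peer is proposing a narrower or wider selector than the ACE you have, which is the case to raise with the other side before touching NAT.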
