Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14635
Views
0
Helpful
2
Replies

Removing peer from peer table failed, no match! Error: Unable to remove PeerTblEntry

venkat.247cs
Level 1
Level 1

‎12-24-2010 08:21 AM

Hi,

I am getting this error while establishing an VPN tunnel between two sites. One site has Nortel and the other side has ASA.
We are using this tunnel settings.

We tried deleting and creating a new tunnel, but still no luck. Could anyone tell us what could be wrong ?

The error is :

Dec 24 21:24:40 [IKEv1]: IP = , Removing peer from peer table failed, no match!
Dec 24 21:24:40 [IKEv1]: IP = , Error: Unable to remove PeerTblEntry
Dec 24 21:25:15 [IKEv1]: IP = , Removing peer from peer table failed, no match!
Dec 24 21:25:15 [IKEv1]: IP = , Error: Unable to remove PeerTblEntry

Thanks,
Venkat

Phase 1

Authentication Method

Encryption Scheme

IKE

IKE

Diffie-Hellman Group

Group 2

Group 2

Encryption Algorithm

3DES

3DES

Hashing Algorithm

SHA-1

SHA-1

Main or Aggressive Mode

Main Mode

Main mode

Lifetime   (for renegotiation)

28800 Seconds

28800 seconds

Phase 2

Encapsulation   (ESP or AH)

ESP

ESP

Encryption Algorithm

3DES

3DES

Authentication Algorithm

SHA-1

SHA-1

Perfect Forward Secrecy

NO PFS

NO PFS

Lifetime (for renegotiation)

3600 Seconds

3600 seconds

Lifesize in KB (for renegotiation)

-NA

Not used

Key Exchange For Subnets?

Yes

Yes

Labels:
0 Helpful
2 Replies 2

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎12-24-2010 09:14 AM

Hi,

For some reason some parameter is not matching between the two sites for the tunnel negotiation.

When trying to initiate the tunnel, check if both phase 1 and phase 2 establishes with the command:

sh cry isa sa

sh cry ips sa

Also, please post the output of

debug cry isa 127

debug cry ips 127

Federico.

0 Helpful

venkat.247cs
Level 1
Level 1
In response to Federico Coto Fajardo

‎12-26-2010 09:05 PM

Hi Federico,

I crosscheck the both end configuration its seems ok when i try the debug isakmp packet as you said the following error is occured

UPS-ASA5510-FIREWALL# debug cry isa 127
UPS-ASA5510-FIREWALL# Dec 27 10:09:26 [IKEv1 DEBUG]: IP = x.x.x.x, IKE MM Initiator FSM error history (struct &0x4d27a90)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1,EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Dec 27 10:09:26 [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA MM:2c9be8d3 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 27 10:09:26 [IKEv1 DEBUG]: IP = x.x.x.x, sending delete/delete with reason message
Dec 27 10:09:26 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Dec 27 10:09:26 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Dec 27 10:09:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:26 [IKEv1]: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x  local Proxy Address 192.168.1.207, remote Proxy Address 172.17.4.100,  Crypto map (outside_map)
Dec 27 10:09:26 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Dec 27 10:09:26 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Dec 27 10:09:26 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 216
Dec 27 10:09:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:29 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:31 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:34 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:34 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 216
Dec 27 10:09:36 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:39 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:41 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:42 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 216
Dec 27 10:09:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:44 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:49 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:50 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 216
Dec 27 10:09:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:51 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 27 10:09:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 27 10:09:54 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

kindly check and revert back

Thank U  in advance

0 Helpful
Customers Also Viewed These Support Documents