3021 Views | 0 Helpful | 4 Replies

Site to Site VPN not working

etieseler (Level 1)

I have two sites with an ASA5505 at one end and a 5525X at the other end. We recently migrated our IP address space to a new /24. After doing this I cannot get the site-to-site VPN tunnel up. I get the following output from debug crypto isakmp:

Removing peer from peer table failed, no match!

Error: Unable to remove PeerTblEntry

As far as I can tell I have it set up correctly. I have the same networks listed on either side, the same encryption selected and DH group (as far as I can tell), and the same shared secret.

I tried to delete the config and use the Site-to-Site VPN wizard, but I got a message that I cannot remove the entry because it's still used by the Group Policy, in which I am unable to de-select the connection profile.

Any ideas here? It should be pretty straightforward, but I simply cannot get it to work. I do have various people (including myself) using the VPN client and that works without an issue, but I am hitting a road block with site-to-site.

Accepted Solution

First, change your IKE/ISAKMP policies; you are using incorrect and mismatched proposals on both sides.

Configure this:

5505

crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

ASA5525

crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Refer to the following document; this scenario is an exact match for what you are trying to do:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc13


4 Replies

Rahul Govindan (VIP Alumni)

Is that the only message you get with the debug? Can you run the debug at level 127 - "debug crypto isakmp 127" and paste the output? Also, attach a sanitized version of your configs so that someone can take a look.

First, I want to say I opened a ticket with TAC as well. They looked over it and said the configs look good and it should work (but maybe something was overlooked), but they think that something is "stuck" where the old IP address for the local peer is still in use on the remote peer. Tried rebooting the remote firewall. They suggested that we have to update the IOS and they cannot do anything further. But since it worked for several years with the currently installed IOS versions, I should be able to get this back up.

This is the output from debug. Attached are sanitized configs.

Local:


IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.
uIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.14, sport=17510, daddr=192.168.18.200, dport=17510
IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.14, sport=17510, daddr=192.168.18.200, dport=17510
IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.

Jun 01 08:40:21 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:21 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 08:40:23 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:23 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 08:40:25 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:25 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!

Remote:

Jun 01 00:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 01 00:38:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 00:38:53 [IKEv1]: Removing peer from peer table failed, no match!
Jun 01 00:38:53 [IKEv1]: Error: Unable to remove PeerTblEntry
Jun 01 00:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 01 00:38:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 00:38:53 [IKEv1]: Removing peer from peer table failed, no match!
Jun 01 00:38:53 [IKEv1]: Error: Unable to remove PeerTblEntry

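One way to check the accepted answer's diagnosis (mismatched Phase 1 proposals) against the "There is no valid IKE proposal available" lines in the debug output before touching either firewall, as an added example that is not code from the original thread or from Cisco: a small Python script that pulls the crypto isakmp policy / crypto ikev1 policy blocks out of two sanitized configs, reports whether any pair of policies agrees on authentication, encryption, hash and DH group, and counts the proposal-failure lines in a debug crypto isakmp capture. The two sample configs are constructed for the example (the poster's attachments are not on the page), the debug lines are copied from the output posted above, and all function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Attributes that must agree for an IKEv1 (ISAKMP) Phase 1 proposal to match.
# Lifetime is parsed but not treated as a hard mismatch: IKEv1 peers negotiate
# it, and a lifetime difference alone does not produce the
# "There is no valid IKE proposal available" error seen in the thread.
STRICT_ATTRS = ("authentication", "encryption", "hash", "group")

# Both header spellings: 'crypto isakmp policy' (pre-8.4 ASA code) and
# 'crypto ikev1 policy' (8.4 and later), as in the two configs the answer gives.
POLICY_HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)\s*$")

NO_PROPOSAL_MSG = "There is no valid IKE proposal available"

Policies = Dict[int, Dict[str, str]]


def parse_ikev1_policies(config: str) -> Policies:
    """Return {priority: {attribute: value}} for each IKEv1/ISAKMP policy block.

    Indented lines under a header are attributes; any non-indented line ends
    the block, so unrelated config sections are skipped.
    """
    policies: Policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_HEADER.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None
    return policies


def find_matching_policies(local: Policies, remote: Policies) -> List[Tuple[int, int]]:
    """(local_priority, remote_priority) pairs whose strict attributes all agree.

    Walked in ascending priority on both sides, the order in which an ASA
    offers and evaluates Phase 1 proposals.
    """
    return [
        (lp, rp)
        for lp in sorted(local)
        for rp in sorted(remote)
        if all(local[lp].get(a) == remote[rp].get(a) for a in STRICT_ATTRS)
    ]


def explain_first_mismatch(local: Policies, remote: Policies) -> List[Tuple[str, str, str]]:
    """(attribute, local value, remote value) for the lowest-numbered policy on each side."""
    lp, rp = min(local), min(remote)
    return [
        (a, local[lp].get(a, "-"), remote[rp].get(a, "-"))
        for a in STRICT_ATTRS
        if local[lp].get(a) != remote[rp].get(a)
    ]


def count_no_proposal_errors(debug_output: str) -> int:
    """Number of 'debug crypto isakmp' lines reporting a Phase 1 proposal failure."""
    return sum(1 for line in debug_output.splitlines() if NO_PROPOSAL_MSG in line)


# Constructed sample configs. BEFORE: the sides disagree on hash and DH group,
# the situation the accepted answer describes. AFTER: both carry the answer's
# policy 20, so a matching proposal exists.
ASA5505_BEFORE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
"""
ASA5525_BEFORE = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""
POLICY_20 = """\
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""
ASA5505_AFTER = ASA5505_BEFORE + "crypto isakmp policy 20\n" + POLICY_20
ASA5525_AFTER = ASA5525_BEFORE + "crypto ikev1 policy 20\n" + POLICY_20

# Debug lines as posted in the thread (local side).
SAMPLE_DEBUG = """\
Jun 01 08:40:21 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:21 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 08:40:23 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:23 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
"""

if __name__ == "__main__":
    a, b = parse_ikev1_policies(ASA5505_BEFORE), parse_ikev1_policies(ASA5525_BEFORE)
    print("debug proposal failures:", count_no_proposal_errors(SAMPLE_DEBUG))
    print("matches before:", find_matching_policies(a, b))
    print("first mismatch:", explain_first_mismatch(a, b))
    a, b = parse_ikev1_policies(ASA5505_AFTER), parse_ikev1_policies(ASA5525_AFTER)
    print("matches after:", find_matching_policies(a, b))
```

Feed it the two sanitized running-configs and the debug capture; an empty match list together with a non-zero failure count points at Phase 1 policy, not at the peer table or the migrated addresses, which is exactly the split the accepted answer makes.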

That got us up and running! I changed encryption and hash based on something I read about the license and IOS I have on the 5505 possibly not supporting sha, and I must have changed the authentication along the way somewhere.

Thanks!