05-31-2017 11:55 AM
I have two sites with an ASA5505 at one end and a 5525-X at the other end. We recently migrated our IP address space to a new /24. After doing this I cannot get the site-to-site VPN tunnel up. I get the following output from debug crypto isakmp:
Removing peer from peer table failed, no match!
Error: Unable to remove PeerTblEntry
As far as I can tell I have it set up correctly. I have the same networks listed on either side, the same encryption and DH group selected (as far as I can tell), and the same shared secret.
I tried to delete the config and use the Site-to-Site VPN wizard, but I got a message that I cannot remove the entry because it's still used by the Group Policy, in which I am unable to de-select the connection profile.
Any ideas here? It should be pretty straightforward, but I simply cannot get it to work. I do have various people (including myself) using the VPN client and that works without an issue, but I am hitting a roadblock with site-to-site.
05-31-2017 02:47 PM
Is that the only message you get with the debug? Can you run the debug at level 127 - "debug crypto isakmp 127" and paste the output? Also, attach a sanitized version of your configs so that someone can take a look.
06-01-2017 09:29 AM
First, I want to say I opened a ticket with TAC as well. They looked over it and said the configs look good and it should work (but maybe something was overlooked), but they think that something is "stuck" where the old IP address for the local peer is still in use on the remote peer. I tried rebooting the remote firewall. They suggested that we have to update the IOS and they cannot do anything further. But since it worked for several years with the currently installed IOSs, I should be able to get this back up.
This is the output from debug. Attached are sanitized configs.
Local:
IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.
uIPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.14, sport=17510, daddr=192.168.18.200, dport=17510
IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.14, sport=17510, daddr=192.168.18.200, dport=17510
IPSEC(crypto_map_check)-3: Checking crypto map MetroFW-External_map 1: matched.
Jun 01 08:40:21 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:21 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 08:40:23 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:23 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 08:40:25 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 01 08:40:25 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Remote:
Jun 01 00:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 01 00:38:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 00:38:53 [IKEv1]: Removing peer from peer table failed, no match!
Jun 01 00:38:53 [IKEv1]: Error: Unable to remove PeerTblEntry
Jun 01 00:38:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 01 00:38:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Jun 01 00:38:53 [IKEv1]: Removing peer from peer table failed, no match!
Jun 01 00:38:53 [IKEv1]: Error: Unable to remove PeerTblEntry
06-01-2017 04:41 PM
First, change your IKE/ISAKMP policies; you are using incorrect and mismatched proposals on both sides.
Configure this:
5505:
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
ASA5525:
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
Refer to the following document, this scenario is an exact match with what you are trying to do:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc13
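The failure above ("There is no valid IKE proposal available") comes from the two peers having no phase-1 policy whose authentication, encryption, hash and DH group all agree. As an added check that is not part of this thread or of Cisco's documentation, the following Python script parses the IKEv1 policy blocks from two sanitized ASA configs (the 5505 "crypto isakmp policy" syntax and the 5525-X "crypto ikev1 policy" syntax) and reports which policy pairs would actually match; the configs embedded in it are constructed samples, not the poster's attached configs.

```python
import re

# Constructed sample configs, one per peer. Only policy 20 agrees on all four
# negotiated attributes; policy 10 differs on each side, as in the thread's mismatch.
LOCAL_5505 = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""

REMOTE_5525 = """
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
ATTRS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {attr: value}} for every IKEv1 phase-1 policy in an ASA config."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in ATTRS:
            current[parts[0]] = parts[1]
    return policies

def matching_proposals(local, remote):
    """(local_prio, remote_prio) pairs whose auth/encryption/hash/group agree; lifetime
    is ignored on purpose because IKEv1 negotiates it down to the lower value."""
    lp, rp = parse_policies(local), parse_policies(remote)
    return [(l, r) for l, lpol in lp.items() for r, rpol in rp.items()
            if all(lpol.get(a) == rpol.get(a) for a in ATTRS)]
```

An empty result from matching_proposals means phase 1 can never complete, which is exactly what the debug output on both peers shows before the peer-table errors.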
06-01-2017 10:17 PM
That got us up and running! I changed encryption and hash based on something I read about the license and IOS I have on the 5505 possibly not supporting SHA, and I must have changed the authentication along the way somewhere.
Thanks!