ASA 5510 - Cisco 2811 Site to Site VPN Error - Can't find valid tunnel group

Hi

I am having a Site to Site VPN error using the following devices:
Device: ASA 5510 on my site
Device: Cisco Router 2811 on remote site

The errors I got from my ASA 5510 log file are:

4|Jul 14 2007 11:50:28|713903: Group = xxx.xxx.xxx.xx, IP = xxx.xxx.xxx.xx, Error: Unable to remove PeerTblEntry
3|Jul 14 2007 11:50:28|713902: Group = xxx.xxx.xxx.xx, IP = xxx.xxx.xxx.xx, Removing peer from peer table failed, no match!
4|Jul 14 2007 11:50:28|713903: Group = xxx.xxx.xxx.xx, IP = xxx.xxx.xxx.xx, Can't find a valid tunnel group, aborting...!
4|Jul 14 2007 11:49:37|713903: IP = xxx.xxx.xxx.xx, Header invalid, missing SA payload! (next payload = 4)

where xxx is the IP address of the remote router.

The tunnel status is down now.

What would be the problem? If you need more info, please ask me.

Thanks ...

Here's the running config of my ASA:

asdm image disk0:/asdm506.bin
asdm location 172.16.100.65 255.255.255.255 DMZ
asdm location 10.200.0.65 255.255.255.255 LAN
no asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname SultanASA
domain-name Something.com
enable password rWinqAaBq9LPAhmT encrypted
names
dns-guard
!
interface Ethernet0/0
 description Wan Connection ( to QualityNet )
 nameif WAN
 security-level 0
 ip address XXX.XXX.137.153 255.255.255.192
!
interface Ethernet0/1
 description DMZ of Sultan
 nameif DMZ
 security-level 90
 ip address 172.16.100.1 255.255.255.0
!
interface Ethernet0/2
 description Sultan LAN ( 10.0.0.0 )
 nameif LAN
 security-level 100
 ip address 10.200.0.3 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd rWinqAaBq9LPAhmT encrypted

clock timezone AST 3
dns domain-lookup LAN
dns name-server 10.200.0.31
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list DMZ_access_in extended permit icmp any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_nat0_outbound extended permit ip any 10.203.0.0 255.255.255.240
access-list LAN_nat0_outbound extended permit ip 10.200.0.0 255.255.0.0 host xx.xx.xx.xx
access-list Users_splitTunnelAcl standard permit any
access-list DMZ_nat0_outbound extended permit ip any 10.203.0.0 255.255.255.224
access-list WAN_access_in extended permit tcp any host 172.16.100.65
access-list WAN_cryptomap_20 extended permit ip 10.200.0.0 255.255.0.0 host xx.xx.xx.xx
access-list DMZ_pnat_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu DMZ 1500
mtu LAN 1500
mtu management 1500
ip local pool SultanVpnUsers 10.203.0.100-10.203.0.110 mask 255.255.255.0
ip local pool SultanVPNadmins 10.203.0.1-10.203.0.10 mask 255.255.255.0
ip local pool Tsc 10.203.0.15-10.203.0.20 mask 255.255.0.0
icmp permit 10.200.0.0 255.255.0.0 LAN
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (WAN) 200 interface
global (DMZ) 200 XXX.XXX.137.154-XXX.XXX.137.155
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 200 access-list DMZ_pnat_outbound
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 200 10.200.0.0 255.255.0.0
static (DMZ,DMZ) XXX.XXX.137.156 172.16.100.65 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group DMZ_access_in in interface DMZ
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 XXX.XXX.137.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Admins internal
group-policy Admins attributes
 vpn-tunnel-protocol IPSec
 webvpn
group-policy Users internal
group-policy Users attributes
 dns-server value 10.200.0.31
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Users_splitTunnelAcl
 default-domain value Something.com
 webvpn
group-policy TSC internal
group-policy TSC attributes
 dns-server value 10.200.0.31
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 webvpn
username michael password iK0Q464llOU2axLg encrypted privilege 0
username michael attributes
 vpn-group-policy Users
 webvpn
username manu password BbmHBpDW.1GXswrS encrypted privilege 15
username manu attributes
 vpn-group-policy Admins
 vpn-tunnel-protocol IPSec
 password-storage enable
 group-lock value Admins
 webvpn
http server enable
http 10.200.0.0 255.255.0.0 LAN
http 192.168.1.0 255.255.255.0 management
http redirect WAN 80
http redirect DMZ 80
http redirect LAN 80
http redirect management 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-DES-MD5
crypto map WAN_map 20 match address WAN_cryptomap_20
crypto map WAN_map 20 set peer xx.xx.xx.xx
crypto map WAN_map 20 set transform-set ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
isakmp enable WAN
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Admins type ipsec-ra
tunnel-group Admins general-attributes
 address-pool SultanVPNadmins
 default-group-policy Admins
 strip-realm
 strip-group
tunnel-group Admins ipsec-attributes
 pre-shared-key *
 radius-with-expiry
tunnel-group Users type ipsec-ra
tunnel-group Users general-attributes
 address-pool SultanVpnUsers
 default-group-policy Users
tunnel-group Users ipsec-attributes
 pre-shared-key *
tunnel-group TSC type ipsec-ra
tunnel-group TSC general-attributes
 address-pool Tsc
 default-group-policy TSC
tunnel-group TSC ipsec-attributes
 pre-shared-key *
tunnel-group "Tunnel to Oman_xx.xx.xx.xx" type ipsec-l2l
tunnel-group "Tunnel to Oman_xx.xx.xx.xx" ipsec-attributes
 pre-shared-key *
telnet 172.16.100.0 255.255.255.0 DMZ
telnet 10.200.1.0 255.255.255.255 LAN
telnet 10.200.0.0 255.255.0.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:478788dd95d6d29f3d60e9b1ff651f14
: end

Thanks a lot ....
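
The following check is an added example, not part of the original post or its replies. It assumes the ASA behaviour that a LAN-to-LAN tunnel authenticated with a pre-shared key is matched to a tunnel-group by the peer's IP address (the log above shows the lookup as "Group = <peer IP>"), and it flags crypto-map peers that have no ipsec-l2l tunnel-group named exactly by that address. The address 192.0.2.10 is a constructed stand-in for the masked peer, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the posted config; 192.0.2.10 is a
# documentation-range stand-in for the masked peer address.
SAMPLE_CONFIG = """\
crypto map WAN_map 20 match address WAN_cryptomap_20
crypto map WAN_map 20 set peer 192.0.2.10
crypto map WAN_map 20 set transform-set ESP-DES-MD5
tunnel-group Users type ipsec-ra
tunnel-group "Tunnel to Oman_192.0.2.10" type ipsec-l2l
tunnel-group "Tunnel to Oman_192.0.2.10" ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r'^crypto map (\S+) (\d+) set peer (.+)$')
TG_TYPE_RE = re.compile(r'^tunnel-group ("[^"]+"|\S+) type (\S+)$')


def parse(config):
    """Return (peers, groups): crypto-map peers and tunnel-group name -> type."""
    peers, groups = [], {}
    for line in map(str.rstrip, config.splitlines()):
        m = PEER_RE.match(line)
        if m:
            for addr in m.group(3).split():  # a map entry may list several peers
                peers.append((m.group(1), int(m.group(2)), addr))
            continue
        m = TG_TYPE_RE.match(line)
        if m:
            groups[m.group(1).strip('"')] = m.group(2)
    return peers, groups


def check_l2l_tunnel_groups(config):
    """List findings for peers lacking an ipsec-l2l tunnel-group named by IP."""
    peers, groups = parse(config)
    findings = []
    for map_name, seq, addr in peers:
        if groups.get(addr) == "ipsec-l2l":
            continue
        near = [n for n, t in groups.items() if t == "ipsec-l2l" and addr in n]
        hint = f"; '{near[0]}' contains the address but is not named by it" if near else ""
        findings.append(f"{map_name} {seq}: no ipsec-l2l tunnel-group named {addr}{hint}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_l2l_tunnel_groups(SAMPLE_CONFIG)))
```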
Accepted Solution by lrmoore:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
Author Comment by manu4u:

All comments and solutions are available to Premium Service Members only.

Start your 7-day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
Loading Advertisement...
20080924-EE-VQP-41