Solved

Rejecting IPSec tunnel

Posted on 2008-06-17
2
7,274 Views
Last Modified: 2011-10-19
Hi All,

Iam setting up a VPN site to Site with a Fortigate router, It shows the Phase 1 is completed and the second phase is not able to complete. The error log shows errors that not matching the crypto map entry. Please find the errors as follows,
AAA retrieved default group policy (DfltGrpPolicy) for user = 217.112.144.84

Group = 217.112.144.84, IP = 217.112.144.84, Freeing previously allocated memory for authorization-dn-attributes

IP = 217.112.144.84, Received encrypted packet with no matching SA, dropping

Group = 217.112.144.84, Username = 217.112.144.84, IP = 217.112.144.84, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Group = 217.112.144.84, IP = 217.112.144.84, Removing peer from correlator table failed, no match!

Group = 217.112.144.84, IP = 217.112.144.84, QM FSM error (P2 struct &0x395e020, mess id 0x7ed53fbb)!

Group = 217.112.144.84, IP = 217.112.144.84, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 217.112.144.84/255.255.255.255/0/0 local proxy 192.168.25.0/255.255.255.0/0/0 on interface outside

Group = 217.112.144.84, IP = 217.112.144.84, PHASE 1 COMPLETED

The configs of ASA is also attached.

Thanks in advance,

Regards..
ezetop-configs.txt
0
Comment
Question by:aime14
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
mabutterfield earned 500 total points
ID: 21803464
It looks like your encryption domains don't match.  The fortigate is trying to setup VPN for 192.168.25.0/24 on your end.  

You should adjust your cryptomap ACL.  


access-list outside_1_cryptomap extended permit ip host 213.255.196.50 host 217.112.144.84

should be

access-list outside_1_cryptomap extended permit ip 192.168.25.0 255.255.255.0 host 217.112.144.84
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question