?
Solved

Rejecting IPSec tunnel

Posted on 2008-06-17
2
Medium Priority
?
7,650 Views
Last Modified: 2011-10-19
Hi All,

Iam setting up a VPN site to Site with a Fortigate router, It shows the Phase 1 is completed and the second phase is not able to complete. The error log shows errors that not matching the crypto map entry. Please find the errors as follows,
AAA retrieved default group policy (DfltGrpPolicy) for user = 217.112.144.84

Group = 217.112.144.84, IP = 217.112.144.84, Freeing previously allocated memory for authorization-dn-attributes

IP = 217.112.144.84, Received encrypted packet with no matching SA, dropping

Group = 217.112.144.84, Username = 217.112.144.84, IP = 217.112.144.84, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Group = 217.112.144.84, IP = 217.112.144.84, Removing peer from correlator table failed, no match!

Group = 217.112.144.84, IP = 217.112.144.84, QM FSM error (P2 struct &0x395e020, mess id 0x7ed53fbb)!

Group = 217.112.144.84, IP = 217.112.144.84, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 217.112.144.84/255.255.255.255/0/0 local proxy 192.168.25.0/255.255.255.0/0/0 on interface outside

Group = 217.112.144.84, IP = 217.112.144.84, PHASE 1 COMPLETED

The configs of ASA is also attached.

Thanks in advance,

Regards..
ezetop-configs.txt
0
Comment
Question by:aime14
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
mabutterfield earned 2000 total points
ID: 21803464
It looks like your encryption domains don't match.  The fortigate is trying to setup VPN for 192.168.25.0/24 on your end.  

You should adjust your cryptomap ACL.  


access-list outside_1_cryptomap extended permit ip host 213.255.196.50 host 217.112.144.84

should be

access-list outside_1_cryptomap extended permit ip 192.168.25.0 255.255.255.0 host 217.112.144.84
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question