  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1475
  • Last Modified:

Cannot get ASA 5505 to connect site to site VPN

I cannot get this ASA 5505 to connect to a remote ASA 5505 via VPN. Other locations can connect to the remote ASA except this one. This ASA is behind another PIX so I am using the nat-traversal command but it still will not connect. Using syslog, I receive the following errors:

IP: x.x.x.x Error: Unable to remove perr Tbl entry
IP: x.x.x.x Removing peer from peer table failed, no match

When I run sh cry ip sa it states there are none. The VPN light on the ASA is not lit.

Below is the config:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name xxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.x.x.x 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.x.x 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxxx
access-list outside_1_cryptomap extended permit ip host 10.x.x.x host 10.x.x.x
access-list inside_nat0_outbound extended permit ip host 10.x.x.x host 10.x.x.x 
access-list inside_nat0_outbound extended permit 10.x.x.x 255.255.255.0 10.x.x.x 255.255.255.0 
access-list outside_1_cryptomap_1 extended permit ip 10.x.x.x 255.255.255.0 10.x.x.x 255.255.255.0 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.x.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:ae792d26eeb2e2779cbecd3072dabd7e
: end

Asked by: valicon

1 Solution

elchy Commented:
I can't see any obvious mistakes in your local ASA config, so you might want to make sure that:

- the PIX in front of the local ASA is configured to pass and NAT udp/500 _and_ udp/4500 packets from your local ASA
- the head-end ASA also is configured for NAT-traversal

Otherwise you will have to further investigate what is happening with the tunnel packet.

Good luck!
0
 
valicon (Author) Commented:
nat-traversal has been enabled on the head end and this is the only device that will not connect to the head end....
0
 
Donboo Commented:
If you could post the config of the other end it might be easier to pinpoint the error.
0
 
valicon (Author) Commented:
I cannot get that
0
 
valicon (Author) Commented:
It seems that I am now able to complete Phase I of IKE but not Phase II. I am getting a Removing peer from correlator table, match failed error....
0
 
valicon (Author) Commented:
I solved this myself. It was a problem with the access list and subnet mask of the interface.
0
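The Phase II failure reported above ("Removing peer from correlator table, match failed") and the fix the asker found (crypto access list and subnet mask) both come down to proxy identities that do not mirror each other across the two ends, or to interesting traffic that gets PAT'd before it can match the crypto map. As an added example that is not part of this thread, the Python below parses `access-list ... extended permit ip` entries from both peers, checks that every local src/dst pair appears reversed on the remote side, and checks that the local nat0 exemption covers every crypto ACE; the ACL text and addresses are constructed samples, not the poster's config.

```python
import ipaddress
import re

# Constructed sample ACLs for both tunnel ends (not the config from the post).
LOCAL_CRYPTO = "access-list outside_1_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
REMOTE_CRYPTO = "access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"
LOCAL_NAT0 = "access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"

# One ACE: 'access-list NAME extended permit ip SRC DST', where SRC/DST is
# 'host A', 'A MASK' (dotted netmask, as the ASA writes it) or 'any'.
ENDPOINT = r"(host\s+\S+|any|\S+\s+\S+)"
ACE_RE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+" + ENDPOINT + r"\s+" + ENDPOINT + r"\s*$")

def parse_endpoint(tok):
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = parts
    # strict=False masks off host bits in ADDR; the prefix length is what must agree with the peer.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """Return (src_net, dst_net) pairs for every permit-ip ACE; lines that do not parse are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            pairs.append((parse_endpoint(m.group(1)), parse_endpoint(m.group(2))))
    return pairs

def mismatched_proxy_ids(local_text, remote_text):
    """Local ACEs with no exact mirror image (dst, src) on the peer: Phase 2 proposal selection fails for these."""
    remote = set(parse_acl(remote_text))
    return [(s, d) for s, d in parse_acl(local_text) if (d, s) not in remote]

def nat0_gaps(crypto_text, nat0_text):
    """Crypto ACEs not fully covered by a NAT-exemption ACE: that traffic is PAT'd and never matches the crypto map."""
    exempt = parse_acl(nat0_text)
    return [(s, d) for s, d in parse_acl(crypto_text)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

if __name__ == "__main__":
    print("proxy-ID mismatches:", mismatched_proxy_ids(LOCAL_CRYPTO, REMOTE_CRYPTO))
    print("nat0 gaps:", nat0_gaps(LOCAL_CRYPTO, LOCAL_NAT0))
```

A wrong interface mask on one side shows up here as a prefix-length mismatch in the first check; an ACE that the regex cannot parse (for example one missing the `ip` keyword) is simply absent from the output, so compare the count of parsed entries against the running config as well.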
