
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1475

Cannot get ASA 5505 to connect site to site VPN

I cannot get this ASA 5505 to connect to a remote ASA 5505 via VPN. Other locations can connect to the remote ASA except this one. This ASA is behind another PIX so I am using the nat-traversal command but it still will not connect. Using syslog, I receive the following errors:

IP: x.x.x.x Error: Unable to remove perr Tbl entry
IP: x.x.x.x Removing peer from peer table failed, no match

When I run sh cry ip sa it states there are none. The VPN light on the ASA is not lit.

Below is the config:

ASA Version 7.2(4) 
hostname ciscoasa
domain-name xxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.x.x.x 
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.x.x 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxxx
access-list outside_1_cryptomap extended permit ip host 10.x.x.x host 10.x.x.x
access-list inside_nat0_outbound extended permit ip host 10.x.x.x host 10.x.x.x 
access-list inside_nat0_outbound extended permit 10.x.x.x 10.x.x.x 
access-list outside_1_cryptomap_1 extended permit ip 10.x.x.x 10.x.x.x 
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
prompt hostname context 
: end

1 Solution
I can't see any obvious mistakes in your local ASA config, so you might want to make sure that:

- the PIX in front of the local ASA is configured to pass and NAT udp/500 _and_ udp/4500 packets from your local ASA
- the head-end ASA also is configured for NAT-traversal

Otherwise you will have to further investigate what is happening with the tunnel packet.

Good luck!
valicon (Author) commented:
nat-traversal has been enabled on the head end and this is the only device that will not connect to the head end....
If you could post the config of the other end it might be easier to pinpoint the error.
valicon (Author) commented:
I cannot get that
valicon (Author) commented:
It seems that I am now able to complete Phase I of IKE but not Phase II. I am getting a Removing peer from correlator table, match failed error....
valicon (Author) commented:
I solved this myself. It was a problem with the access list and subnet mask of the interface.
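The asker's fix was the crypto access list together with the interface subnet mask, which is exactly the Phase 2 proxy-ID mismatch that lets Phase 1 complete and then fails the IPsec SA. As an added example (not from the thread or from Cisco), the Python below parses the relevant lines of two ASA configs and reports the three usual Phase 2 mistakes: the remote crypto ACL is not the mirror of the local one, the local network in the crypto ACL does not fit inside a directly connected interface subnet, and the pair is not covered by the nat 0 exemption ACL. ACL names are the ones in the posted config; the addresses are constructed, since the thread's were redacted as 10.x.x.x.

```python
# Added example (not from the thread): check that ASA site-to-site Phase 2
# proxy IDs line up. Sample config below is constructed (thread addresses were
# redacted as 10.x.x.x); only "permit ip" entries with host/mask forms are parsed.
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)")
IF_RE = re.compile(r"ip address (\S+) (\S+)")

def _net(tok):
    """'host A' or 'A MASK' -> ip_network; dotted masks become prefix lengths."""
    a, b = tok.split()
    return (ipaddress.ip_network(b) if a == "host"
            else ipaddress.ip_network(f"{a}/{b}", strict=False))

def parse(cfg):
    """Return ({acl_name: [(src, dst), ...]}, [directly connected networks])."""
    acls, ifaces = {}, []
    for line in cfg.splitlines():
        if m := ACL_RE.search(line):
            acls.setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
        elif m := IF_RE.search(line):
            ifaces.append(_net(f"{m.group(1)} {m.group(2)}"))
    return acls, ifaces

def check_phase2(local_cfg, remote_cfg, local_acl, remote_acl, nat0_acl):
    """List Phase 2 problems; an empty list means the proxy IDs look consistent."""
    problems = []
    acls, ifaces = parse(local_cfg)
    # The remote crypto ACL must be the exact mirror image (its dst is our src).
    mirrored = {(d, s) for s, d in parse(remote_cfg)[0].get(remote_acl, [])}
    nat0 = acls.get(nat0_acl, [])
    for src, dst in acls.get(local_acl, []):
        if (src, dst) not in mirrored:
            problems.append(f"remote crypto ACL is not the mirror of {src} -> {dst}")
        if not any(src.subnet_of(n) for n in ifaces):
            problems.append(f"{src} does not fit inside any local interface subnet")
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
            problems.append(f"{src} -> {dst} is not covered by the nat 0 exemption")
    return problems

# Constructed sample: crypto ACL uses a /16 while the inside interface is a /24.
LOCAL_CFG = """interface Vlan1
 ip address 10.1.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap_1"""
REMOTE_CFG = "access-list outside_1_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"

def demo():
    return check_phase2(LOCAL_CFG, REMOTE_CFG, "outside_1_cryptomap_1",
                        "outside_1_cryptomap", "inside_nat0_outbound")
```

Running `demo()` on the sample reports all three problems; rewriting the crypto ACL entry as 10.1.1.0 255.255.255.0 makes the check return an empty list.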
