Cannot get ASA 5505 to connect site to site VPN

Posted on 2009-04-16
Last Modified: 2012-05-06
I cannot get this ASA 5505 to connect to a remote ASA 5505 via VPN. Other locations can connect to the remote ASA except this one. This ASA is behind another PIX so I am using the nat-traversal command but it still will not connect. Using syslog, I receive the following errors:

IP: x.x.x.x Error: Unable to remove perr Tbl entry
IP: x.x.x.x Removing peer from peer table failed, no match

When I run sh cry ip sa it states there are none. The VPN light on the ASA is not lit.

Below is the config:

ASA Version 7.2(4) 


hostname ciscoasa

domain-name xxxxxxx

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted



interface Vlan1

 nameif inside

 security-level 100

 ip address 10.x.x.x 


interface Vlan2

 nameif outside

 security-level 0

 ip address 192.168.x.x 


interface Ethernet0/0

 switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


ftp mode passive

dns server-group DefaultDNS

 domain-name xxxxxxxxxx

access-list outside_1_cryptomap extended permit ip host 10.x.x.x host 10.x.x.x

access-list inside_nat0_outbound extended permit ip host 10.x.x.x host 10.x.x.x 

access-list inside_nat0_outbound extended permit 10.x.x.x 10.x.x.x 

access-list outside_1_cryptomap_1 extended permit ip 10.x.x.x 10.x.x.x 

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

no failover

monitor-interface inside

monitor-interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

route outside x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 10.x.x.x inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto map outside_map 1 match address outside_1_cryptomap_1

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer x.x.x.x 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside


tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

 pre-shared-key *



prompt hostname context 


: end

Open in new window

Question by:valicon
    LVL 1

    Expert Comment

    I can't see any obvious mistakes in your local ASA config, so you might want to make sure that:

    - the PIX in front of of the local ASA is configured to pass and NAT udp/500 _and_ udp/4500 packets from your local ASA
    - the head-end ASA also is configured for NAT-traversal

    Otherwise you will have to further investigate what is happening with the tunnel packet.

    Good luck!
    LVL 12

    Author Comment

    nat-traversal has been enabled on the head end and this is the only device that will not connect to the head end....
    LVL 9

    Expert Comment

    If you could post the config of the other end it might be easier to pinpoint the error.
    LVL 12

    Author Comment

    I cannot get that
    LVL 12

    Author Comment

    It seems that I am now able to complete Phase I of IKE but not Phase II. I am getting a Removing peer from correlator table, match failed error....
    LVL 12

    Accepted Solution

    I solved this myself. It was a problem with the access list and subnet mask of the interface.

    Featured Post

    PRTG Network Monitor: Intuitive Network Monitoring

    Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

    Join & Write a Comment

    Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
    This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now