IKE Initiator

Posted on 2009-12-29
Last Modified: 2012-05-08
A site2site VPN has recently started giving me trouble. At the Remote site that is giving me problems I have an ASA5505. The main location has an ASA5510.

The remote site is unable to connect to the VPN or the internet, but at the main site there are messages showing up about the remote location.

Here are the errors I am getting (I will only block out the external IPs):

03:02:25      713041                   IP = (REMOTE SITE IP), IKE Initiator: New Phase 1, Intf inside, IKE Peer (REMOTE SITE IP)  local Proxy Address, remote Proxy Address,  Crypto map (outside_map)

03:02:25      713219                   IP =  (REMOTE SITE IP), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

03:03:30      713902                   IP = (REMOTE SITE IP), Removing peer from peer table failed, no match!

03:03:30      713903                   IP = (REMOTE SITE IP), Error: Unable to remove PeerTblEntry

Below I will post the configuration of the remote site's ASA:
: Saved

ASA Version 7.2(4)

hostname ***********
domain-name default.domain.invalid
enable password cG6huoT7zkzEam1d encrypted
passwd ********** encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host
access-list inside_nat0_outbound extended permit ip host
access-list inside_nat0_outbound extended permit ip host
access-list inside_nat0_outbound extended permit ip
access-list camhh extended permit ip any
access-list remotesupp_splitTunnelAcl standard permit
access-list in-out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotesupp_ippool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group in-out in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer ****MAIN SITE IP****
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group homehealth request dialout pppoe
vpdn group homehealth localname ***************
vpdn group homehealth ppp authentication pap
vpdn username ************** password *********
dhcpd auto_config outside

dhcpd address inside
dhcpd dns ********** interface inside
dhcpd enable inside

group-policy remotesupp internal
group-policy remotesupp attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotesupp_splitTunnelAcl
username cisco password ************** encrypted
username ******* password *************** encrypted privilege 15
tunnel-group ****MAIN SITE IP**** type ipsec-l2l
tunnel-group ****MAIN SITE IP**** ipsec-attributes
 pre-shared-key *
tunnel-group remotesupp type ipsec-ra
tunnel-group remotesupp general-attributes
 address-pool remotesupp_ippool
 default-group-policy remotesupp
tunnel-group remotesupp ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Question by:pchmark
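As an added example that is not part of the original question or its answers, here is a small Python classifier that groups ASA IKE syslog lines by peer and reports whether each Phase 1 the ASA initiated ever completed. It uses the four message IDs quoted in the question (713041, 713219, 713902, 713903) plus 713119, the standard ASA "PHASE 1 COMPLETED" message, which is assumed here rather than taken from the page; the sample log lines are constructed, with RFC 5737 test addresses standing in for the redacted peer IPs.

```python
"""Classify ASA IKE (ISAKMP) syslog messages per peer to spot Phase 1
negotiations that start but never complete.

Added example, not from the original post. Message IDs 713041, 713219,
713902 and 713903 are the ones quoted in the question; 713119
("PHASE 1 COMPLETED") is the standard ASA message for a successful Phase 1
and is assumed here. The sample log lines are constructed.
"""
import re
from collections import defaultdict

# Matches the log layout shown in the question: time, six-digit message id,
# then the body, which starts with "IP = <peer>" (or "Group = x, IP = y").
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+(?P<body>.*)$"
)
PEER_RE = re.compile(r"IP\s*=\s*(?P<peer>[^,]+)")

P1_START = "713041"       # IKE Initiator: New Phase 1
P1_COMPLETE = "713119"    # PHASE 1 COMPLETED (assumed standard id)
P1_QUEUED = "713219"      # Queuing KEY-ACQUIRE until P1 SA is complete
P1_TEARDOWN = {"713902", "713903"}  # peer-table removal failed / PeerTblEntry


def parse_line(line):
    """Return (time, msgid, peer, body), or None when the line is not an IKE line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PEER_RE.search(m["body"])
    peer = p["peer"].strip() if p else None
    return m["time"], m["msgid"], peer, m["body"]


def classify_peers(lines):
    """Group IKE messages by peer and label each peer's Phase 1 outcome.

    Outcomes:
      "completed"       - a 713041 start was followed by 713119 for that peer
      "never_completed" - start seen, no 713119, and the SA was torn down
      "in_progress"     - start seen, nothing conclusive yet
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2]:
            _, msgid, peer, _ = parsed
            events[peer].append(msgid)

    result = {}
    for peer, ids in events.items():
        if P1_START not in ids:
            continue
        if P1_COMPLETE in ids:
            result[peer] = "completed"
        elif P1_TEARDOWN & set(ids):
            result[peer] = "never_completed"
        else:
            result[peer] = "in_progress"
    return result


# Constructed sample shaped like the lines in the question; 198.51.100.7 and
# 203.0.113.9 are RFC 5737 test addresses, not real peers.
SAMPLE_LOG = """
03:02:25      713041   IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.7  local Proxy Address, remote Proxy Address,  Crypto map (outside_map)
03:02:25      713219   IP = 198.51.100.7, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
03:03:30      713902   IP = 198.51.100.7, Removing peer from peer table failed, no match!
03:03:30      713903   IP = 198.51.100.7, Error: Unable to remove PeerTblEntry
03:05:01      713041   IP = 203.0.113.9, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.9  local Proxy Address, remote Proxy Address,  Crypto map (outside_map)
03:05:02      713119   Group = 203.0.113.9, IP = 203.0.113.9, PHASE 1 COMPLETED
""".strip().splitlines()

if __name__ == "__main__":
    for peer, outcome in sorted(classify_peers(SAMPLE_LOG).items()):
        print(f"{peer}: {outcome}")
```

Applied to the question's own lines, the 713902/713903 pair arrives 65 seconds after the initiator's first message with no completion in between, which fits a peer that never answered; that is why the replies send the asker to basic connectivity before looking at the VPN configuration.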
    LVL 33

    Expert Comment

    The errors you see are probably due to the local site trying to access the remote and finding no remote device.

    Obviously, if the remote ASA can't get to the internet, then of course there will be no VPN. So let's start with the internet issue.

    When did it begin? Any changes to the ASA, external routing, ISP, etc.? Can the remote ASA's outside interface ping the gateway? Can it ping beyond the gateway to anything, i.e.

    Since it is PPPOE, a good test of the internet connection is to put a laptop connected to the PPPOE modem/router and try connecting to the ISP using the Windows PPPOE client.   I would check that before anything else.
    LVL 7

    Expert Comment

    That is correct, please check the internet connection first...

    1. Can you ping the remote peer? Or try to ping your default gateway...
    2. If you try to trigger the tunnel from the remote side, what do you see if you do
    "show crypto isakmp sa"?
    3. Are you able to do an IKE scan to your public IP?
    Do you see something?
    Example: ike-scan PUBLIC_IP_REMOTE

    Can you please attach the output of the "show arp" command?
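Step 2 above asks what "show crypto isakmp sa" reports. As an added example (not output or code from the thread), this Python snippet parses the ASA 7.x/8.x layout of that command and turns the main-mode state into a plain-language hint. The sample output is constructed, and the state-to-hint table is this example's own reading of the IKEv1 main-mode exchange (an initiator stuck in MM_WAIT_MSGn has sent message n-1 and received no reply), not text from the page.

```python
"""Read ASA "show crypto isakmp sa" output and explain the Phase 1 state.

Added example, not from the thread. The output layout follows the ASA
7.x/8.x "show crypto isakmp sa" format; the hints are this example's own
interpretation of the IKEv1 main-mode state machine. Sample output is
constructed.
"""
import re

PEER_RE = re.compile(r"IKE Peer:\s*(?P<peer>\S+)")
FIELD_RE = re.compile(r"(?P<key>Type|Role|Rekey|State)\s*:\s*(?P<val>\S+)")

# What each main-mode state means for the initiator (constructed hints).
STATE_HINTS = {
    "MM_WAIT_MSG2": "sent MSG1, no reply: peer unreachable, ISAKMP not enabled "
                    "on its outside interface, or no matching Phase 1 policy there",
    "MM_WAIT_MSG4": "proposal accepted, key exchange stalled: check for something "
                    "between the peers dropping or altering UDP/500",
    "MM_WAIT_MSG6": "identity/hash sent, no reply: typically pre-shared key or "
                    "tunnel-group mismatch on the responder",
    "MM_ACTIVE": "Phase 1 complete; if traffic still fails, check Phase 2 "
                 "(transform set, PFS group, crypto ACL)",
}


def parse_isakmp_sa(text):
    """Return one dict per SA with keys peer, Type, Role, Rekey, State."""
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m["peer"]}
            sas.append(current)
            continue
        if current is not None:
            for f in FIELD_RE.finditer(line):
                current[f["key"]] = f["val"]
    return sas


def explain(sa):
    """Human-readable verdict for one SA entry."""
    state = sa.get("State", "?")
    hint = STATE_HINTS.get(state, "state not covered by this example's table")
    return f"{sa['peer']} ({sa.get('Type', '?')}, {sa.get('Role', '?')}): {state}: {hint}"


# Constructed sample in the ASA 7.x/8.x layout; 198.51.100.7 is a test address.
SAMPLE_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(explain(sa))
```

An initiator that sits in MM_WAIT_MSG2 has never heard back from the peer at all, which is the state that matches the 713041 followed by 713902/713903 pattern in the question and points at connectivity rather than at the crypto configuration.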

    Author Comment

    Nothing has changed on the ASA for over 1 year. This has happened for about 3 months now. I went to the site and checked a few things on it. The internet does work from the modem. I believe I know what a possible solution to this is. They have DSL. I checked the phone system and there is no filter on it, so this could be the cause of the internet/VPN dropping.
    LVL 33

    Accepted Solution

    Very possible. Without the filters on the lines, telephone signals can interfere with the DSL service...

    LVL 33

    Expert Comment

    I'm checking back on my older, open items...   was there anything else we could answer for you in relation to this post?
