
IKE Initiator

A site2site VPN has recently started giving me trouble. At the Remote site that is giving me problems I have an ASA5505. The main location has an ASA5510.

The remote site is unable to connect to the VPN or the internet, but at the main site there are messages showing up about the remote location.

Here are the errors I am getting (I will only block out the external IPs):

03:02:25      713041                   IP = (REMOTE SITE IP), IKE Initiator: New Phase 1, Intf inside, IKE Peer (REMOTE SITE IP)  local Proxy Address, remote Proxy Address,  Crypto map (outside_map)

03:02:25      713219                   IP =  (REMOTE SITE IP), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

03:03:30      713902                   IP = (REMOTE SITE IP), Removing peer from peer table failed, no match!

03:03:30      713903                   IP = (REMOTE SITE IP), Error: Unable to remove PeerTblEntry

Below I will post the configuration of the remote site's ASA
: Saved
ASA Version 7.2(4) 
hostname ***********
domain-name default.domain.invalid
enable password cG6huoT7zkzEam1d encrypted
passwd ********** encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 
access-list inside_nat0_outbound extended permit ip host 
access-list inside_nat0_outbound extended permit ip host 
access-list inside_nat0_outbound extended permit ip 
access-list camhh extended permit ip any 
access-list remotesupp_splitTunnelAcl standard permit 
access-list in-out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remotesupp_ippool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group in-out in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer ****MAIN SITE IP**** 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group homehealth request dialout pppoe
vpdn group homehealth localname ***************
vpdn group homehealth ppp authentication pap
vpdn username ************** password ********* 
dhcpd auto_config outside
dhcpd address inside
dhcpd dns ********** interface inside
dhcpd enable inside

group-policy remotesupp internal
group-policy remotesupp attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotesupp_splitTunnelAcl
username cisco password ************** encrypted
username ******* password *************** encrypted privilege 15
tunnel-group ****MAIN SITE IP**** type ipsec-l2l
tunnel-group ****MAIN SITE IP**** ipsec-attributes
 pre-shared-key *
tunnel-group remotesupp type ipsec-ra
tunnel-group remotesupp general-attributes
 address-pool remotesupp_ippool
 default-group-policy remotesupp
tunnel-group remotesupp ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

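The four syslog lines quoted above form a recognisable pattern: 713041 (the ASA initiates Phase 1), 713219 (traffic queued until the Phase 1 SA exists), and then, about a minute later, 713902/713903 (the peer entry is torn down without a Phase 1 SA ever having been built). Below is a small log parser, added here as an example and not part of the original post, that groups these messages per peer and reports initiations that never completed. It assumes the "time, message ID, text" layout shown in the question; the IP addresses in the sample lines are constructed placeholders, and message ID 713119 ("PHASE 1 COMPLETED") is used as the success marker even though it does not appear on this page.

```python
import re
from collections import OrderedDict

# One line of the ASA syslog layout quoted in the question:
#   HH:MM:SS  <6-digit msg id>  IP = <peer>, <text>
# The peer may be wrapped in parentheses, as in the redacted "(REMOTE SITE IP)".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<msgid>\d{6})\s+"
    r"IP\s*=\s*\(?(?P<peer>[^,()]+)\)?\s*,\s*(?P<text>.*)$"
)

# Message IDs used by the analysis. 713041, 713902 and 713903 appear in the
# question; 713119 (PHASE 1 COMPLETED) is the success message assumed here.
MSG_PHASE1_START = "713041"
MSG_PHASE1_DONE = "713119"
MSG_PEER_REMOVE_FAIL = {"713902", "713903"}

# Constructed sample input (placeholder addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
03:02:25 713041 IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address, remote Proxy Address, Crypto map (outside_map)
03:02:25 713219 IP = 203.0.113.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
03:03:30 713902 IP = 203.0.113.10, Removing peer from peer table failed, no match!
03:03:30 713903 IP = 203.0.113.10, Error: Unable to remove PeerTblEntry
03:05:00 713041 IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.7 local Proxy Address, remote Proxy Address, Crypto map (outside_map)
03:05:01 713119 IP = 198.51.100.7, PHASE 1 COMPLETED
"""


def _to_seconds(hhmmss):
    """Convert HH:MM:SS to seconds since midnight (no day-wrap handling)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict with time, msgid, peer and text, or None if the line
    does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["peer"] = rec["peer"].strip()
    return rec


def analyze(log_text):
    """Track Phase 1 outcome per peer.

    For every peer we record when the most recent Phase 1 was initiated,
    whether a completion message followed, and how many seconds elapsed
    from initiation to the peer-table removal error (if any)."""
    peers = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        state = peers.setdefault(
            rec["peer"],
            {"started_at": None, "completed": False,
             "removed_after_s": None, "events": []},
        )
        state["events"].append(rec["msgid"])
        t = _to_seconds(rec["time"])
        if rec["msgid"] == MSG_PHASE1_START:
            # A new initiation resets the outcome for this peer.
            state["started_at"] = t
            state["completed"] = False
            state["removed_after_s"] = None
        elif rec["msgid"] == MSG_PHASE1_DONE:
            state["completed"] = True
        elif (rec["msgid"] in MSG_PEER_REMOVE_FAIL
              and state["started_at"] is not None
              and state["removed_after_s"] is None):
            state["removed_after_s"] = t - state["started_at"]
    return peers


def failed_initiations(peers):
    """Peers where Phase 1 was initiated but never completed before the
    peer-table cleanup: the 'remote side not answering' signature."""
    return [
        peer for peer, s in peers.items()
        if s["started_at"] is not None
        and not s["completed"]
        and s["removed_after_s"] is not None
    ]


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for peer in failed_initiations(result):
        print(f"{peer}: Phase 1 initiated, no completion, "
              f"peer entry removed after {result[peer]['removed_after_s']}s")
```

Run against the sample it flags 203.0.113.10 with a 65-second gap between initiation and removal, which matches the timestamps in the question and is consistent with the expert's reading that the main site simply never gets a reply from the remote ASA. Feeding it a real `show logging` capture separates "never answered" peers from peers that negotiate and then fail later, which is the first distinction worth making before touching crypto settings.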

1 Solution
The errors you see are probably due to the local site trying to access the remote and finding no remote device.

Obviously, if the remote ASA can't get to the internet, then of course there will be no VPN. So let's start with the internet issue.

When did it begin? Any changes to the ASA, routing, external, ISP, etc.? Can the remote ASA's outside interface ping the gateway? Can it ping beyond the gateway to anything, i.e.

Since it is PPPoE, a good test of the internet connection is to put a laptop connected to the PPPoE modem/router and try connecting to the ISP using the Windows PPPoE client. I would check that before anything else.
It is correct, please check the internet connection first...

1. Can you ping the remote peer? Or try to ping your default gateway...
2. if you try to trigger the tunnel from the remote side, what do you see if you do
"show crypto isakmp sa"
3. Are you able to do an ike scan to your public IP?
Do you see something?
Example: ike-scan PUBLIC_IP_REMOTE

Can you please attach the output of the "show arp" command.
pchmark (Author) commented:
Nothing has changed on the ASA for over 1 year. This has happened for about 3 months now. I went to the site and checked a few things on it. The internet does work from the modem. I believe I know what a possible solution is to this. They have DSL. I checked the phone system and there is no filter on it, so this could be the cause of the internet/VPN dropping.
Very possible. Without the filters on the lines, telephone signals can interfere with the DSL service...

I'm checking back on my older, open items...   was there anything else we could answer for you in relation to this post?