troubleshooting Question

Cisco 5505 Configuration - KEv1 was unsuccessful at setting up a tunnel

Avatar of Tim OBrien
Tim OBrien asked on
RoutersVPNHardware FirewallsInternet Protocol SecurityCisco
11 Comments2 Solutions13411 ViewsLast Modified:
I am a new Employee at a company and was asked to configure a CISCO ASA 5505 , first time doing this and was told to copy the running configuration from a current working ASA and modify it on the current ASA.

Both ASAs have same firmware - 8.4.3
Ran crypto key generation rsa (Don't know if relevant as I am leaning how all the protocols are involved in VPN communication)

I copied the running configuration and thought I modified it correctly but when ASA startup configure was reload the logging loops with the following

%ASA-4-713157: IP = <I removed this as not sure if this is a security risk>, Timed out on initial contact to server [ XXX Deleted ]  Tunnel could not be established.
%ASA-4-752012: I.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= _vpnc_cm.  Map Sequence Number = 10.
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure tunnel-group' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP, executed 'clear configure tunnel-group'
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure crypto map _vpnc_cm' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP, executed 'clear configure crypto map _vpnc_cm'
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-4-752010: IKEv2 Doesn't have a proposal specified

Not sure if relevant but I added a VPN Client User to the Domain Account but I don't think this matters as I believe this issue relates that the ASA can't connect get a tunnel established?

Additional Information which may be helpful:
show crypto ikev1 sa

1   IKE Peer: <I removed this IP>
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2

Lastly when I was googling I saw a comment stating  "appears you have not applied the crypto map to the interfaces" but I don't know which interface I should apply to as I don't want cause more issues? Thanks for any help and let me know what logs could help.

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 11 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 11 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros