Scott,

Can you provide debugs from the ASA, code versions on both devices and your associated no-nat ACLs?

Assuming you have nothing else logging to monitor, you can enable 'logging class vpn monitor debug' and throw up a term mon to gather inbound messages to the ASA from the PIX side. You can gather the information on the PIX with a debug cry isa 2 and then initiate interesting traffic from the ASA using the following; the more valuable information will be on the receiving end. It really doesn't matter which side you enable as the receiver, but I try to stay away from pre 7.x code on the PIXes.

packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed

Phase: 10 or 11 should be subtype encrypt. If it fails the first time, run it again; the negotiation process causes the first packet to fail as the tunnel is being brought up. This type of traffic will also give you your debug information and help you figure out where the failure is.

-ryan

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, September 01, 2009 8:29 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi,

I have a Pix out in the field and an ASA5520 that I'm trying to configure to pass L2L traffic. I keep getting an error that says

IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
ip=a.b.c.d unable to remove peer table entry

What am I doing wrong?
Here are the important config bits

asa-5520 crypto map

crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

ISAKMP

isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal 20
isakmp reload-wait

and the acl

access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192

TUNNEL GROUP

tunnel-group 208.37.161.98 type ipsec-l2l
tunnel-group 208.37.161.98 general-attributes
tunnel-group 208.37.161.98 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck

PIX CRYPTO MAP and ISAKMP

crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address vpn-1
crypto map map1 10 set peer vpnc
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key * address vpnc netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

ACL

access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

(note on the ASA I use individual /24's and shortened the ACL for ease of reading. I do this to exclude 10.18.14.0/24 from the tunnels since that houses the ASA's inside interface and client access)

Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
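Ryan's reply asks for debugs and the no-nat ACLs; the two things worth checking on paper before any debug are the ones an IKEv1 L2L tunnel between an ASA and a PIX fails on most often: no Phase 1 policy on which authentication, encryption, hash and DH group all agree, and crypto ACLs that are not exact mirror images of each other (Phase 2 proxy identities). The script below is an added example, not code from either poster or from Cisco. Its input is a constructed sample copied from the isakmp policies and crypto ACLs quoted in Scott's message (lifetime lines left out, since IKEv1 negotiates the lifetime down rather than requiring a match), and it assumes the bare `aes` keyword means AES-128, which is how PIX and ASA define it. Run over the quoted lines it reports no Phase 1 policy in common (the PIX offers aes-128/sha/group 2; none of the four ASA policies use aes-128) and one ACL pair whose masks differ (255.255.254.0 on the ASA against 255.255.240.0 on the PIX), though Scott notes he shortened the ASA ACL when quoting it, so the second finding may be an artifact of the quoting.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the isakmp policies and crypto ACLs quoted in the
# thread. Lifetime lines are left out because IKEv1 negotiates the lifetime
# down to the shorter value; it does not have to match on both peers.
ASA_CONFIG = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
"""

PIX_CONFIG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
"""

POLICY_RE = re.compile(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)")
ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_policies(config):
    """Map policy number -> {attribute: value}. The bare 'aes' keyword is
    normalised to 'aes-128', which is what it means on PIX and ASA."""
    policies = {}
    for num, attr, value in POLICY_RE.findall(config):
        if attr == "encryption" and value == "aes":
            value = "aes-128"
        policies.setdefault(int(num), {})[attr] = value
    return policies

def parse_crypto_acl(config):
    """Set of (src_network, dst_network) pairs from the crypto ACL lines."""
    return {
        (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}"))
        for src, smask, dst, dmask in ACL_RE.findall(config)
    }

def phase1_matches(local, remote):
    """(local_num, remote_num) pairs whose authentication, encryption, hash and
    DH group all agree; IKEv1 Phase 1 needs at least one such pair."""
    return sorted((a, b) for a, pa in local.items() for b, pb in remote.items() if pa == pb)

def proxy_id_mismatches(local_acl, remote_acl):
    """Entries on each side with no exact mirror image (dst, src) on the other.
    Phase 2 for such an entry fails the proxy-identity check."""
    local_only = sorted(local_acl - {(d, s) for s, d in remote_acl}, key=str)
    remote_only = sorted(remote_acl - {(d, s) for s, d in local_acl}, key=str)
    return local_only, remote_only

def report(local_cfg, remote_cfg):
    """Human-readable summary of both checks, one finding per line."""
    lines = []
    matches = phase1_matches(parse_policies(local_cfg), parse_policies(remote_cfg))
    lines.append(f"Phase 1 policy pairs in common: {matches or 'NONE'}")
    local_only, remote_only = proxy_id_mismatches(
        parse_crypto_acl(local_cfg), parse_crypto_acl(remote_cfg))
    for src, dst in local_only:
        lines.append(f"local ACL entry {src} -> {dst} has no mirror on the remote side")
    for src, dst in remote_only:
        lines.append(f"remote ACL entry {src} -> {dst} has no mirror on the local side")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ASA_CONFIG, PIX_CONFIG)))
```

Paste each side's `show run` into the two strings; the parser only looks at `isakmp policy` and `access-list ... permit ip` lines, so the rest of the config is ignored. Object-group or `host` forms of the ACL are not handled, which is fine for configs like the ones quoted here.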