Submitted by Anonymous on Mon, 11/09/2009 - 16:56
When you are setting up a site-to-site VPN between two Cisco ASA IPsec peers you may find it useful to turn on debugging for the phase 1 tunnel negotiation. Phase 1 is the ISAKMP/IKE (IKEv1) exchange that authenticates the two peers and builds the keying channel, so I often turn on crypto ISAKMP debugging on the command line to get useful feedback while setting up a VPN. This is done using the following command:
debug crypto isakmp 8
Please note the trailing 8 is the level of debugging detail you want sent to your console. This is configurable between 1 and 255; higher levels are much more verbose, so turn it off again with "no debug crypto isakmp" once the tunnel is up.
When you attempt to bring up the VPN by sending some "interesting traffic" (traffic matched by the crypto ACL referenced in the crypto map) you should see a lot of debug output from the IKEv1 engine. Quite often you will see a message like this:
Removing peer from correlator table failed, no match!
Subnet Mis-Match
This is very often because the crypto access control lists (the "interesting traffic" ACLs) do not match on the two ASAs. The ACL on one ASA must be the exact mirror image of the ACL on the other: the same networks with the same masks, with the local and remote sides swapped. For example, if I were setting up a VPN between 172.21.0.0/21 and 192.168.2.0/24, the ACL on the 172.21.0.0/21 side should reflect those networks exactly, and the 192.168.2.0/24 side should carry the same entry with source and destination swapped.
Like so:
access-list MYTUNNEL permit ip 172.21.0.0 255.255.248.0 192.168.2.0 255.255.255.0
However, if you were accidentally (very easy if you are working with a third party who administers the remote end of the VPN) to end up with an ACL like this on one side:
access-list MYTUNNEL permit ip 172.21.0.0 255.255.0.0 192.168.2.0 255.255.255.0
the proxy identities offered by the two peers in phase 2 would not match, the debug would show the error above and the VPN would not be established. Note that the mask is what differs here (/16 against /21); a single wrong octet in a mask is enough.
Perfect forward secrecy Mis-match
A mismatch in this setting can also cause the "no match" error. Check that both peers either use perfect forward secrecy (set pfs in the crypto map entry, with the same Diffie-Hellman group on both sides) or that neither uses it. If one endpoint (ASA) of the VPN uses it and the other doesn't, phase 2 will fail with this error.
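Both of the mismatches above can be caught before you ever send interesting traffic by comparing the two peers' config snippets. The following is an added example, not code from the original post or from Cisco: it parses the "access-list NAME [extended] permit ip SRC MASK DST MASK" lines and any "set pfs" crypto map lines from each side, normalises the networks (so 172.21.2.0 255.255.248.0 and 172.21.0.0 255.255.248.0 compare as the same /21), and reports any entry that has no mirror image on the other peer as well as any PFS disagreement. The config text is constructed for the example; the names MYTUNNEL and OUTSIDE_MAP are illustrative, and it assumes ASA netmask-style ACLs (not IOS wildcard masks) and that "set pfs" without a group means group2, which is the ASA default.

```python
import ipaddress
import re

# Constructed sample configs for the two peers (not taken from any real device).
# Local side protects 172.21.0.0/21, the remote side protects 192.168.2.0/24.
LOCAL_CONFIG = """
access-list MYTUNNEL extended permit ip 172.21.0.0 255.255.248.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address MYTUNNEL
crypto map OUTSIDE_MAP 10 set pfs group2
"""

# Correct remote side: same networks, source and destination swapped, same PFS group.
REMOTE_CONFIG_GOOD = """
access-list MYTUNNEL extended permit ip 192.168.2.0 255.255.255.0 172.21.0.0 255.255.248.0
crypto map OUTSIDE_MAP 10 match address MYTUNNEL
crypto map OUTSIDE_MAP 10 set pfs
"""

# Broken remote side: /16 instead of /21 for our network, and no PFS at all.
REMOTE_CONFIG_BAD = """
access-list MYTUNNEL extended permit ip 192.168.2.0 255.255.255.0 172.21.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address MYTUNNEL
"""

PFS_RE = re.compile(r"\bset pfs(?:\s+(group\d+))?\s*$")


def _take_net(tokens):
    """Consume one ASA address spec from the front of tokens:
    'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (ASA uses real netmasks)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # strict=False clears any host bits, so 172.21.2.0/255.255.248.0 -> 172.21.0.0/21
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(line):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into (name, src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, rest = tokens[1], tokens[2:]
    if rest[0] == "extended":
        rest = rest[1:]
    if rest[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' entries define proxy identities: {line!r}")
    rest = rest[2:]
    src = _take_net(rest)
    dst = _take_net(rest)
    return name, src, dst


def parse_side(config):
    """Return (set of (src, dst) proxy identities, pfs group or None) for one peer."""
    identities = set()
    pfs = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list") and " permit ip " in line:
            _, src, dst = parse_acl(line)
            identities.add((src, dst))
        m = PFS_RE.search(line)
        if m:
            pfs = m.group(1) or "group2"  # assumption: bare 'set pfs' means group2 (ASA default)
    return identities, pfs


def check_tunnel(local_config, remote_config):
    """Compare two peers. Returns a list of human-readable problems; [] means the
    crypto ACLs mirror each other exactly and PFS agrees."""
    problems = []
    local_ids, local_pfs = parse_side(local_config)
    remote_ids, remote_pfs = parse_side(remote_config)
    # The remote entry (src, dst) should appear locally as (dst, src).
    remote_mirrored = {(dst, src) for (src, dst) in remote_ids}
    for src, dst in sorted(local_ids - remote_mirrored, key=str):
        problems.append(f"local {src} -> {dst} has no mirror entry on the remote peer")
    for local_src, local_dst in sorted(remote_mirrored - local_ids, key=str):
        problems.append(f"remote {local_dst} -> {local_src} has no matching local entry")
    if local_pfs != remote_pfs:
        problems.append(f"PFS mismatch: local={local_pfs or 'off'} remote={remote_pfs or 'off'}")
    return problems


if __name__ == "__main__":
    for label, remote in (("good", REMOTE_CONFIG_GOOD), ("bad", REMOTE_CONFIG_BAD)):
        print(f"--- remote config: {label}")
        for p in check_tunnel(LOCAL_CONFIG, remote) or ["OK: ACLs mirror and PFS agrees"]:
            print(p)
```

Paste each side's "show running-config access-list" and "show running-config crypto map" output into the two strings and run it; the bad sample reports three problems (the unmatched local entry, the unmatched remote entry, and the PFS difference), which is exactly what you would otherwise have to pick out of a level-8 ISAKMP debug.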