I'm using a Cisco ASA device as my customer gateway in Amazon VPC. When I try to establish a virtual private network (VPN) connection to my VPC, I receive the error "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy" on my customer gateway. How do I resolve this error?

In established VPN connections, the standby tunnel can trigger this error in some Cisco ASA configurations. For more information, see Troubleshooting Cisco ASA Customer Gateway Connectivity.

Note: This specific error message pertains to Cisco ASA devices. However, the resolution applies to any customer gateway that uses a policy-based VPN or route-based VPN with a non-default proxy ID.

Be sure that your network traffic is initiated from your local network on the customer gateway to your VPC.

Configure route-based VPN connections with default proxy IDs if your device supports it.
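
A troubleshooting aid for the error above, added here as an example and not part of the AWS article: it pulls the proxy IDs out of the rejection message and compares them with the local/remote pairs in the crypto map ACL. The log layout (address/mask/protocol/port after each keyword), the sample lines, the ACL pairs, and the reading of "default proxy IDs" as 0.0.0.0/0 on both sides are assumptions.

```python
import ipaddress
import re

# Assumed message layout: "<addr>/<mask>/<proto>/<port>" follows each keyword.
PROXY_RE = re.compile(
    r"no matching crypto map entry for remote proxy "
    r"(?P<r_ip>[\d.]+)/(?P<r_mask>[\d.]+)/\d+/\d+ local proxy "
    r"(?P<l_ip>[\d.]+)/(?P<l_mask>[\d.]+)/\d+/\d+"
)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")  # assumed meaning of "default proxy ID"

def parse_rejection(line):
    """Return (remote_net, local_net) proposed by the peer, or None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m['r_ip']}/{m['r_mask']}", strict=False)
    local = ipaddress.ip_network(f"{m['l_ip']}/{m['l_mask']}", strict=False)
    return remote, local

def diagnose(line, crypto_acl):
    """crypto_acl: (local_cidr, remote_cidr) pairs copied from the crypto map ACL."""
    parsed = parse_rejection(line)
    if parsed is None:
        return "NOT_REJECTION"
    remote, local = parsed
    entries = {(ipaddress.ip_network(l), ipaddress.ip_network(r))
               for l, r in crypto_acl}
    if (local, remote) in entries:
        return "MATCH"  # selectors are covered; the cause lies elsewhere
    if remote == DEFAULT and local == DEFAULT:
        # Peer negotiated with default proxy IDs while the policy ACL is
        # narrower: initiate from the local network or use a route-based VPN.
        return "DEFAULT_PROXY_PROPOSED"
    return "NO_ENTRY"  # add or correct the ACL entry for this pair

# Constructed sample data (documentation and private address ranges).
ACL = [("192.168.0.0/24", "10.0.0.0/16")]
SAMPLE_DEFAULT = ("Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec "
                  "tunnel: no matching crypto map entry for remote proxy "
                  "0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 "
                  "on interface outside")
SAMPLE_OTHER = ("Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec "
                "tunnel: no matching crypto map entry for remote proxy "
                "10.0.0.0/255.255.0.0/0/0 local proxy "
                "192.168.50.0/255.255.255.0/0/0 on interface outside")

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_OTHER):
        print(diagnose(sample, ACL))
```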

Your Customer Gateway

Example: Cisco ASA Device (customer gateway configuration example)

Published: 2015-09-30

Updated: 2018-10-15