Seni asked:
Cisco ASA P2P Error

Hi Experts,

I'm troubleshooting two p2p VPNs with slightly similar errors.

For the first one, I get the below output from debug.

Oct 26 11:12:25 [IKEv1]: Group = 192.144.14.83, IP = 192.144.14.83, Removing peer from correlator table failed, no match!
Oct 26 11:12:25 [IKEv1]: Group = 192.144.14.83, IP = 192.144.14.83, Session is being torn down. Reason: User Requested


For the second one, I get the following error:

Oct 26 11:12:26 [IKEv1]: Group = 192.168.10.6, IP = 192.168.10.6, QM FSM error (P2 struct &0xb3afda28, mess id 0xbf868f06)!
Oct 26 11:12:26 [IKEv1]: Group = 192.168.10.6, IP = 192.168.10.6, Removing peer from correlator table failed, no match!
Oct 26 11:12:26 [IKEv1]: Group = 192.168.10.6, IP = 192.168.10.6, Session is being torn down. Reason: Phase 2 Mismatch


After searching on Google, most of the errors were supposed to be caused by:

1. Mismatch ACL
2. Dynamic crypto with a lower sequence number than static crypto map.

I tried to look at these suggestions but could not find the problem. What else could be stopping the tunnel from coming up?

Ernie Beek:

It might be easier if you could post the configs so we can have a look at it. Of course you can blank out any private information in it.
Normally the QM FSM error means that the access lists for the tunnel on the pair of devices are not matching.
So if you have:
permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
permit ip c.c.c.c 255.255.255.0 d.d.d.d 255.255.255.0

On one end, it should be:

permit ip b.b.b.b 255.255.255.0 a.a.a.a 255.255.255.0
permit ip d.d.d.d 255.255.255.0 c.c.c.c 255.255.255.0

on the other end, nothing more and nothing less.

Normally you use two access lists: one for the NAT exempt and a second to determine what traffic goes through the VPN. The lists are normally the same though.

Seni (asker):
hi,

For the first p2p VPN, we have managed to resolve it by changing the transform-set from *esp-3des esp-md5-hmac* to *esp-3des esp-sha-hmac*

This change resolved the configuration issue and the tunnel came up.

I'm trying to get in touch with the remote engineer for the second and implement the same setting.

Thanks,
Elly
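The two Phase 2 causes discussed in this thread (crypto ACLs that are not exact mirror images, as in Ernie Beek's answer, and the transform-set mismatch that fixed the first tunnel) can be checked offline before touching either ASA. The script below is an added example, not code from the thread or from Cisco; the config snippets, ACL names and addresses are constructed sample data.

```python
import ipaddress

# Constructed ASA config snippets for the two peers (sample data, not from the post).
SITE_A = """
crypto ipsec transform-set TS-A esp-3des esp-md5-hmac
access-list VPN-A-TO-B extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-A-TO-B extended permit ip host 10.1.3.5 10.2.4.0 255.255.255.0
"""
SITE_B = """
crypto ipsec transform-set TS-B esp-3des esp-sha-hmac
access-list VPN-B-TO-A extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-B-TO-A extended permit ip 10.2.5.0 255.255.255.0 host 10.1.3.5
"""

def _take_net(tokens):
    """Consume one ASA address spec ('any', 'host X' or 'X MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_aces(config):
    """Return the set of (src, dst) network pairs from 'permit ip' ACEs."""
    aces = set()
    for line in config.splitlines():
        tokens = line.split()
        i = tokens.index("permit") if "permit" in tokens else -1
        if i < 0 or tokens[i + 1:i + 2] != ["ip"]:
            continue  # not a plain IP ACE, so not part of the crypto ACL
        rest = tokens[i + 2:]
        src, dst = _take_net(rest), _take_net(rest)  # evaluated left to right
        aces.add((src, dst))
    return aces

def parse_transform_sets(config):
    """Return the algorithm combinations declared by transform-set lines."""
    return {frozenset(line.split()[4:]) for line in config.splitlines()
            if line.startswith("crypto ipsec transform-set")}

def phase2_report(local, remote):
    """Crypto-ACL entries with no mirror on the other peer, plus transform-set overlap."""
    local_aces = parse_aces(local)
    remote_mirrored = {(dst, src) for src, dst in parse_aces(remote)}
    return {
        "only_local": sorted(f"{s} -> {d}" for s, d in local_aces - remote_mirrored),
        "only_remote": sorted(f"{s} -> {d}" for s, d in remote_mirrored - local_aces),
        "transform_set_match": bool(parse_transform_sets(local) & parse_transform_sets(remote)),
    }
```

On the sample data the report flags the second ACE (10.2.4.0 vs 10.2.5.0 on the far side) and reports no common transform-set, which is the md5/sha discrepancy described above.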
ASKER CERTIFIED SOLUTION
Seni
Seni (asker):
After troubleshooting and looking at the problem of my VPN, I realized that the suggestions made by other experts were not the problem. I changed my configuration based on my own research and I managed to resolve the problem. Henceforth, my comment and self-research managed to solve the problem.