Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2127
  • Last Modified:

Cisco PIX 7.2 - Setting up L2TP RA VPN around Static L2L VPN Tunnels

Cisco PIX 515
Pix Ver: 7.2(4)
ASDM Ver: 5.2(4)

I recently upgraded our PIX from 6.3 to 7.2 in order to do L2TP/IPSEC VPN with our Windows Clients.  Currently we have 4 site to site static VPN tunnels which were all converted during the upgrade.  After installing ASDM, I ran the ASDM VPN Wizard following the instructions from the Cisco website for L2TP/ISA setup ( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml ).  You can watch me running the wizard here ( http://screencast.com/t/VDvMYV5E1 ).  

When I attempt to connect from a remote Vista or XP machine, I get 'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during inital negotiations with the remote computer.'  Watching the log in ASDM, I see PHASE 1 COMPLETED followed by QM FSM error (P2 struct &0x2dbce00, mess id 0x1)!, Removing peer from correlator table failed, no match!, Remove peer from peer table no match!.

When I searched the Cisco site for QM FSM error, only thing it mentioned was an issue with sequence numbers, but mentions that there can only be 1 dynamic map for each interface which I think may be part of the issue.

Full running config and debug attached (txt).  Modified external ip-addresses and passwords in the config for some security.

Here is a snip of the config for the crypto section, any help would be appriciated.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 10 match address texas
crypto map mymap 10 set peer 72.245.149.xxx
crypto map mymap 10 set transform-set myset
crypto map mymap 11 match address oklahoma
crypto map mymap 11 set peer 69.8.25.xxx
crypto map mymap 11 set transform-set myset
crypto map mymap 12 match address canada
crypto map mymap 12 set peer 205.206.59.xxx
crypto map mymap 12 set transform-set myset
crypto map mymap 13 match address colorado
crypto map mymap 13 set peer 69.85.69.xxx
crypto map mymap 13 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 38400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2

Open in new window

edited724.txt
debug.txt
0
reighnman
Asked:
reighnman
1 Solution
 
reighnmanAuthor Commented:
I switched the ipsec and isk from md5 to sha and removed one of the extra dynamic maps I had that was wasted.  Everyone worked correctly after that.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now