Solved

Cisco PIX 7.2 - Setting up L2TP RA VPN around Static L2L VPN Tunnels

Posted on 2008-06-10
Last Modified: 2011-10-19
Cisco PIX 515
Pix Ver: 7.2(4)
ASDM Ver: 5.2(4)

I recently upgraded our PIX from 6.3 to 7.2 in order to do L2TP/IPSEC VPN with our Windows Clients.  Currently we have 4 site to site static VPN tunnels which were all converted during the upgrade.  After installing ASDM, I ran the ASDM VPN Wizard following the instructions from the Cisco website for L2TP/ISA setup ( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml ).  You can watch me running the wizard here ( http://screencast.com/t/VDvMYV5E1 ).  

When I attempt to connect from a remote Vista or XP machine, I get 'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.'  Watching the log in ASDM, I see PHASE 1 COMPLETED followed by QM FSM error (P2 struct &0x2dbce00, mess id 0x1)!, Removing peer from correlator table failed, no match!, Remove peer from peer table no match!.

When I searched the Cisco site for QM FSM error, the only thing it mentioned was an issue with sequence numbers, but it mentions that there can only be 1 dynamic map for each interface, which I think may be part of the issue.

Full running config and debug attached (txt).  Modified external ip-addresses and passwords in the config for some security.

Here is a snip of the config for the crypto section; any help would be appreciated.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 10 match address texas
crypto map mymap 10 set peer 72.245.149.xxx
crypto map mymap 10 set transform-set myset
crypto map mymap 11 match address oklahoma
crypto map mymap 11 set peer 69.8.25.xxx
crypto map mymap 11 set transform-set myset
crypto map mymap 12 match address canada
crypto map mymap 12 set peer 205.206.59.xxx
crypto map mymap 12 set transform-set myset
crypto map mymap 13 match address colorado
crypto map mymap 13 set peer 69.85.69.xxx
crypto map mymap 13 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 38400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2


edited724.txt
debug.txt
Question by:reighnman
Accepted Solution

by: reighnman
ID: 21754763
I switched the ipsec and isk from md5 to sha and removed one of the extra dynamic maps I had that was wasted.  Everyone worked correctly after that.
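As an added illustration (not from the thread, the poster, or Cisco), here is a small lint that reads the crypto section posted above and flags the two things the accepted fix changed: a dynamic map carrying more than one entry, and a transform-set bound to the dynamic map (i.e. used for the remote-access clients) that is not in transport mode, which L2TP/IPsec clients negotiate. The sample config is constructed from the snippet in the question; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the crypto section posted in the question.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 20 ipsec-isakmp dynamic dynmap
"""

def parse_crypto(config):
    """Return (transform_sets, dynamic_maps) parsed from PIX 7.x config text."""
    tsets = defaultdict(lambda: {"transforms": [], "mode": "tunnel"})  # default mode is tunnel
    dynmaps = defaultdict(dict)  # map name -> {sequence number: transform-set name}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) mode (\S+)", line)
        if m:  # 'mode transport' line for an already-defined transform-set
            tsets[m.group(1)]["mode"] = m.group(2)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:  # transform-set definition: name followed by its transforms
            tsets[m.group(1)]["transforms"] = m.group(2).split()
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (\S+)", line)
        if m:  # dynamic-map entry binding a transform-set to a sequence number
            dynmaps[m.group(1)][int(m.group(2))] = m.group(3)
    return dict(tsets), dict(dynmaps)

def lint(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    tsets, dynmaps = parse_crypto(config)
    findings = []
    for name, entries in dynmaps.items():
        if len(entries) > 1:  # the extra entry the poster removed to get clients working
            findings.append(f"dynamic-map {name} has {len(entries)} entries "
                            f"(seq {sorted(entries)}); keep a single entry for the RA clients")
        for seq, ts in entries.items():
            mode = tsets.get(ts, {}).get("mode", "tunnel")
            if mode != "transport":  # L2TP/IPsec clients propose transport mode
                findings.append(f"dynamic-map {name} {seq} uses {ts} in {mode} mode; "
                                "L2TP/IPsec clients need 'mode transport'")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the crypto section of a full running-config (after `show running-config`) to see which dynamic-map entries would never match a Windows L2TP/IPsec client's Phase 2 proposal.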