?
Solved

Cisco PIX 7.2 - Setting up L2TP RA VPN around Static L2L VPN Tunnels

Posted on 2008-06-10
1
Medium Priority
?
2,123 Views
Last Modified: 2011-10-19
Cisco PIX 515
Pix Ver: 7.2(4)
ASDM Ver: 5.2(4)

I recently upgraded our PIX from 6.3 to 7.2 in order to do L2TP/IPSEC VPN with our Windows Clients.  Currently we have 4 site to site static VPN tunnels which were all converted during the upgrade.  After installing ASDM, I ran the ASDM VPN Wizard following the instructions from the Cisco website for L2TP/ISA setup ( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml ).  You can watch me running the wizard here ( http://screencast.com/t/VDvMYV5E1 ).  

When I attempt to connect from a remote Vista or XP machine, I get 'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during inital negotiations with the remote computer.'  Watching the log in ASDM, I see PHASE 1 COMPLETED followed by QM FSM error (P2 struct &0x2dbce00, mess id 0x1)!, Removing peer from correlator table failed, no match!, Remove peer from peer table no match!.

When I searched the Cisco site for QM FSM error, only thing it mentioned was an issue with sequence numbers, but mentions that there can only be 1 dynamic map for each interface which I think may be part of the issue.

Full running config and debug attached (txt).  Modified external ip-addresses and passwords in the config for some security.

Here is a snip of the config for the crypto section, any help would be appriciated.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 10 match address texas
crypto map mymap 10 set peer 72.245.149.xxx
crypto map mymap 10 set transform-set myset
crypto map mymap 11 match address oklahoma
crypto map mymap 11 set peer 69.8.25.xxx
crypto map mymap 11 set transform-set myset
crypto map mymap 12 match address canada
crypto map mymap 12 set peer 205.206.59.xxx
crypto map mymap 12 set transform-set myset
crypto map mymap 13 match address colorado
crypto map mymap 13 set peer 69.85.69.xxx
crypto map mymap 13 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 38400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2

Open in new window

edited724.txt
debug.txt
0
Comment
Question by:reighnman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 

Accepted Solution

by:
reighnman earned 0 total points
ID: 21754763
I switched the ipsec and isk from md5 to sha and removed one of the extra dynamic maps I had that was wasted.  Everyone worked correctly after that.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question