
Cisco PIX 7.2 - Setting up L2TP RA VPN around Static L2L VPN Tunnels

Posted on 2008-06-10
Last Modified: 2011-10-19
Cisco PIX 515
Pix Ver: 7.2(4)
ASDM Ver: 5.2(4)

I recently upgraded our PIX from 6.3 to 7.2 in order to do L2TP/IPSEC VPN with our Windows Clients.  Currently we have 4 site to site static VPN tunnels which were all converted during the upgrade.  After installing ASDM, I ran the ASDM VPN Wizard following the instructions from the Cisco website for L2TP/ISA setup ( http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml ).  You can watch me running the wizard here ( http://screencast.com/t/VDvMYV5E1 ).  

When I attempt to connect from a remote Vista or XP machine, I get 'Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.'  Watching the log in ASDM, I see PHASE 1 COMPLETED followed by QM FSM error (P2 struct &0x2dbce00, mess id 0x1)!, Removing peer from correlator table failed, no match!, Remove peer from peer table no match!.

When I searched the Cisco site for QM FSM error, only thing it mentioned was an issue with sequence numbers, but mentions that there can only be 1 dynamic map for each interface which I think may be part of the issue.

Full running config and debug attached (txt).  Modified external ip-addresses and passwords in the config for some security.

Here is a snip of the config for the crypto section, any help would be appreciated.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 10 match address texas
crypto map mymap 10 set peer 72.245.149.xxx
crypto map mymap 10 set transform-set myset
crypto map mymap 11 match address oklahoma
crypto map mymap 11 set peer 69.8.25.xxx
crypto map mymap 11 set transform-set myset
crypto map mymap 12 match address canada
crypto map mymap 12 set peer 205.206.59.xxx
crypto map mymap 12 set transform-set myset
crypto map mymap 13 match address colorado
crypto map mymap 13 set peer 69.85.69.xxx
crypto map mymap 13 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 38400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2

edited724.txt
debug.txt
Question by:reighnman

Accepted Solution

by:
reighnman earned 0 total points
ID: 21754763
I switched the ipsec and isk from md5 to sha and removed one of the extra dynamic maps I had that was wasted.  Everyone worked correctly after that.
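The accepted solution above boils down to two configuration facts visible in the question: the crypto map referenced a dynamic map that carried two entries, and only one of the two transform sets was in transport mode (which is what an L2TP/IPsec client negotiates). The following script is an added example, not code from the poster or from Cisco: it parses the handful of PIX 7.x crypto command forms shown on this page (transform-set, dynamic-map, crypto map, isakmp policy) and reports the conditions the poster had to correct. The sample config is constructed from the question's snippet, shortened to one static peer, with the masked peer address left as posted; the parser only understands those command forms and is not a general PIX config parser.

```python
from collections import defaultdict

# Constructed sample: the crypto section from the question, reduced to one
# static L2L peer. Peer address is masked exactly as the poster masked it.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map dynmap 20 set transform-set myset
crypto dynamic-map dynmap 40 set transform-set TRANS_ESP_3DES_MD5
crypto map mymap 10 match address texas
crypto map mymap 10 set peer 72.245.149.xxx
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 38400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""


def parse_crypto(config):
    """Extract transform sets, dynamic maps, crypto-map dynamic references
    and ISAKMP policies from the command forms used on this page."""
    ts = {}                    # name -> {"transforms": [...], "mode": "tunnel"|"transport"}
    dyn = defaultdict(dict)    # dynamic-map name -> seq -> transform-set name
    cmap_dyn = {}              # crypto map name -> [dynamic-map names it references]
    policies = {}              # isakmp policy seq -> {attribute: value}
    current_policy = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Indented lines belong to the most recent "crypto isakmp policy N" block.
        if line.startswith(" ") and current_policy is not None:
            key, _, value = line.strip().partition(" ")
            policies[current_policy][key] = value
            continue
        current_policy = None
        toks = line.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            entry = ts.setdefault(toks[3], {"transforms": [], "mode": "tunnel"})
            if toks[4:5] == ["mode"]:
                entry["mode"] = toks[5]          # "mode transport" on its own line
            else:
                entry["transforms"] = toks[4:]   # e.g. esp-3des esp-sha-hmac
        elif toks[:2] == ["crypto", "dynamic-map"] and "transform-set" in toks:
            dyn[toks[2]][int(toks[3])] = toks[toks.index("transform-set") + 1]
        elif toks[:2] == ["crypto", "map"] and "dynamic" in toks:
            cmap_dyn.setdefault(toks[2], []).append(toks[toks.index("dynamic") + 1])
        elif toks[:3] == ["crypto", "isakmp", "policy"]:
            current_policy = int(toks[3])
            policies[current_policy] = {}
    return {"transform_sets": ts, "dynamic_maps": dict(dyn),
            "crypto_map_dynamic": cmap_dyn, "isakmp_policies": policies}


def audit_l2tp(parsed):
    """Return human-readable findings for the two conditions the poster fixed."""
    findings = []
    ts = parsed["transform_sets"]
    for cmap, dyn_names in parsed["crypto_map_dynamic"].items():
        for dname in dyn_names:
            entries = parsed["dynamic_maps"].get(dname, {})
            if len(entries) > 1:
                findings.append(f"{cmap}: dynamic-map {dname} has {len(entries)} entries "
                                f"{sorted(entries)}; the poster kept a single entry")
            for seq, tname in sorted(entries.items()):
                if tname not in ts:
                    findings.append(f"{cmap}: dynamic-map {dname} {seq} references "
                                    f"undefined transform-set {tname}")
            if not any(ts.get(t, {}).get("mode") == "transport" for t in entries.values()):
                findings.append(f"{cmap}: no entry in dynamic-map {dname} uses a "
                                f"transport-mode transform-set (L2TP/IPsec needs one)")
    return findings


if __name__ == "__main__":
    for finding in audit_l2tp(parse_crypto(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed sample, the audit reports the duplicate dynamic-map entries; dropping the tunnel-mode entry (`dynmap 20`) so that only the transport-mode entry remains clears every finding, which mirrors the poster's fix. The ISAKMP policies are parsed as well so the script can be extended to report per-policy hash and lifetime settings alongside the phase-2 transforms.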
