Cisco 851 and ASA qm fsm error

I have a Cisco 881 running as EZVPN Server.  It has the IOS that uses zone security.  I have individual users VPN into it with no problem.  However, when I have an ASA 5505 attempt to EZVPN Remote into it, the tunnel is established, but then I get the "qm fsm error p2 struct" error on the remote.  With the new IOS I don't know where the corresponding isakmp is actually setup.  I have attached the 881 config.  Thanks ahead of time for your thoughts!
LVL 2
globalonline2Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

globalonline2Author Commented:
Sorry, Cisco 881
881-Configuration.txt
0
ptchubaCommented:
i'm assuming that you are using Network Extension Mode on the ASA. Check that your network behind the ASA does not overlap with the networks on the 881.

Let me know
Peter C.
0
globalonline2Author Commented:
No, client mode, and no overlap.
0
Make Network Traffic Fast and Furious with SD-WAN

Software-defined WAN (SD-WAN) is a technology that determines the most effective way to route traffic to and from datacenter sites. Register for the webinar today to learn how your business can benefit from SD-WAN!

netnounoursCommented:
The problem seems to be on phase 2 of the negociation. Check if you have the same parameters set on both sides for the IPSec piece of the VPN (eg : PFS group)
0
globalonline2Author Commented:
I agree, it is on phase 2.  However, it's my understanding that the VPN server intiates the negotiation with whatever profile I have specified.  The EZVPN remote client doesn't have a setup for IPSec or ISAKMP.
0
netnounoursCommented:
Try removing "set isakmp-profile ciscocp-ike-profile-1" from the IPSec profile.
0
globalonline2Author Commented:
I removed that entry to no avail.  Here are additional observations:

On the 881 there are no errors shown.  In debug mode it shows the tennel negotiation, and shows it being established.  However, there are no packets exchanges with the ASA - and there is no route setup for the IP it assigns the ASA from the VPN DHCP pool.

On the ASA.  It is where the error shows up in logs for the Phase 2 negotiation.  It shows the tunnel established, but  always gets the qm fsm error.  We have another ASA5510 that it works with just fine, but not the 881 router.
0
globalonline2Author Commented:
Opened Cisco TAC.  After several techs and 7 hours, it was determined that the software on the 881 does not support the ASA VPN Remote client on a Virtual Template.  So a seperate ISAKMP Profile was created for use with an ASA.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.