https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822251#M492441 <HTML><HEAD></HEAD><BODY><P>Hmmm I can ping\rdp\whatever from the 192.168.254.0/24 (firebox) side of the tunnel into the 192.168.240.0/24(ASA) side, but not the other way around.</P></BODY></HTML> Fri, 25 Nov 2011 17:37:58 GMT William Gurling 2011-11-25T17:37:58Z https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822250#M492440 <P>I am really new at this, so please forgive my ignorace. I've configured, to the best of my ability, a tunnel between my asa5505 and a firebox X using this guide, I had to feel my way through it since the ASDM in the guide is an older version:</P><P></P><P><A class="jive-link-external-small" href="http://www.watchguard.com/help/docs/edge/10/en-us/content/en-us/bovpn/manual/manual_bovpn_edge_cisco.html" target="_blank">http://www.watchguard.com/help/docs/edge/10/en-us/content/en-us/bovpn/manual/manual_bovpn_edge_cisco.html</A></P><P></P><P>When I attempt to bring the tunnel up using Ping Inside on the ASA to one of the machines on the watchguard subnet I get the following error messages, even though the ping states 100% success. I cannot ping, rdp or anything out from any of the hosts on my 192.168.240.0/24 network to the 192.168.254.0/24 network whatseover.</P><P></P><P>Can anyone point me in the right direction?</P><P></P><P>Nov 25 11:49:54 [IKEv1 DECODE]: IP = 204.116.253.76, IKE Responder starting QM: msg id = 108a9682</P><P>Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 277517954</P><P>Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending notify message</P><P>Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, Can't send p2 'Payload malformed' notify message: no SPIs (msg id 108a9682)!</P><P>Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, QM FSM error (P2 struct &amp;0xc9d588b0, mess id 0x108a9682)!</P><P>Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, IKE QM Responder FSM error history (struct &amp;0xc9d588b0)&nbsp; &lt;state&gt;, &lt;event&gt;:&nbsp; QM_DONE, EV_ERROR--&gt;QM_BLD_MSG2, EV_VALIDATE_FAIL--&gt;QM_BLD_MSG2, EV_VALIDATE_MSG--&gt;QM_BLD_MSG2, EV_DECRYPT_OK--&gt;QM_BLD_MSG2, NullEvent--&gt;QM_BLD_MSG2, EV_DECRYPT_MSG--&gt;QM_BLD_MSG2, EV_INIT_RESPONDER--&gt;QM_START, EV_RCV_MSG</P><P>Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending delete/delete with reason message</P><P>Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Removing peer from correlator table failed, no match!</P> Mon, 11 Mar 2019 21:55:15 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822250#M492440 William Gurling 2019-03-11T21:55:15Z https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822251#M492441 <HTML><HEAD></HEAD><BODY><P>Hmmm I can ping\rdp\whatever from the 192.168.254.0/24 (firebox) side of the tunnel into the 192.168.240.0/24(ASA) side, but not the other way around.</P></BODY></HTML> Fri, 25 Nov 2011 17:37:58 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822251#M492441 William Gurling 2011-11-25T17:37:58Z https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822252#M492442 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>verify your crypto ACLs are mirrored on both tunnel endpoints.</P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Fri, 25 Nov 2011 21:40:28 GMT https://community.cisco.com/t5/network-security/ipsec-tunnel-fail-phase-one-please-advise/m-p/1822252#M492442 cadet alain 2011-11-25T21:40:28Z