01-15-2019 06:03 AM - edited 02-21-2020 08:40 AM
Hi All,
I was hoping someone could help me with a problem I’m having - a little clarification or advice would be much appreciated:
The Issue: I have set up a new backup server and I want to back up data from one of our production servers to the backup one. The servers are connected by a site-to-site tunnel between DC A and DC B - both using Cisco ASA 5515s. The way I am transferring the file is through innobackup, which uses SSH (port 22). I was transferring a 5gb file when all of a sudden it got to 4.6gb and dropped the connection. I tried SCP, which also uses port 22, and it did the same thing. Then I used netcat and did the transfer again on a raw port and it still failed. So after seeing nothing in the log files and running the above tests I ruled out that it was a port or ufw configuration issue, so I looked to the router for answers. (It is important to give you guys context.) So I ran the debugging tool on the ASA and attempted the transfer again and bingo! - some logs for me!
FW A logs:
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fbda978db0, mess id 0xd36ff5ab)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fb9d8fde4a0, mess id 0xd36ff5ab)!
FW B logs:
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29852230, mess id 0xd36ff5ab)!
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
So after looking this up on Google I’ve come across two potential causes (there may be more) - an ACL mismatch or a crypto map set security-association lifetime problem.
My Dilemma - For the moment I have increased the crypto map set security-association lifetime to satisfy the size of the file transfer I require (and this works!) - but I can’t help feeling this is a bit of a hack to get around another issue. You see, we have another DC that contains a backup and that is using the crypto map set security-association lifetime default and transfers files of comparable sizes just fine.
The reason I haven’t gone down the path of changing the ACL yet is because there is already one for FW A and FW B under the header ‘outside_crypto_map’ in the ACL Manager - is this ignored? Or do I need to add another entry? Both ACLs are configured as follows:
Source: <internal network>
Destination: <remote network>
Service: IP
Action: Allow
Thank you for your time!
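An added example (not from this thread and not Cisco's code) in Python that triages debug output like the lines quoted above: it tallies the Quick Mode (IKEv1 Phase 2) FSM errors per message id on each firewall, shows which message id failed on both ends, and relates a transfer size to a volume-based SA lifetime. The log lines and peer addresses are constructed; the 1024-byte kilobyte and the 4608000 KB lifetime are assumptions to check against `show running-config crypto` on the ASA.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the ASA debug output quoted in the post (RFC 5737 addresses).
FW_A_LOG = """\
Group = 203.0.113.2, IP = 203.0.113.2, Removing Peer from correlator table failed, no match!
Group = 203.0.113.2, IP = 203.0.113.2, QM FSM error (P2 struct &0x00007fbda978db0, mess id 0xd36ff5ab)!
Group = 203.0.113.2, IP = 203.0.113.2, QM FSM error (P2 struct &0x00007fb9d8fde4a0, mess id 0xd36ff5ab)!
"""
FW_B_LOG = """\
Group = 198.51.100.2, IP = 198.51.100.2, QM FSM error (P2 struct &0x00007fff29852230, mess id 0xd36ff5ab)!
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel.
Group = 198.51.100.2, IP = 198.51.100.2, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
"""

# Quick Mode (IKEv1 Phase 2) FSM error; the message id identifies one Phase 2 exchange.
QM_ERR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id (0x[0-9a-f]+)\)!")
TUNNEL_DOWN = "Tunnel Manager has failed to establish an L2L SA"

def qm_failures(log):
    """Count Phase 2 FSM errors per message id in one firewall's debug output."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = QM_ERR.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def shared_failures(log_a, log_b):
    """Message ids that failed on both peers: the same Phase 2 exchange was rejected at both ends."""
    return sorted(set(qm_failures(log_a)) & set(qm_failures(log_b)))

def tunnel_failed(log):
    """True if the Tunnel Manager gave up on the L2L SA (no configured IKE version succeeded)."""
    return any(TUNNEL_DOWN in line for line in log.splitlines())

def sa_volume_bytes(lifetime_kb):
    """Bytes one IPsec SA may carry before a volume-triggered rekey (assumes 1024-byte kilobytes)."""
    return lifetime_kb * 1024

def rekeys_during_transfer(transfer_bytes, lifetime_kb):
    """Volume rekeys one transfer forces; anything above 0 means Phase 2 renegotiates mid-stream."""
    return transfer_bytes // sa_volume_bytes(lifetime_kb)

if __name__ == "__main__":
    print("FW A:", qm_failures(FW_A_LOG))
    print("FW B:", qm_failures(FW_B_LOG), "tunnel failed:", tunnel_failed(FW_B_LOG))
    print("failing on both ends:", shared_failures(FW_A_LOG, FW_B_LOG))
    # Assumed lifetime of 4608000 KB: a 5 GB transfer outlives one SA and forces a rekey.
    print("rekeys for a 5 GB transfer:", rekeys_during_transfer(5 * 10**9, 4608000))
```

A message id that fails on both firewalls points at the Phase 2 renegotiation itself rather than at one side's ACL, which is the distinction the post is trying to draw between the two suspected causes.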
01-17-2019 07:13 AM
MTUs are all set to 1500
01-17-2019 07:16 AM - edited 01-17-2019 07:30 AM
01-17-2019 07:23 AM
Instead of changing the MTU, you can apply these commands:
crypto ipsec df-bit clear-df outside
crypto ipsec fragmentation before-encryption
06-09-2020 09:06 AM
Hi,
I'm just wondering, did you finally fix the issue? I have a similar issue right now and am looking for a way to fix it.
Wayne