ASA5515 - QM FSM error / failed to establish L2L SA when transferring large files

CrazyHorse019
Level 1

Hi All,

I was hoping someone could help me with a problem I'm having; a little clarification or advice would be much appreciated.

The Issue: I have set up a new backup server and I want to back up data from one of our production servers to the backup one. The servers are connected by a site-to-site tunnel between DC A and DC B, both using Cisco ASA 5515s. The way I am transferring the file is through innobackup, which uses SSH (port 22). I was transferring a 5 GB file when all of a sudden it got to 4.6 GB and dropped the connection. I tried SCP, which also uses port 22, and it did the same thing. Then I used netcat and did the transfer again on a raw port and it still failed. So after seeing nothing in the log files and running the above tests I ruled out a port or ufw configuration issue, so I looked to the router for answers. (It is important to give you guys context.) So I ran the debugging tool on the ASA and attempted the transfer again and bingo! Some logs for me!


FW A logs
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fbda978db0, mess id 0xd36ff5ab)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fb9d8fde4a0, mess id 0xd36ff5ab)!

FW B logs
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29852230, mess id 0xd36ff5ab)!
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!

So after looking this up on Google I've come across two potential causes (there may be more): an ACL mismatch or a crypto map set security-association lifetime problem.

My Dilemma: For the moment I have increased the crypto map set security-association lifetime to satisfy the size of the file transfer I require (and this works!), but I can't help feeling this is a bit of a hack to get around another issue. You see, we have another DC that contains a backup, and that is using the crypto map set security-association lifetime default and transfers files of comparable sizes just fine.

The reason I haven't gone down the route of changing the ACL yet is because there is already one on FW A and FW B under the header 'outside_crypto_map' in the ACL Manager. Is this ignored? Or do I need to add another entry? Both ACLs are configured as follows: Source: <internal network>, Destination: <remote network>, Service: IP, Action: Allow


Thank you for your time!
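As an added example (not part of the original post, and not Cisco tooling), the Python below works through the two diagnostic questions raised in the post: it parses the FW A / FW B debug lines quoted above and correlates the Quick Mode message ids across both peers, checks whether two crypto ACLs are mirror images of each other (the proxy-ID requirement behind the "ACL mismatch" theory), and estimates whether a transfer of a given size outgrows the ASA's default IPsec SA data lifetime of 4608000 kilobytes (the default is 28800 seconds or 4608000 KB, whichever runs out first). The peer addresses, the ACL entries and every function name are constructed for this example; the log text is a copy of the thread's output with placeholder IPs in place of the redacted <peer ip>.

```python
"""Added example: correlate ASA IKEv1 Quick Mode failures across two peers,
check crypto ACL mirroring, and estimate SA data-lifetime exhaustion."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the thread's FW A / FW B debug output with placeholder
# peer addresses (203.0.113.2 and 198.51.100.2 are documentation ranges).
FW_A_LOG = """\
Group = 203.0.113.2, IP = 203.0.113.2, Removing Peer from correlator table failed, no match!
Group = 203.0.113.2, IP = 203.0.113.2, QM FSM error (P2 struct &0x00007fbda978db0, mess id 0xd36ff5ab)!
Group = 203.0.113.2, IP = 203.0.113.2, Removing Peer from correlator table failed, no match!
Group = 203.0.113.2, IP = 203.0.113.2, QM FSM error (P2 struct &0x00007fb9d8fde4a0, mess id 0xd36ff5ab)!
"""
FW_B_LOG = """\
Group = 198.51.100.2, IP = 198.51.100.2, QM FSM error (P2 struct &0x00007fff29852230, mess id 0xd36ff5ab)!
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
Group = 198.51.100.2, IP = 198.51.100.2, Removing Peer from correlator table failed, no match!
Group = 198.51.100.2, IP = 198.51.100.2, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
"""

QM_FSM_RE = re.compile(
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), QM FSM error "
    r"\(P2 struct &(?P<p2>0x[0-9a-f]+), mess id (?P<msgid>0x[0-9a-f]+)\)!"
)
TUNNEL_FAIL_RE = re.compile(
    r"Tunnel Manager has failed to establish an L2L SA.*"
    r"Map Tag= (?P<map>\S+)\. Map Sequence Number = (?P<seq>\d+)"
)


def parse_log(text):
    """Return (qm_errors, tunnel_failures) for one firewall's debug output.
    qm_errors is a list of dicts (group, ip, p2, msgid); tunnel_failures is a
    list of (crypto map tag, sequence number) tuples."""
    qm_errors, failures = [], []
    for line in text.splitlines():
        m = QM_FSM_RE.search(line)
        if m:
            qm_errors.append(m.groupdict())
            continue
        m = TUNNEL_FAIL_RE.search(line)
        if m:
            failures.append((m.group("map"), int(m.group("seq"))))
    return qm_errors, failures


def correlate_message_ids(logs):
    """Map each Quick Mode message id to the set of firewalls that logged it.
    A message id seen on both ends means both peers rejected the same Phase 2
    exchange (a proxy-ID mismatch or a failed rekey), rather than one side
    merely missing packets."""
    seen = defaultdict(set)
    for name, text in logs.items():
        for err in parse_log(text)[0]:
            seen[err["msgid"]].add(name)
    return dict(seen)


def crypto_acls_mirror(acl_a, acl_b):
    """True when every (src, dst) entry on one peer appears as (dst, src) on
    the other. IPsec proxy identities must mirror this way or Quick Mode
    fails; entries are (source, destination) CIDR strings."""
    fwd = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl_a}
    rev = {(ipaddress.ip_network(d), ipaddress.ip_network(s)) for s, d in acl_b}
    return fwd == rev


# Cisco ASA default IPsec SA lifetime: 28800 seconds or 4608000 kilobytes,
# whichever is exhausted first. Only the data lifetime is modelled here.
ASA_DEFAULT_LIFETIME_KB = 4_608_000


def transfer_exceeds_data_lifetime(transfer_bytes, lifetime_kb=ASA_DEFAULT_LIFETIME_KB):
    """True if one transfer alone is larger than the SA data lifetime, i.e.
    it will force at least one Phase 2 rekey mid-transfer."""
    return transfer_bytes > lifetime_kb * 1024


def rekeys_during_transfer(transfer_bytes, lifetime_kb=ASA_DEFAULT_LIFETIME_KB):
    """Number of data-lifetime rekeys a transfer of this size triggers."""
    return transfer_bytes // (lifetime_kb * 1024)


if __name__ == "__main__":
    print(correlate_message_ids({"FW A": FW_A_LOG, "FW B": FW_B_LOG}))
    print(parse_log(FW_B_LOG)[1])
    print(transfer_exceeds_data_lifetime(5 * 10**9))
```

Under the default data lifetime a 5 GB transfer does cross the 4608000 KB boundary, which is why raising the lifetime in the post "works": it removes the mid-transfer rekey. If the rekey itself were healthy the transfer would survive it, so a message id rejected on both peers points at what is going wrong in the Quick Mode exchange (proxy IDs, for example) rather than at the lifetime value.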

18 Replies

MTUs are all set to 1500

--
Please remember to select a correct answer and rate helpful posts

Instead of changing the MTU, you can apply these commands:

crypto ipsec df-bit clear-df outside
crypto ipsec fragmentation before-encryption

Please do not forget to rate.

Wayne.spq
Level 1

Hi,

I'm just wondering, did you finally fix the issue? I have a similar issue right now and am looking for a way to fix it.

Wayne
