Site-2-Site Vpn

jack samuel
Level 1

Hello,

I want to establish a VPN between ASA ------- other vendor firewall

I'm facing issues in phase 2 of the IPsec VPN connection. Attached are the debug logs from the ASA. I found the QM FSM error in the logs; the Cisco docs say the solution for this error is that the access-lists on both sides should match and the transform-sets should match.

Even though I am matching the access-list and transform set, the tunnel is coming UP from one end only, i.e. from the other vendor firewall he is able to ping the internal network behind the ASA, but when the internal network initiates a connection to the other vendor firewall the success rate is zero.

How is it possible that the other vendor is able to ping when the tunnel is not established from the ASA end? According to the logs the ASA is stuck in phase 2.

Thanks

6 Replies

jack samuel
Level 1

Hello,

Any hints please

Thanks

config??

Diego Cambronero

CCIE 34000

rizwanr74
Level 7

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs shown below appear.

IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hello rizwan,

Here are the configs for the dynamic and static crypto map. According to the below, I hope the configs are correct.

crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside

Remove all of these:

crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa

----------------

Copy these lines:

crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto map cisco 65535 ipsec-isakmp dynamic cisco

Dear Rizwan,

I have the dynamic map cisco, which is my branch on an ADSL router that initiates a connection to HO; it is higher than the static one (whether you put number 10 or 65535, they are both higher than the static). Just have a look at the matching colours; my static crypto maps are preferred over the dynamic ones.

crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside

I have 1 more question for you:

Should the transform set be the same on both ends of the VPN peers? If they are different, for example esp-3des esp-md5-hmac & esp-aes esp-sha-hmac on one end and esp-3des esp-md5-hmac only on the other end, will phase II come up?

Thanks
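As an added example (not from this thread and not Cisco's own tooling), the following Python script encodes the two checks the thread turns on: rizwanr74's rule that every dynamic crypto map entry must carry a higher sequence number than the static entries on the same crypto map, and the transform-set question in the last post, where Phase 2 can only complete on a proposal that both peers accept. The sample configuration is the poster's crypto map section; the other vendor's proposals are a constructed assumption, since that firewall's configuration is not in the thread. The regular expressions cover only the ASA command forms that appear above.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's crypto map section, verbatim from the thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside
"""

# Only the command forms seen in the thread are recognised (assumption).
STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_TS_RE = re.compile(r"^crypto map (\S+) (\d+) set ikev1 transform-set (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {"static": {seq: peer}, "dynamic": {seq: dynamic_map}}}."""
    maps = defaultdict(lambda: {"static": {}, "dynamic": {}})
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            maps[m[1]]["static"][int(m[2])] = m[3]
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            maps[m[1]]["dynamic"][int(m[2])] = m[3]
    return dict(maps)


def misordered_dynamic_entries(config):
    """(map, dynamic_seq, static_seq) for every dynamic entry that sits below a
    static entry on the same crypto map. An empty list means the rule holds."""
    problems = []
    for name, entries in parse_crypto_maps(config).items():
        for dyn_seq in entries["dynamic"]:
            for static_seq in entries["static"]:
                if dyn_seq < static_seq:
                    problems.append((name, dyn_seq, static_seq))
    return problems


def parse_transform_sets(config):
    """Transform-set name -> frozenset of its transforms (order does not matter)."""
    sets = {}
    for raw in config.splitlines():
        m = TS_RE.match(raw.strip())
        if m:
            sets[m[1]] = frozenset(m[2].split())
    return sets


def offered_proposals(config, map_name, seq):
    """Set of transform-set contents that one static crypto map entry offers."""
    sets = parse_transform_sets(config)
    for raw in config.splitlines():
        m = MAP_TS_RE.match(raw.strip())
        if m and m[1] == map_name and int(m[2]) == seq:
            return {sets[n] for n in m[3].split() if n in sets}
    return set()


def common_proposals(local, remote):
    """Proposals both peers accept; Phase 2 needs at least one, not all to match."""
    return local & remote


if __name__ == "__main__":
    print("misordered dynamic entries:", misordered_dynamic_entries(SAMPLE_CONFIG))
    local = offered_proposals(SAMPLE_CONFIG, "crypto", 6)
    # Constructed assumption: the other vendor accepts only 3DES/MD5.
    remote = {frozenset({"esp-3des", "esp-md5-hmac"})}
    print("common proposals:", common_proposals(local, remote))
```

Run against the poster's configuration, the ordering check returns no problems (sequence numbers 10 and 20 are both above the static entry 6), and the proposal check reports one common transform set when the remote side offers only 3DES/MD5, which is the case asked about in the last post. Lowering the dynamic entry below 6, or changing the remote proposal to something the ASA entry does not offer, makes the respective check fail.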
