03-27-2012 12:01 PM - edited 03-11-2019 03:47 PM
Hello,
I want to establish a VPN between an ASA ------- other vendor firewall.
I'm facing issues in phase 2 of the IPsec VPN connection. Attached are the debug logs from the ASA. I found the QM FSM error in the logs; the Cisco docs say the solution for this error is that the access-lists on both sides should match and the transform-sets should match.
Even though I'm matching the access-list and transform set, the tunnel is coming UP from one end only, i.e. from the other vendor's firewall he is able to ping the internal network behind the ASA, but when the internal network initiates a connection to the other vendor's firewall the success rate is zero.
How is it possible that the other vendor is able to ping when the tunnel is not established from the ASA end???? According to the logs the ASA is stuck in phase 2.
Thanks
03-28-2012 01:28 PM
Hello,
Any hints please
Thanks
03-28-2012 03:36 PM
config??
Diego Cambronero
CCIE 34000
03-28-2012 07:19 PM
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and debugs like the one shown appear.
IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
03-29-2012 02:17 PM
Hello rizwan,
Here are the configs for the dynamic and static crypto maps. Going by the below, I hope the configs are correct.
crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside
03-30-2012 07:07 AM
Remove all of these.
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
----------------
Copy these lines.
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto map cisco 65535 ipsec-isakmp dynamic cisco
03-30-2012 12:22 PM
Dear Rizwan,
I have a dynamic map "cisco", which is my branch on an ADSL router that initiates a connection to HO, and it is already higher than the static one. Whether you put number 10 or 65535, they are both higher than the static entries. Just have a look at the matching colours; my static crypto map entries are preferred over the dynamic one.
crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside
I have 1 more question for you:
Should the transform set be the same on both ends of the VPN peers??? If they are different, for example esp-3des esp-md5-hmac & esp-aes esp-sha-hmac on one end and esp-3des esp-md5-hmac only on the other end, will phase II come up????
Thanks