Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
274
Views
0
Helpful
2
Replies

Cisco Site to Site VPN Connection

rikeshs01
Level 1
Level 1

‎11-21-2014 09:09 AM - edited ‎03-03-2019 07:40 AM

Hi,

 

I am having an issue getting a site to site vpn setup to work. Here what the logs are showing me

4|Nov 21 2014|08:22:03|113019|||||Group = 0.0.0.0, Username = 0.0.0.0, IP = 0.0.0.0, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Nov 21 2014|08:22:03|713259|||||Group = 0.0.0.0, IP = 0.0.0.0, Session is being torn down. Reason: crypto map policy not found
3|Nov 21 2014|08:22:03|713902|||||Group = 0.0.0.0, IP = 0.0.0.0, Removing peer from correlator table failed, no match!
3|Nov 21 2014|08:22:03|713902|||||Group = 0.0.0.0, IP = 0.0.0.0, QM FSM error (P2 struct &0x9fb81748, mess id 0x85416ca4)!
3|Nov 21 2014|08:22:03|713061|||||Group = 0.0.0.0, IP = 0.0.0.0, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.5.0.0/255.255.0.0/0/0 local proxy 192.168.0.0/255.255.252.0/0/0 on interface Outside
6|Nov 21 2014|08:22:03|713905|||||Group =0.0.0.0, IP = 0.0.0.0, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence

 

I have replaced the public wan ip to 0.0.0.0 for other site. I have also made sure that are IKE1 policy matches, we are using 3des-sha and 3des-md5. The other end has a d link firewall. We are using cisco asa 5510, i made sure our pre shared key matches also. Please help.

Labels:
0 Helpful
2 Replies 2

David Johan Castro Fernandez
Level 3
Level 3

‎11-23-2014 10:53 AM

Hello,

 

Usually when you get issues with this errors: QM FSM error (P2...

It is because we have issue with the encryption domains, though make sure phase 2 is set up correctly, make sure the 2 VPN gateways have the pertinent matching phase 2 --> ACL--> Match address and the transform set.

 

Attach the show tech of both ends.

 

Please don't forget to rate and mark as correct the helpful post!

 

David Castro,
 

Regards,

 

 

0 Helpful

rikeshs01
Level 1
Level 1
In response to David Johan Castro Fernandez

‎11-24-2014 06:57 AM

Hi,

 

Sorry i am trying to understand, so that means we are going to nat the original address at my location since my local network is 192.168.0.0/22 network? I made sure our IKEv1 and v2 is matching properly. But i am still getting exact error. Phase1 does complete.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card