
515e to 3005, phase 2 fails

bob
Level 1

Good morning gentlemen,

I'm attempting to troubleshoot a remote PIX 515e which is supposed to be connecting into my 3005. Below are the error messages I am receiving on the 3005, and a bit of the config. Some background info: the 2 boxes are on the same ISP, I have set on the 3005 to use group 2 for des,

23302 01/11/2005 08:50:03.550 SEV=4 AUTH/85 RPT=536

LAN-to-LAN tunnel to headend device 209.xxx.xxx.xxx disconnected: duration: 0:00:32

23301 01/11/2005 08:50:03.550 SEV=4 AUTH/23 RPT=536 209.xxx.xxx.xxx

User [209.xxx.xxx.xxx] Group [209.xxx.xxx.xxx] disconnected: duration: 0:00:32

23300 01/11/2005 08:50:03.540 SEV=4 IKEDBG/97 RPT=1223 209.xxx.xxx.xxx

Group [209.xxx.xxx.xxx]

QM FSM error (P2 struct &0x3712d3c, mess id 0x94bda53a)!

23299 01/11/2005 08:49:31.530 SEV=4 AUTH/84 RPT=537

LAN-to-LAN tunnel to headend device 209.xxx.xxx.xxx connected

23297 01/11/2005 08:49:31.530 SEV=4 AUTH/22 RPT=620

User [209.xxx.xxx.xxx] Group [209.xxx.xxx.xxx] connected, Session Type: IPSec/LAN-to-LAN

23296 01/11/2005 08:49:31.520 SEV=4 IKE/119 RPT=880 209.xxx.xxx.xxx

Group [209.xxx.xxx.xxx]

PHASE 1 COMPLETED

Below is the config of the 515e regarding isakmp and the crypto map

sysopt connection permit-ipsec

crypto ipsec transform-set aptset esp-des esp-md5-hmac

crypto map aptmap 10 ipsec-isakmp

crypto map aptmap 10 match address vpn

crypto map aptmap 10 set peer 209.xxx.xxx.xxx

crypto map aptmap 10 set transform-set aptset

crypto map aptmap interface outside

isakmp enable outside

isakmp key ******** address 209.xxx.xxx.xxx netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

1 Reply

ehirsel
Level 6

On the pix run this command:

debug cry ipsec - this will get some error messages displayed on the pix with regards to phase 2 setup.

Ensure that the ACLs are mirror images of each other on the PIX and 3005.

Is nat being used at all?

Post the PIX debug messages here, as that will help me fix your issue.
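
The mirror-image check suggested in the reply can be done mechanically. The following is an added example, not part of the original thread: it assumes PIX 6.x `access-list <name> permit ip <src> <netmask> <dst> <netmask>` syntax and that the 3005's local and remote network lists are written as address/wildcard entries; the ACL name `vpn` comes from the posted crypto map, while all addresses and the helper names are constructed for illustration.

```python
import ipaddress

def parse_pix_acl(config, name):
    """Collect (source, destination) networks from the named PIX crypto ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) != 8 or tok[:4] != ["access-list", name, "permit", "ip"]:
            continue  # this sketch ignores 'host', 'any' and per-port entries
        src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")  # PIX uses netmasks
        dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
        pairs.add((src, dst))
    return pairs

def parse_wildcard_list(entries):
    """Parse address/wildcard entries such as 10.1.0.0/0.0.0.255."""
    # ip_network() accepts a host (wildcard) mask and converts it to a prefix.
    return {ipaddress.ip_network(entry) for entry in entries.split()}

def mirror_check(pix_pairs, hub_local, hub_remote):
    """Compare the PIX ACL with the mirror of the 3005 local/remote lists.

    The 3005 protects local -> remote, so the PIX must protect exactly
    remote -> local for every combination, with identical masks.
    """
    expected = {(r, l) for l in hub_local for r in hub_remote}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return {
        "missing_on_pix": fmt(expected - pix_pairs),
        "only_on_pix": fmt(pix_pairs - expected),
    }

# Constructed sample data: the PIX side uses a /16 where the 3005 uses a /24.
PIX_CONFIG = """\
access-list vpn permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
HUB_LOCAL = "10.1.0.0/0.0.0.255"        # 3005 local network list
HUB_REMOTE = "192.168.10.0/0.0.0.255"   # 3005 remote network list

if __name__ == "__main__":
    result = mirror_check(parse_pix_acl(PIX_CONFIG, "vpn"),
                          parse_wildcard_list(HUB_LOCAL),
                          parse_wildcard_list(HUB_REMOTE))
    for side, pairs in result.items():
        print(side, pairs)
```

Both lists come back empty only when every source/destination pair and mask on the PIX matches the reverse of the 3005's definition.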