QM FSM error

stu
Level 1

Keep getting a QM FSM error after a LAN-to-LAN connection gets created. Phase 1 completes and that's it. After 32 seconds the connection disconnects. Here is the log that gets created:

1505 08/11/2005 10:56:02.450 SEV=4 IKE/41 RPT=90 151.193.130.208
IKE Initiator: New Phase 1, Intf 2, IKE Peer 151.193.130.208
local Proxy Address 167.206.199.200, remote Proxy Address 151.193.130.208,
SA (L2L: TSabreB2B)
1509 08/11/2005 10:56:02.890 SEV=5 IKE/73 RPT=83 151.193.130.208
Responder forcing change of IKE rekeying duration from 86400 to 3600 seconds
Group [L2L: TSabreB2B]
PHASE 1 COMPLETED
User [L2L: TSabreB2B] Group [L2L: TSabreB2B] connected, Session Type: IPSec/LAN-
1511 08/11/2005 10:56:02.980 SEV=4 AUTH/22 RPT=27
User [L2L: TSabreB2B] Group [L2L: TSabreB2B] connected, Session Type: IPSec/LAN-to-LAN
1513 08/11/2005 10:56:02.980 SEV=4 AUTH/84 RPT=20
LAN-to-LAN tunnel to headend device 151.193.130.208 connected
1514 08/11/2005 10:56:35.000 SEV=4 IKEDBG/0 RPT=19
QM FSM error (P2 struct &0x3799b50, mess id 0x2dd5445a)!
1515 08/11/2005 10:56:35.010 SEV=4 AUTH/23 RPT=19 151.193.130.208
User [L2L: TSabreB2B] Group [L2L: TSabreB2B] disconnected: duration: 0:00:32
1516 08/11/2005 10:56:35.010 SEV=4 AUTH/85 RPT=19
LAN-to-LAN tunnel to headend device 151.193.130.208 disconnected: duration: 0:00:32

We have a 3005 concentrator connecting to a Pix at our vendors side. I have no access to any Pix configurations except for the access list.

Thought I had set up the connection correctly, but I guess I am missing something.

Thanks in advance for any help.

Stu

7 Replies

umedryk
Level 5

You could try one of these: on the 3000 series concentrator, if you had configured LAN-to-LAN Network Autodiscovery, change it to None; or change from host to network in the network list.

aaberg
Level 1

I'm having a similar problem on a CVPN 3015. In my case the remote peer is a Netscreen that's 100% managed by the remote site. I have no access to the config at all.

My log shows:

20408 09/01/2005 15:08:20.480 SEV=12 IKEDECODE/7 RPT=12299
IKE Initiator sending Initial Contact
20409 09/01/2005 15:08:20.480 SEV=9 IKEDBG/0 RPT=63876 7.33.3.62
Group [7.33.3.62]
constructing qm hash
20410 09/01/2005 15:08:20.480 SEV=12 IKEDECODE/4 RPT=63455
IKE Initiator sending 1st QM pkt: msg id = 58f8d5f3
20411 09/01/2005 15:08:20.480 SEV=8 IKEDBG/0 RPT=63877 7.33.3.62
SENDING Message (msgid=58f8d5f3) with payloads :
HDR + HASH (8) + SA (1)
total length : 180
20679 09/01/2005 15:08:52.480 SEV=4 IKEDBG/0 RPT=63948
QM FSM error (P2 struct &0x5ee4180, mess id 0x58f8d5f3)!
20680 09/01/2005 15:08:52.480 SEV=7 IKEDBG/65 RPT=54949 7.33.3.62
Group [7.33.3.62]
IKE QM Initiator FSM error history (struct &0x5ee4180)
, :
QM_DONE, EV_ERROR
QM_WAIT_MSG2, EV_TIMEOUT
QM_WAIT_MSG2, NullEvent
QM_SND_MSG1, EV_SND_MSG
20685 09/01/2005 15:08:52.480 SEV=9 IKEDBG/0 RPT=63949
sending delete/delete with reason message

Local and Remote Network lists show class c networks and routing is set to none. Keepalives are also disabled because the Netscreen doesn't support them.

If anyone has an idea what is causing this I'd really like to know.

Thanks!!
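The two log excerpts in this thread have the same shape: Phase 1 succeeds, the concentrator sends the first Quick Mode message, nothing comes back, and 32 seconds later the "QM FSM error" fires with an FSM history ending in QM_WAIT_MSG2 / EV_TIMEOUT. As an added example (not code from the thread or from Cisco), here is a small Python triage script that groups VPN 3000 event-log lines into records, pulls out the Quick Mode message id and the FSM error history, measures how long after Phase 1 the failure came, and turns that into a hint. The record layout is modelled on the excerpts above; the sample log, its sequence numbers and its 192.0.2.x peer address are constructed.

```python
"""Triage a Cisco VPN 3000 concentrator event log for IKE Quick Mode failures.

Added example, not code from the thread or from Cisco. Record layout (modelled
on the excerpts above): a header line
    <seq> <MM/DD/YYYY HH:MM:SS.mmm> SEV=<n> <CLASS>/<id> RPT=<n> [<peer-ip>]
followed by one or more message lines that belong to that record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+)/(?P<code>\d+) RPT=\d+"
    r"(?: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?$"
)
QM_ERROR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id 0x(?P<msgid>[0-9a-f]+)\)")
QM_SENT = re.compile(r"sending 1st QM pkt: msg id = (?P<msgid>[0-9a-f]+)")
HISTORY_ENTRY = re.compile(r"^(?P<state>QM_[A-Z0-9_]+), (?P<event>\w+)$")


@dataclass
class Event:
    seq: int
    ts: datetime
    sev: int
    cls: str                     # event class: IKE, IKEDBG, IKEDECODE, AUTH, ...
    code: int
    peer: Optional[str]
    body: list[str] = field(default_factory=list)


@dataclass
class Diagnosis:
    phase1_completed: bool = False
    qm_sent_msgids: list[str] = field(default_factory=list)
    qm_error_msgid: Optional[str] = None
    fsm_history: list[tuple[str, str]] = field(default_factory=list)  # newest first, as logged
    seconds_to_failure: Optional[float] = None
    hint: str = ""


def parse_log(text: str) -> list[Event]:
    """Group raw lines into Event records; blank lines are ignored."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append(Event(
                seq=int(m["seq"]), ts=datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
                sev=int(m["sev"]), cls=m["cls"], code=int(m["code"]), peer=m["peer"],
            ))
        elif events:                      # continuation line of the current record
            events[-1].body.append(line)
    return events


def diagnose(events: list[Event]) -> Diagnosis:
    """Extract the Phase 2 facts from the records and turn them into a hint."""
    d = Diagnosis()
    phase1_at: Optional[datetime] = None
    for ev in events:
        text = "\n".join(ev.body)
        if "PHASE 1 COMPLETED" in text:
            d.phase1_completed, phase1_at = True, ev.ts
        if m := QM_SENT.search(text):
            d.qm_sent_msgids.append(m["msgid"])
        if m := QM_ERROR.search(text):
            d.qm_error_msgid = m["msgid"]
            if phase1_at is not None:
                d.seconds_to_failure = (ev.ts - phase1_at).total_seconds()
        if "FSM error history" in text:
            d.fsm_history.extend((h["state"], h["event"]) for h in map(HISTORY_ENTRY.match, ev.body) if h)
    if d.qm_error_msgid is None:
        d.hint = "no Quick Mode failure in this excerpt"
    elif ("QM_WAIT_MSG2", "EV_TIMEOUT") in d.fsm_history:
        d.hint = (f"the peer never answered the first Quick Mode message (msg id {d.qm_error_msgid}): "
                  "compare the network lists (proxy IDs) and the PFS setting on both ends")
    elif d.phase1_completed:
        d.hint = "Phase 1 succeeded but Phase 2 failed: compare the Phase 2 settings on both ends"
    else:
        d.hint = "Phase 1 did not complete in this excerpt; look at the Phase 1 exchange first"
    return d


# Constructed sample in the same layout (peer address from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
101 09/01/2005 15:08:20.480 SEV=5 IKE/73 RPT=1 192.0.2.10
Group [192.0.2.10]
PHASE 1 COMPLETED
102 09/01/2005 15:08:20.480 SEV=12 IKEDECODE/4 RPT=2
IKE Initiator sending 1st QM pkt: msg id = 58f8d5f3
103 09/01/2005 15:08:52.480 SEV=4 IKEDBG/0 RPT=3
QM FSM error (P2 struct &0x5ee4180, mess id 0x58f8d5f3)!
104 09/01/2005 15:08:52.480 SEV=7 IKEDBG/65 RPT=4 192.0.2.10
Group [192.0.2.10]
IKE QM Initiator FSM error history (struct &0x5ee4180)
, :
QM_DONE, EV_ERROR
QM_WAIT_MSG2, EV_TIMEOUT
QM_WAIT_MSG2, NullEvent
QM_SND_MSG1, EV_SND_MSG
"""

if __name__ == "__main__":
    r = diagnose(parse_log(SAMPLE_LOG))
    print(f"Phase 1 completed: {r.phase1_completed}")
    print(f"QM error msg id:   {r.qm_error_msgid} ({r.seconds_to_failure:.1f}s after Phase 1)")
    # the log prints the history newest-first; reverse it to read chronologically
    print("FSM history:      ", " -> ".join(f"{s}/{e}" for s, e in reversed(r.fsm_history)))
    print("Hint:", r.hint)
```

Read chronologically, the history is SND_MSG1 / EV_SND_MSG, then WAIT_MSG2 with no event, then WAIT_MSG2 / EV_TIMEOUT, then DONE / EV_ERROR: the concentrator sent Quick Mode message 1 and simply never got message 2. A peer that silently drops message 1 is exactly what you see when the proposal it contains (proxy IDs, PFS) is not acceptable to it, which is why the replies below on network lists and PFS are the right places to look.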

Hi,

I found I had a similar issue, whereby my network access lists were set as 10.0.0.0/0.0.0.255 for each site.

I had site C, connecting to site B, which in turn connected to site A.

Site A, had a large number of 10.x.x.x networks, where as sites B and C only had the one, but site B needed to connect to multiple sites behind site A.

As a test, I changed the network of the remote site (site C) to a 192.168.x.x address and it worked fine, no other changes other than the network list.

Be sure your networks lists match at each end.

Hope this helps.

I had an error like that and I resolved it by removing/enabling PFS from both sides.

You could try that

Gianrico
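The replies above converge on two Phase 2 settings that must agree at both ends: the network lists (the proxy IDs sent in Quick Mode message 1, including host-versus-network entries as in the first reply) and PFS, which has to be on at both ends or off at both. As an added example, not from the thread or from any Cisco tool, here is a Python consistency check for a LAN-to-LAN Phase 2 definition that reports exactly those mismatches and explains a host/network overlap. Site names, addresses and the DH group are constructed; the address/wildcard converter follows the 10.0.0.0/0.0.0.255 notation used in one of the replies.

```python
"""Consistency check for an IPsec LAN-to-LAN Phase 2 (Quick Mode) definition.

Added example, not from the thread or from any Cisco tool. It checks the two
things the replies point at: each side's local list must mirror the other
side's remote list, and PFS must be enabled on both sides or on neither.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional


def from_wildcard(addr: str, wildcard: str) -> IPv4Network:
    """Convert an address/wildcard pair (e.g. 10.0.0.0 0.0.0.255) to a network."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):                     # wildcard bits must be a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def nets(*entries: str) -> frozenset[IPv4Network]:
    """Build a network list from CIDR strings; a bare /32 is a host entry."""
    return frozenset(ip_network(e, strict=False) for e in entries)


@dataclass(frozen=True)
class Phase2Side:
    name: str
    local_nets: frozenset[IPv4Network]    # what this side protects
    remote_nets: frozenset[IPv4Network]   # what it expects behind the peer
    pfs_group: Optional[int]              # DH group, or None when PFS is disabled


def _explain(a_name, a_nets, b_name, b_nets) -> str:
    """Describe the entries that differ, calling out host-inside-network overlaps."""
    notes = []
    for owner, own, other_name, other in ((a_name, a_nets, b_name, b_nets), (b_name, b_nets, a_name, a_nets)):
        for n in sorted(own - other):
            inside = [t for t in other if n.subnet_of(t)]
            if inside:
                kind = "host entry" if n.num_addresses == 1 else "subnet"
                notes.append(f"{owner} has {kind} {n} inside {inside[0]} on {other_name}")
            else:
                notes.append(f"{owner} has {n} with no counterpart on {other_name}")
    return "; ".join(notes)


def check_phase2(a: Phase2Side, b: Phase2Side) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the two sides agree."""
    findings: list[tuple[str, str]] = []
    if a.local_nets != b.remote_nets:
        findings.append(("LOCAL_MISMATCH", f"{a.name} local list is not mirrored by {b.name} remote list: "
                         + _explain(a.name, a.local_nets, b.name, b.remote_nets)))
    if a.remote_nets != b.local_nets:
        findings.append(("REMOTE_MISMATCH", f"{a.name} remote list is not mirrored by {b.name} local list: "
                         + _explain(a.name, a.remote_nets, b.name, b.local_nets)))
    if (a.pfs_group is None) != (b.pfs_group is None):
        on = a.name if a.pfs_group is not None else b.name
        findings.append(("PFS_MISMATCH", f"PFS is enabled on {on} only; enable it on both sides or disable it on both"))
    elif a.pfs_group != b.pfs_group:
        findings.append(("PFS_GROUP", f"PFS DH group differs: {a.name} group {a.pfs_group}, {b.name} group {b.pfs_group}"))
    return findings


# Constructed sample: the concentrator side lists the far LAN as a single host and has PFS on;
# the far side (configured with address/wildcard pairs) uses a whole /24 and has PFS off.
SITE_A = Phase2Side("concentrator", nets("10.1.0.0/24"), nets("10.2.0.5/32"), pfs_group=2)
SITE_B = Phase2Side("pix", frozenset({from_wildcard("10.2.0.0", "0.0.0.255")}),
                    frozenset({from_wildcard("10.1.0.0", "0.0.0.255")}), pfs_group=None)
# The same side after applying the thread's fixes: network instead of host, PFS matched.
SITE_A_FIXED = Phase2Side("concentrator", nets("10.1.0.0/24"), nets("10.2.0.0/24"), pfs_group=None)

if __name__ == "__main__":
    for code, msg in check_phase2(SITE_A, SITE_B) or [("OK", "both sides agree")]:
        print(f"{code}: {msg}")
    print("after fix:", check_phase2(SITE_A_FIXED, SITE_B) or "both sides agree")
```

The check is intentionally strict about mirroring rather than accepting overlapping ranges, because a host entry on one side and a /24 on the other is precisely the case the first reply describes, and the finding text says which entry sits inside which so the fix is obvious from the output.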

Thank you, Gianrico. Fixed my problem and saved me a lot of time :-)

Enabling PFS on both sides fixed it for me, too. ASA 5510 <--> SonicWall TZ VPN, FYI.


Thanks!

I was facing that issue but it is now resolved. Thanks a lot, Gianrico.