Tunnel mismatch

wmurray · ‎03-12-2007

I have a tunnel between a PIX 515E version 7.2(2)and a Cisco 3800 version 12.3(11r). There is a mismatch somewere in the configs but I cannot find it. Any help would be appreciated. I have included the configs and the syslog errors.

Kamal Malhotra · ‎03-12-2007

Hi Bill,

Please notice the following log message :

Could not delete route for L2L peer that came in on a dynamic map. address: 167.18.19.0, mask: 255.0.0.0

It shows an 8 bit subnet mask. Please check the crypto ACLs on each device. Also the phase 1 lifetime is lower than that of phase 2. This is an incorrect implementation. Please make sure that the either the phase 1 lifetime is hiher than that of phase 2 or atleast equal.

HTH,

Please rate if it helps,

Regards,

Kamal

wmurray · ‎03-13-2007

Why is an 8-bit mask an issue?

Kamal Malhotra · ‎03-13-2007

Hi,

Its not if it the same on both the ends. Just make sure that it is the same on both the ends.

HTH,

Kamal

Kamal Malhotra · ‎03-14-2007

Hi,

Has your problem been resolved?

Regards,

Kamal

hozulumba · ‎02-02-2012

I came across the same problem:

QM FSM error (P2 struct ....

IKE QM Responder FSM error history (struct &0x254e780) , : QM_DONE,....

sending delete/delete with reason message

Removing peer from correlator table failed, no match!

Could not delete route for L2L peer that came in on a dynamic map.

The problem was that a dynamic crypto map for client VPN connecions was conflicting with a Static crypto map.

because the priority for dynamic map was higher than the L2L map.

if you have something like this:

crypto map mapname 10 ipsec-isakmp dynamic outside_dyn_map

crypto map mapname 11 match address map_ACL

change it to something like this

crypto map mapname 11 match address map_ACL

crypto map mapname 6000 ipsec-isakmp dynamic outside_dyn_map

making the dynamic map the last on your priority. This fixed my problem although the QM FSM error is quite generic.