Tunnel Reject error on 3005 to 3030 Peer-to-Peer

pshuen
Level 1

We need to have remote traffic come in as 10.2.2.x.

Main Site (3030)

IPSEC L2L config as follows: (Note: We are not natting anything on our LAN)

Local: 10.10.0.x

Remote: 10.2.2.x

Remote Site (3005)

A L2L NAT rule was created as follows:

Local: 10.5.1.x

Translate: 10.2.2.x

Remote: 10.10.0.x

IPSEC L2L config:

Local: 10.2.2.x

Remote: 10.10.0.x

The initial Connection type was set to “Originate Only” on the 3005 and “Bi-Directional” on the 3030. We later changed to “Bi-Directional” on both ends. We have verified that the Pre-Shared key, IKE and authentication are correct. We are running into misconfiguration and “Tunnel Reject” errors:

Group [3005 IP]

PHASE 1 COMPLETED

User [3005 IP] Group [3005 IP] connected, Session Type: IPSec/LAN-to-LAN

LAN-to-LAN tunnel to headend device [3005 IP] connected

Group [3005 IP]

Received remote Proxy Host data in ID Payload:

Address 3005 IP, Protocol 0, Port 0

Group [3005 IP]

Received local Proxy Host data in ID Payload:

Address [3030 IP], Protocol 0, Port 0

Remote L2L Peer Originate Only? Possible misconfiguration!

Group [3005 IP]

Tunnel rejected: Policy not found for Src: [3005 IP], Dst: [3030 IP]!

QM FSM error (P2 struct &0x5de0468, mess id 0x42b7161c)!

Group [3005 IP]

Sending IKE Delete With Reason message: No

User [3005 IP] Group [3005 IP] disconnected: duration: 0:00:00

LAN-to-LAN tunnel to headend device [3005 IP] disconnected: duration: 0:00:00
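
Added example, not part of the original post: a Python check that pulls the proxy identities and the rejection line out of log text like the above and compares them with the L2L network lists configured on the 3030. The peer addresses are constructed stand-ins for the redacted [3005 IP] and [3030 IP]; the /24 masks and the reading of the log as taken on the 3030 are assumptions.

```python
import ipaddress
import re

# Constructed sample: log lines from the post, with the redacted
# "[3005 IP]" / "[3030 IP]" replaced by documentation addresses.
SAMPLE_LOG = """\
Received remote Proxy Host data in ID Payload:
Address 192.0.2.5, Protocol 0, Port 0
Received local Proxy Host data in ID Payload:
Address 198.51.100.30, Protocol 0, Port 0
Tunnel rejected: Policy not found for Src: 192.0.2.5, Dst: 198.51.100.30!
"""

# L2L networks as listed for the 3030 in the post. The /24 masks are an
# assumption: the post only writes "10.10.0.x" and "10.2.2.x".
CONFIG_3030 = {"local": "10.10.0.0/24", "remote": "10.2.2.0/24"}

PROXY_RE = re.compile(
    r"Received (remote|local) Proxy Host data in ID Payload:\s*"
    r"Address ([\d.]+)")
REJECT_RE = re.compile(
    r"Tunnel rejected: Policy not found for Src: ([\d.]+), Dst: ([\d.]+)")


def parse_proxies(log):
    """Map 'remote'/'local' to the host proxy received in the ID payload."""
    return {side: ipaddress.ip_network(addr + "/32")
            for side, addr in PROXY_RE.findall(log)}


def check(log, config):
    """List every proxy identity that falls outside the configured network."""
    findings = []
    for side, offered in parse_proxies(log).items():
        expected = ipaddress.ip_network(config[side])
        if not offered.subnet_of(expected):
            findings.append(
                f"{side} proxy {offered} is outside configured {expected}")
    rejected = REJECT_RE.search(log)
    if rejected:
        findings.append(
            f"rejected: no policy for {rejected.group(1)} -> {rejected.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_LOG, CONFIG_3030):
        print(finding)
```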

1 Reply

drolemc
Level 6

The QM FSM error indicates a received packet is out of order or not received at all. You need to look at your network to see why this might be happening.