05-05-2017 05:15 AM - edited 03-05-2019 08:28 AM
Hi guys
I'm changing the WAN IP on a remote site ASA. I've also applied the change on the VPN Concentrator at HQ.
Concentrator HQ - Cisco 2800
Remote Office - Cisco ASA 5505
Concentrator config:
crypto isakmp key ******** address
Crypto Map "SDM_CMAP_1" 259 ipsec-isakmp
Description: Tunnel to RemoteSite
Peer = 212.26.211.244
Extended IP access list 2430
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
Current peer: 212.26.211.244
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
SDM_3DES,
}
ASA Config
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 91.144.123.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 91.144.123.94 ipsec-attributes
pre-shared-key ********
I've run the debug and I'm seeing the following:
May 05 04:13:35 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:13:35 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Lost Service
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xc930f018, mess id 0x6d5b00f1)!
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Phase 2 Mismatch
May 05 04:14:14 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xca094e10, mess id 0x5af80a24)!
May 05 04:14:14 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:14:24 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xca094e10, mess id 0x5af80a24)!
May 05 04:14:24 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:14:33 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xc930f018, mess id 0xec1ad49c)!
I've checked both sides, and authentication, encryption and PSK all match up. I'm not sure what else it could be. I'd really appreciate some help.
Thank you :-)
05-05-2017 06:59 AM
The peer IP you set in the crypto map and tunnel group is 91.144.123.94.
crypto map Outside_map 20 set peer 91.144.123.94
tunnel-group 91.144.123.94 ipsec-attributes
But the debugs show the IP 81.144.203.94.
Also please post the ACL Outside_20_cryptomap.
Have you added the following configuration on ASA?
crypto map Outside_map enable outside
crypto ikev1 enable outside
05-05-2017 08:32 AM
Thanks very much for your reply. The correct IP is 81.
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 81.144.203.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable
I'm at a loss as to what this could be. Any help would be really appreciated!
05-05-2017 08:37 AM
Hi BHconsultants88@,
Have you changed the IP in tunnel group too?
Also post the ACL configuration of Outside_20_cryptomap.
05-05-2017 01:03 PM
I notice this message in what you posted
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Phase 2 Mismatch
This suggests that the phase 1 negotiation was successful but the phase 2 negotiation was not successful. Perhaps more detail about how they are configured would be helpful.
HTH
Rick
05-06-2017 09:54 AM
Hi Rick, thanks for your reply. Here's the config on the Concentrator and ASA:
CONCENTRATOR
Crypto Map "SDM_CMAP_1" 259 ipsec-isakmp
Description: Tunnel to RemoteSite
Peer = 212.26.211.244
Extended IP access list 2430
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
Current peer: 212.26.211.244
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
SDM_3DES,
}
crypto isakmp key ******** address 212.26.211.244
ip route 10.14.68.0 255.255.255.0 212.26.211.244
ASA
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 81.144.203.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 81.144.203.94 ipsec-attributes
pre-shared-key ********
Would really appreciate any assistance, this has really flummoxed me!
05-06-2017 09:59 PM
Hi BHconsultants88@,
On the ASA, your ACL must match the following, and set PFS under the crypto map. (ASA ACLs take subnet masks, not the IOS wildcard masks, so the three entries are written with 255.x masks here.)
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 165.2.58.0 255.255.255.0
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 165.2.60.0 255.255.255.0
crypto map Outside_map 20 set pfs group2
05-05-2017 09:58 PM
Hi,
You've got PFS configured on the 2800. Make sure you also have this configured on the ASA.
Or alternatively, you could remove it on the 2800 to get a successful IPsec SA.
PFS (Y/N): Y
DH group: group2
2800
crypto map SDM_CMAP_1 259 ipsec-isakmp
set pfs group2
ASA
crypto map Outside_map 20 set pfs group2
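The two answers above come down to the same pair of phase 2 checks: the crypto ACLs on each side must be exact mirror images of each other, and the PFS setting must agree. The script below is an added example and not code from the thread. It parses an IOS crypto ACL (wildcard masks) and an ASA crypto ACL (subnet masks) into proxy identities, reports any entry with no mirror on the other side, and compares the `set pfs` group in the two crypto map entries. The sample ACLs are constructed from the subnets posted in the thread, with the ASA side deliberately missing one entry and the PFS line, so the report shows what a "Phase 2 Mismatch" looks like before the fix is applied. Function names and the sample crypto map text are mine.

```python
import ipaddress
import re

# Constructed sample input modelled on the thread: IOS side uses wildcard masks.
IOS_ACL = """
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
"""
# Constructed ASA side (subnet masks), deliberately missing the 165.2.60.0 entry.
ASA_ACL_BROKEN = """
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 165.2.58.0 255.255.255.0
"""
ASA_ACL_FIXED = ASA_ACL_BROKEN + (
    "access-list Outside_20_cryptomap extended permit ip "
    "10.14.68.0 255.255.255.0 165.2.60.0 255.255.255.0\n")

# Constructed crypto map entries in running-config form ("set pfs groupN").
IOS_MAP = "crypto map SDM_CMAP_1 259 ipsec-isakmp\n set pfs group2\n"
ASA_MAP_BROKEN = "crypto map Outside_map 20 set transform-set ESP-3DES-SHA\n"
ASA_MAP_FIXED = ASA_MAP_BROKEN + "crypto map Outside_map 20 set pfs group2\n"


def _endpoint(tokens, wildcard):
    """Consume one source or destination from the token list.
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D MASK'. With wildcard=True the
    mask is an IOS wildcard (0.0.0.255) and is inverted to a subnet mask."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_crypto_acl(text, wildcard):
    """Return the set of (src, dst) networks permitted by a crypto ACL.
    Only 'permit ip' entries define proxy identities; anything else is skipped."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if len(tokens) <= i + 1 or tokens[i + 1] != "ip":
            continue
        src, rest = _endpoint(tokens[i + 2:], wildcard)
        dst, _ = _endpoint(rest, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_check(ios_pairs, asa_pairs):
    """IKEv1 quick mode needs exact mirrors: IOS (src, dst) == ASA (dst, src)."""
    mirrored_asa = {(dst, src) for (src, dst) in asa_pairs}
    return {
        "missing_on_asa": sorted(ios_pairs - mirrored_asa, key=str),
        "missing_on_ios": sorted(mirrored_asa - ios_pairs, key=str),
    }


PFS_RE = re.compile(r"set pfs\s+(group\d+)")


def pfs_group(crypto_map_text):
    """Return the PFS DH group named in a crypto map entry, or None if PFS is off."""
    m = PFS_RE.search(crypto_map_text)
    return m.group(1) if m else None


def phase2_report(ios_acl, asa_acl, ios_map, asa_map):
    """Combine the two checks; 'ok' is True only if both sides agree."""
    report = mirror_check(parse_crypto_acl(ios_acl, wildcard=True),
                          parse_crypto_acl(asa_acl, wildcard=False))
    report["pfs"] = (pfs_group(ios_map), pfs_group(asa_map))
    report["ok"] = (not report["missing_on_asa"] and not report["missing_on_ios"]
                    and report["pfs"][0] == report["pfs"][1])
    return report


if __name__ == "__main__":
    for label, acl, cmap in (("before fix", ASA_ACL_BROKEN, ASA_MAP_BROKEN),
                             ("after fix", ASA_ACL_FIXED, ASA_MAP_FIXED)):
        r = phase2_report(IOS_ACL, acl, IOS_MAP, cmap)
        print(label, "ok" if r["ok"] else "MISMATCH",
              "missing_on_asa=", [f"{s} -> {d}" for s, d in r["missing_on_asa"]],
              "pfs=", r["pfs"])
```

Run it against the real `show running-config` output from both boxes rather than the constructed samples; a non-empty `missing_on_asa` or `missing_on_ios` list, or a PFS tuple such as `('group2', None)`, is exactly the condition the ASA reports as "QM FSM error" followed by "Phase 2 Mismatch".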