Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
2
Replies

Site-to-Site VPN ASA5510 - 887VA dropping every 20 seconds - help please

TRO Group
Level 1
Level 1

‎04-22-2013 03:39 AM - edited ‎03-04-2019 07:40 PM

Hi Guys

I have an issue with a site-to-site VPN tunnel between a ASA5510 and 887VA.  I  have two tunnels connected to the ASA and one seems to be affected where by the tunnel is disconnected and brought up around every 20 seconds.  The tunnel is re-established instantly but this break in transmission is causing application issues.

I wonder if you wonderful people might help me troubleshoot this issue.  Please be gentle i am no VPN expert.

Look forward to your suggestions

Kind Regards

Jonny

Labels:
0 Helpful
2 Replies 2

TRO Group
Level 1
Level 1

‎04-22-2013 03:59 AM

After running a debug i have the follwing outputted:

>Apr 22 11:56:52 [IKEv1]Group = 88.215.27.14, IP = 88.215.27.14, QM FSM error (P2 struct &0xad825390, mess                                id 0xae7b95c7)!

Apr 22 11:56:52 [IKEv1]Group = 88.215.27.14, IP = 88.215.27.14, Removing peer from correlator table failed, no match!

Apr 22 11:56:52 [IKEv1]Group = 88.215.27.14, IP = 88.215.27.14, Session is being torn down. Reason: User Requested

Apr 22 11:57:22 [IKEv1]Group = 88.215.27.14, IP = 88.215.27.14, QM FSM error (P2 struct &0xaf1ba7a8, mess id 0x6e17a402

0 Helpful

Muhammad Azhar
Level 1
Level 1
In response to TRO Group

‎05-02-2013 05:39 AM

please look at following URL.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

...

QM FSM Error

The IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA,       and the QM FSM error message appears.

One possible reason is the proxy identities, such as interesting       traffic, access control list (ACL) or crypto ACL, do not match on both the       ends. Check the configuration on both the devices, and make sure that the       crypto ACLs match.

Another possible reason is mismatching of the transform set parameters.       Make sure that at both ends, VPN gateways use the same transform set with the       exact same parameters.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card