TCC_2

Core issue

The dynamic-to-static tunnel fails to come up on the PIX/Cisco Adaptive Security Appliance (ASA), and the debug output shows:

[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)

[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

The dynamic-to-static VPN tunnel can fail to come up on the PIX/ASA if the dynamic crypto map entry comes before the static crypto map entry in the sequence, as this example output shows:

crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto dynamic-map cisco 1 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic cisco
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 101
crypto map newmap 40 set peer 4.4.4.4
crypto map newmap 40 set transform-set myset
crypto map newmap interface outside

In this example, if the remote peer 4.4.4.4 tries to initiate a connection, the tunnel does not come up because the proposal hits the dynamic map (sequence 20) before the static entry (sequence 40) that is configured for that peer. Because the dynamic crypto map yields no match, the packet is dropped.

Resolution

In order to resolve this issue, assign a higher sequence number to the dynamic crypto map, as this example output shows:

crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto dynamic-map cisco 1 set transform-set myset
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 101
crypto map newmap 40 set peer x.x.x.x
crypto map newmap 40 set transform-set myset
crypto map newmap 65525 ipsec-isakmp dynamic cisco
crypto map newmap interface outside
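
As an added example (not from the original post or from Cisco), the following Python audit parses crypto map entries in the format shown above and flags any static entry whose sequence number is higher than a dynamic entry on the same map, which is the ordering that produces the QM FSM error. The two configurations are constructed inline from the broken and corrected examples above.

```python
import re
from collections import defaultdict

# Constructed sample: the broken ordering from the post (dynamic entry at seq 20
# sits below the static entry at seq 40, so peer 4.4.4.4 hits the dynamic map first).
BROKEN_CONFIG = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic cisco
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 101
crypto map newmap 40 set peer 4.4.4.4
crypto map newmap 40 set transform-set myset
crypto map newmap interface outside
"""

# Constructed sample: the corrected ordering (dynamic entry moved to seq 65525).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "crypto map newmap 20 ipsec-isakmp dynamic cisco", ""
) + "crypto map newmap 65525 ipsec-isakmp dynamic cisco\n"

# Matches the entry-defining line: "crypto map <name> <seq> ipsec-isakmp [dynamic <dyn-map>]"
ENTRY_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) ipsec-isakmp(?: dynamic (?P<dyn>\S+))?\s*$"
)

def parse_crypto_map_entries(config):
    """Return {map_name: [(seq, is_dynamic), ...]} for every ipsec-isakmp entry."""
    entries = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["name"]].append((int(m["seq"]), m["dyn"] is not None))
    return entries

def find_shadowed_static_entries(config):
    """Report static entries ordered after a dynamic entry on the same crypto map."""
    findings = []
    for name, items in parse_crypto_map_entries(config).items():
        dynamic_seqs = [seq for seq, dyn in items if dyn]
        if not dynamic_seqs:
            continue
        lowest_dynamic = min(dynamic_seqs)  # first dynamic entry a peer would hit
        for seq, dyn in items:
            if not dyn and seq > lowest_dynamic:
                findings.append(f"crypto map {name}: static entry {seq} is shadowed by dynamic entry {lowest_dynamic}")
    return findings

if __name__ == "__main__":
    print("broken:", find_shadowed_static_entries(BROKEN_CONFIG))
    print("fixed:", find_shadowed_static_entries(FIXED_CONFIG))
```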

For additional information on how to configure a dynamic-to-static VPN tunnel between the PIX and ASA, refer to PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example.
