8515 Views, 15 Helpful, 26 Replies

ASA Site to Site VPN, not showing up

rsj
Level 1

Hi There,

I was troubleshooting an L2L VPN and was putting captures and checking ACLs, and suddenly "show crypto ikev1 sa" does not show the peer as MM_Active or its details.

Nor is it showing up in ASDM under Monitoring for Site to Site.

I can see that the object group and the Site2Site config are there in the ASDM, but what is happening?

26 Replies

here you go

local public ip 24.32.62.12
remote public ip 185.41.216.7
local ACL ip 192.168.248.0
remote ACL ip 192.168.11.0
Crypto map (lanlab)

Seems to me phase 2 is failing.

please do not forget to rate.

Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload

What does this mean? Is there a way I can start to interpret and understand it?

Secondly,

Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!

What is QM FSM error?

I am thankful to you.

"Give him food, he will eat one day!!"

"teach him to make, and he will make food for himself and others!!"

Thank you!! I will go through this doc carefully.

:-):-):-):-):-):-):-):-):-)

please do not forget to rate.

QM FSM Error. The IPsec L2L VPN tunnel does not come up on the firewall or ASA, and the QM FSM error message appears. One possible reason is that the proxy identities, such as interesting traffic, access control list (ACL) or crypto ACL, do not match on both ends.

please do not forget to rate.

Thank you!! :)

Is there a way to just debug a VPN tunnel and not get all the traffic from other tunnels that are up?

Just the tunnel that is down, is it possible?

debug crypto ikev1 127

debug crypto condition peer public-ip

or

You can capture the traffic too.

capture IPSECAP type isakmp interface outside

!

show capture IPSECAP decode

please do not forget to rate.
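
To answer the two questions above offline (what the QM FSM history lines mean, and how to look at only the tunnel that is down instead of every peer's output), here is an added Python example, not from this thread or from Cisco: it parses ASA IKEv1 debug lines in the format quoted above, filters them to one peer the way `debug crypto condition peer` does on the box, and flags the phase-2 failure. The 203.0.113.9 peer and all sample lines are constructed data modelled on the thread's output.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug lines quoted in this thread; the
# 203.0.113.9 peer is an invented healthy tunnel that the filter should exclude.
SAMPLE_DEBUG = """\
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:40 [IKEv1 DEBUG]Group = 203.0.113.9, IP = 203.0.113.9, Received keep-alive of type DPD R-U-THERE (seq number 0x0000000a)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<src>IKEv1(?: DEBUG)?)\]"
                     r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$")

def parse_ikev1_debug(text):
    """One dict (ts, src, group, ip, msg) per line that matches the ASA format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def filter_peer(records, peer_ip):
    """Offline equivalent of 'debug crypto condition peer <ip>': keep one peer only."""
    return [r for r in records if r["ip"] == peer_ip]

def summarize_phase2(records):
    """Per peer: QM FSM error count, FSM transitions, and whether the SA was deleted."""
    out = defaultdict(lambda: {"qm_fsm_errors": 0, "transitions": [], "deleted": False})
    for r in records:
        s = out[r["ip"]]
        msg = r["msg"]
        if msg.startswith("QM FSM error"):
            s["qm_fsm_errors"] += 1
        elif "FSM error history" in msg:
            # history is '<state>, <event>' pairs joined by '-->'; split into tuples
            body = msg.split("<state>, <event>: ", 1)[1]
            s["transitions"] = [tuple(p.split(", ")) for p in body.split("-->")]
        elif msg.startswith("sending delete"):
            s["deleted"] = True
    return dict(out)

def diagnose(summary_entry):
    """Map a peer's phase-2 history to a plain-language hint for the operator."""
    if summary_entry["qm_fsm_errors"] == 0:
        return "no phase 2 failure seen"
    if ("QM_WAIT_MSG2", "EV_TIMEOUT") in summary_entry["transitions"]:
        # QM message 1 was sent and message 2 never arrived: the peer rejected or ignored
        # the proposal, so compare the crypto ACL / proxy IDs on both ends first.
        return "timed out waiting for QM message 2: check proxy IDs / crypto ACL on both ends"
    return "phase 2 failed; inspect FSM history"
```

Run `diagnose(summarize_phase2(filter_peer(parse_ikev1_debug(text), "24.32.62.12"))["24.32.62.12"])` on a saved debug capture to get the hint for the one peer you care about.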

debug crypto condition peer public-ip: what does this do, as the machine is in production?

Secondly, I ran debug crypto ipsec 127 but it gave a huge dump as I have 9 more tunnels going on!!!

It's a rough patch!!!

Tunnel is MM_Active (both sides) but no traffic is passing....

And if I run debug I get all the tunnels' load!!!

Anyway, I have no idea why this is showing.. should it not show the type in the next column, IPsec and ACL too?
