Rising star

Re: ASA Site to Site VPN , not showing up

here you go

local public  ip 24.32.62.12
remote public ip 185.41.216.7
local ACL ip 192.168.248.0
remote ACL ip 192.168.11.0
Crypto map (lanlab)

 

 

Seems to me phase 2 is failing.

please do not forget to rate.
rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload

 

What does this mean!! Is there a way I can start to interpret and understand!!

Secondly,

 

Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!

 

What is QM FSM error?

Rising star

Re: ASA Site to Site VPN , not showing up

rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

I am thankful to you.

"Give him food, he will eat one day!!"

"Teach him to make, and he will make food for himself and others!!"

Thank you!! I will go through this doc carefully.

Rising star

Re: ASA Site to Site VPN , not showing up

:-):-):-):-):-):-):-):-):-)

please do not forget to rate.
Rising star

Re: ASA Site to Site VPN , not showing up

 

 

 

QM FSM Error. The IPsec L2L VPN tunnel does not come up on the firewall or ASA, and the QM FSM error message appears. One possible reason is that the proxy identities, such as interesting traffic, access control list (ACL) or crypto ACL, do not match on both ends.

please do not forget to rate.
rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

Thank you!! :)

rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

Is there a way to just debug a VPN tunnel and not get all the traffic from other tunnels that are up?

Just the tunnel that is down, is it possible?

Rising star

Re: ASA Site to Site VPN , not showing up

debug crypto ikev1 127

debug crypto condition peer public-ip

or

you can capture the traffic too.

 

capture IPSECAP type isakmp interface outside

!

show capture IPSECAP decode

please do not forget to rate.
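
Added example, not part of any reply in this thread: an offline filter for saved ASA IKEv1 debug output that keeps one peer's lines and pairs each "QM FSM error" with its FSM history, which covers both questions above (reading the error, and isolating one tunnel among many). The second peer 198.51.100.9 and all function names are constructed; reading `QM_WAIT_MSG2` with `EV_TIMEOUT` as "no reply to the first Quick Mode message" is an interpretation of the state names as printed.

```python
import re

# Constructed sample: four lines copied from the debug output in this thread,
# plus one constructed line for a second peer (198.51.100.9) to show filtering.
SAMPLE = """\
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:40 [IKEv1 DEBUG]Group = 198.51.100.9, IP = 198.51.100.9, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \[IKEv1(?: DEBUG)?\]"
                  r"Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+), (?P<msg>.*)$")
ERROR = re.compile(r"QM FSM error \(P2 struct &(?P<struct>0x[0-9a-f]+), mess id (?P<mid>0x[0-9a-f]+)\)")
HISTORY = re.compile(r"IKE QM (?P<role>\w+) FSM error history "
                     r"\(struct &(?P<struct>0x[0-9a-f]+)\) <state>, <event>: (?P<steps>.*)$")

def parse(text):
    """Return one dict (ts, group, ip, msg) per recognised IKEv1 debug line."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def for_peer(records, peer_ip):
    """Keep only the lines logged for one tunnel peer."""
    return [r for r in records if r["ip"] == peer_ip]

def qm_failures(records):
    """Pair each 'QM FSM error' with its FSM history via the struct pointer."""
    found = {}
    for r in records:
        if (e := ERROR.search(r["msg"])):
            found.setdefault(e["struct"], {}).update(peer=r["ip"], ts=r["ts"], msg_id=e["mid"])
        elif (h := HISTORY.search(r["msg"])):
            steps = [tuple(s.split(", ", 1)) for s in h["steps"].split("-->")]
            found.setdefault(h["struct"], {}).update(peer=r["ip"], role=h["role"], steps=steps)
    return list(found.values())

def timed_out_waiting_for(failure):
    """States in which EV_TIMEOUT fired (state names as printed by the ASA)."""
    return sorted({state for state, event in failure.get("steps", []) if event == "EV_TIMEOUT"})

if __name__ == "__main__":
    for f in qm_failures(for_peer(parse(SAMPLE), "24.32.62.12")):
        print(f["peer"], f["msg_id"], f["role"], timed_out_waiting_for(f))
```
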
rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

debug crypto condition peer public-ip: what does this do, as the machine is in production?

Secondly, I ran debug crypto ipsec 127 but it gave a huge dump, as I have 9 more tunnels going on!!!

It's a rough patch!!!

Tunnel is MM_Active (both sides) but no traffic is passing....

And if I run debug I get all tunnels' load!!!

rsj Beginner
Beginner

Re: ASA Site to Site VPN , not showing up

any I have no idea why this is showing.. should it not show type in next column IPsec and ACL too?