Site to Site VPN (ASA & 1801 router)

aconticisco
Level 2

Hi,

From the ASA logs I am seeing:   [IKEv1] Received encrypted packet with no matching SA, dropping

On which phase is the issue, and what could be the cause? (I have checked/confirmed that the transform-set matches on both sides.)

Thanks

7 Replies

MANI .P
Level 1

Can you check phase 2? If your tunnel is established and the encrypted packets don't match, you need to check the ACL; both sides should be the same.

so ACL should be reversed on other side correct?

yes .. 

Hope that helps! If so, please rate.

no luck....

Nov 14 04:49:57 [IKEv1]IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=d4872899) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
%ASA-3-713902: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0xcb97ad80, mess id 0xd4872899)!
%ASA-3-713902: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 10.
%ASA-4-113019: Group = xx.xx.xx.xx, Username = xx.xx.xx.xx, IP = xx.xx.xx.xx, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0xcb97ad80, mess id 0xd4872899)!
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, IKE QM Initiator FSM error history (struct &0xcb97ad80) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, sending delete/delete with reason message
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing blank hash payload
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing IPSec delete payload
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing qm hash payload
Nov 14 04:50:29 [IKEv1]IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=88053c7) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, IKE Deleting SA: Remote Proxy 192.168.4.0, Local Proxy 192.168.10.0
Nov 14 04:50:29 [IKEv1]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, IKE SA MM:00457b3e rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, IKE SA MM:00457b3e terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, sending delete/delete with reason message
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing blank hash payload
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing IKE delete payload
Nov 14 04:50:29 [IKEv1 DEBUG]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, constructing qm hash payload
Nov 14 04:50:29 [IKEv1]IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=321b1c8a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 14 04:50:29 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xedaa416c
Nov 14 04:50:29 [IKEv1]Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Session is being torn down. Reason: Lost Service
Nov 14 04:50:29 [IKEv1]Ignoring msg to mark SA with dsID 90112 dead because SA deleted
Nov 14 04:50:29 [IKEv1]IP = xx.xx.xx.xx, Received encrypted packet with no matching SA, dropping

ACL on ASA:

access-list VPN-TRAFFIC; 2 elements; name hash: 0xb42654bc
access-list VPN-TRAFFIC line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.4.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0xe9319033
access-list VPN-TRAFFIC line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0 log informational interval 300 (hitcnt=176) 0x73d7acbc

ACL on 1801 router:

Extended IP access list asa-router-vpn
10 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255 (18 matches)

While generating interesting traffic on the ASA I temporarily have:

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: xx.xx.xx.xx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
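The two crypto ACLs above are written in different notations (ASA "show access-list" output uses subnet masks, IOS "show ip access-lists" output uses wildcard masks), which makes eyeballing the mirror-image requirement error-prone. The script below is an added example, not part of this thread; it parses both formats exactly as pasted above (the sample text is copied from the post) and reports any entry whose exact reverse (dst, src) is missing on the peer. The helper names are my own.

```python
import ipaddress
import re

# Sample ACL output in the two formats shown in the thread (constructed from the post).
ASA_ACL = """
access-list VPN-TRAFFIC line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.4.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0xe9319033
access-list VPN-TRAFFIC line 2 extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0 log informational interval 300 (hitcnt=176) 0x73d7acbc
"""
IOS_ACL = """
Extended IP access list asa-router-vpn
10 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.4.0 0.0.0.255 192.168.20.0 0.0.0.255 (18 matches)
"""

# ASA lines carry "addr netmask addr netmask"; IOS lines carry "addr wildcard addr wildcard".
ASA_RE = re.compile(r"extended permit ip (\S+) (\S+) (\S+) (\S+)")
IOS_RE = re.compile(r"^\s*\d+ permit ip (\S+) (\S+) (\S+) (\S+)", re.M)


def asa_entries(text):
    """Set of (src_net, dst_net) from ASA crypto ACL lines (netmask notation)."""
    return {(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in ASA_RE.findall(text)}


def wildcard_to_network(addr, wildcard):
    """An IOS wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> /24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}")


def ios_entries(text):
    """Set of (src_net, dst_net) from IOS extended ACL lines (wildcard notation)."""
    return {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in IOS_RE.findall(text)}


def mirror_mismatches(asa_text, ios_text):
    """Return (ASA entries with no mirror on IOS, IOS entries with no mirror on ASA)."""
    asa, ios = asa_entries(asa_text), ios_entries(ios_text)
    missing_on_ios = {e for e in asa if (e[1], e[0]) not in ios}
    missing_on_asa = {e for e in ios if (e[1], e[0]) not in asa}
    return missing_on_ios, missing_on_asa


if __name__ == "__main__":
    no_ios, no_asa = mirror_mismatches(ASA_ACL, IOS_ACL)
    print("ASA entries not mirrored on router:", no_ios or "none")
    print("Router entries not mirrored on ASA:", no_asa or "none")
```

For the ACLs in this thread both sets come back empty, which is consistent with the poster's conclusion that the proxy identities were not the problem.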

Hi,

As per the logs it seems a Phase 2 error:

%ASA-3-713902: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0xcb97ad80, mess id 0xd4872899)!

Please ensure that both the peers have identical Phase 2 policies and also the crypto ACL on both the ends match.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Both the crypto ACL (pasted earlier) and Phase 2 below seem to match (I temporarily tried with esp-3des below instead of aes, but still in vain).

ASA

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address VPN-TRAFFIC
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
ikev1 pre-shared-key *****

----------------------------------------------------------------------------------------------

1801

crypto ipsec transform-set ESP-AES-SHA esp-3des esp-sha-hmac

crypto map clientmap 3 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ESP-AES-SHA
match address asa-router-vpn

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp key ipsec address xx.xx.xx.xx

OK, I identified the issue: it is related to multiple crypto maps applied to the same dialer 1 interface.

How can I apply multiple crypto maps on the same interface? I need to allow both remote-access VPN users and a site-to-site VPN on the same interface, but both have different configurations and I do not want them to conflict.

Thanks
