01-10-2019 04:14 AM
Hi There,
I was troubleshooting an L2L VPN and was putting captures and checking the ACL, and suddenly "show crypto ikev1 sa" does not show the peer MM_Active and details.
Neither is it showing up in ASDM under Monitor for Site-to-Site.
I can see that the object group and the Site-to-Site config are there in ASDM, but what is happening?
01-15-2019 09:19 AM
Here you go:
local public ip 24.32.62.12
remote public ip 185.41.216.7
local ACL ip 192.168.248.0
remote ACL ip 192.168.11.0
Crypto map (lanlab)
Seems to me phase 2 is failing.
01-15-2019 09:23 AM
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload
Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload
What does this mean!! Is there a way I can start to interpret and understand this!!
Secondly:
Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)
Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!
What is a QM FSM error?
01-15-2019 09:25 AM
Here is a good link for you.
01-15-2019 09:29 AM
I am thankful to you.
"Give him food, he will eat one day!!"
"Teach him to make, and he will make food for himself and others!!"
Thank you!! I will go through this doc carefully.
01-15-2019 09:30 AM
:-):-):-):-):-):-):-):-):-)
01-15-2019 09:32 AM
QM FSM Error. The IPsec L2L VPN tunnel does not come up on the firewall or ASA, and the QM FSM error message appears. One possible reason is that the proxy identities, such as interesting traffic, access control list (ACL) or crypto ACL, do not match on both ends.
01-15-2019 09:36 AM
Thank you!! :)
01-16-2019 07:11 AM
Is there a way to just debug one VPN tunnel and not get all the traffic from the other tunnels that are up?
Just the tunnel that is down; is it possible?
01-16-2019 07:17 AM
debug crypto ikev1 127
debug crypto condition peer public-ip
Or you can capture the traffic too:
capture IPSECAP type isakmp interface outside
!
show capture IPSECAP decode
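The two questions above (how to read the QM FSM lines, and how to see only the one peer's debug output instead of all nine tunnels) can be worked through offline on a saved debug dump. The following is an added example, not code from this thread or from Cisco: it parses the ASA IKEv1 line shape shown earlier in the thread, filters by peer IP the way "debug crypto condition peer" does on the box, and tags the lines that matter (QM FSM error, QM timeout history, IPsec SA delete, DPD keepalive) with the interpretation given in the thread. The sample input reuses the log lines posted above plus one constructed line for a second peer; 203.0.113.5 is a documentation placeholder address, and the tag names and explanations are this example's own.

```python
import re
from collections import defaultdict

# Shape of the ASA IKEv1 debug lines posted in this thread:
#   "Jan 15 13:42:55 [IKEv1 DEBUG]Group = <ip>, IP = <ip>, <message>"
#   "Jan 15 13:42:55 [IKEv1]Group = <ip>, IP = <ip>, <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>IKEv1(?: DEBUG)?)\]"
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# Message patterns and the reading a defender would give them. The QM FSM
# interpretation follows the thread: a proxy-identity / crypto ACL mismatch
# is one possible cause. Tag names are this example's own.
FINDINGS = [
    (re.compile(r"IKE QM Initiator FSM error history"), "phase2-timeout-history",
     "Quick Mode waited for message 2 and timed out (EV_TIMEOUT in QM_WAIT_MSG2)"),
    (re.compile(r"QM FSM error"), "phase2-failed",
     "Quick Mode state machine aborted; check that the crypto ACLs match on both ends"),
    (re.compile(r"constructing IPSec delete payload"), "ipsec-sa-deleted",
     "local side is tearing down the IPsec SA"),
    (re.compile(r"DPD R-U-THERE"), "phase1-alive",
     "DPD keepalive exchanged, so the IKEv1 (phase 1) SA itself is up"),
]

# Sample input: lines quoted from the thread for peer 24.32.62.12, plus one
# constructed line for a second peer (203.0.113.5, a placeholder address).
SAMPLE_LINES = [
    "Jan 15 13:42:37 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7441c89b)",
    "Jan 15 13:42:40 [IKEv1 DEBUG]Group = 203.0.113.5, IP = 203.0.113.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x00000001)",  # constructed
    "Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, IKE QM Initiator FSM error history (struct &0x00002aaad680f490) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent",
    "Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, sending delete/delete with reason message",
    "Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing blank hash payload",
    "Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing IPSec delete payload",
    "Jan 15 13:42:55 [IKEv1 DEBUG]Group = 24.32.62.12, IP = 24.32.62.12, constructing qm hash payload",
    "Jan 15 13:42:55 [IKEv1]Group = 24.32.62.12, IP = 24.32.62.12, QM FSM error (P2 struct &0x00002aaad680f490, mess id 0x51fcc798)!",
]


def parse_line(line):
    """Split one debug line into timestamp, level, group, peer IP and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Return (tag, explanation) for a message worth reporting, else None."""
    for pattern, tag, explanation in FINDINGS:
        if pattern.search(msg):
            return tag, explanation
    return None


def analyze(lines, peer=None):
    """Return {peer_ip: [(timestamp, tag, explanation), ...]}.

    When peer is given only that peer's lines are kept, the offline
    equivalent of "debug crypto condition peer <ip>" on a busy ASA.
    """
    report = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or (peer and rec["ip"] != peer):
            continue
        found = classify(rec["msg"])
        if found:
            report[rec["ip"]].append((rec["ts"], found[0], found[1]))
    return dict(report)


def phase2_failed(report, peer):
    """True if the peer's lines contain a QM FSM error (phase 2 failure)."""
    return any(tag == "phase2-failed" for _, tag, _ in report.get(peer, []))


if __name__ == "__main__":
    for ip, events in analyze(SAMPLE_LINES, peer="24.32.62.12").items():
        print(f"peer {ip}: phase 2 failed = {phase2_failed({ip: events}, ip)}")
        for ts, tag, why in events:
            print(f"  {ts}  {tag:24s} {why}")
```

Run it against a saved "debug crypto ikev1 127" dump (one line per list entry) with the down peer's public IP as the filter; a peer that shows phase1-alive together with phase2-failed is exactly the "MM_Active on both sides but no traffic" situation described in the thread, and the next thing to compare is the crypto ACL on each end.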
01-16-2019 07:41 AM
What does "debug crypto condition peer public-ip" do, as the machine is in production?
Secondly, I ran "debug crypto ipsec 127" but it gave a huge dump as I have 9 more tunnels going on!!!
It's a rough patch!!!
The tunnel is MM_Active (both sides) but no traffic is passing....
And if I run debug I get the load from all tunnels!!!
01-16-2019 07:47 AM
Anyway, I have no idea why this is showing.. Should it not show the type in the next column, IPsec and ACL too?