ASDM Error Logs on VPN Tunnel

Eduard A.
Level 1

What could cause the following errors? This is what happens before I see this:

I turn on my remote computer internet

I connect to cisco anyconnect

I start to ping subnets on the other side of an S2S vpn

Pings start to fail. I log in to the ASDM (this ASDM is my RA server) and then I see these errors:

5: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x00007f7e0a9ce9a0, mess id 0xf58c1685)!
4: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
3: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= CMAP_1.
2: Map Sequence Number = 40.
1: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x00007f7e0ac18e00, mess id 0xab416e0c)!

Weirdly enough, after 3 minutes the tunnel is up and running with no problems.

4 Replies

You need to get debug crypto isa from the cli to see what happens when it
fails.

**** please remember to rate useful posts

Hi Mohammed, appreciate your reply. I am completely lost on this one. I have been troubleshooting it for weeks now and have posted in this community a couple of times. The scenario is: if clear crypto isakmp sa is issued, the whole HUB and SPOKE VPN traffic acts as expected, not a single problem at all. But if the tunnel is left idle for some time, communication on SPOKE3 becomes one-way; no one can communicate with it until SPOKE3 initiates the traffic, and this is the only way PHASE 2 becomes completed again. I have read 50 or more articles about this now and tried every solution stated, to no avail. I would prefer the VPN not working at all than working while having this issue, please help. Attached are our ASA versions and topology, and here are the logs of debug crypto ikev1 127 on the HUB when the tunnel is left idle and a ping from the internal network of SPOKE1 is issued to the internal network of SPOKE3. It's always like that after all the adjustments I tried:

Apr 13 07:25:42 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Initiator: New Phase 2, Intf OUTSIDE_1, IKE Peer (SPK3 public IP) local Proxy Address 10.10.7.0, remote Proxy Address 10.30.10.0, Crypto map (CMAP_1)
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), Oakley begin quick mode
Apr 13 07:25:42 [IKEv1 DECODE]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Initiator starting QM: msg id = a44f8b3e
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE got SPI from key engine: SPI = 0xdf1156ab
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), oakley constructing quick mode
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing blank hash payload
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing IPSec SA payload
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing IPSec nonce payload
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing proxy ID
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), Transmitting Proxy Id:
Local subnet: 10.10.7.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.30.10.0 Mask 255.255.255.0 Protocol 0 Port 0
Apr 13 07:25:42 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing qm hash payload
Apr 13 07:25:42 [IKEv1 DECODE]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Initiator sending 1st QM pkt: msg id = a44f8b3e
Apr 13 07:25:42 [IKEv1]IP = (SPK3 public IP), IKE_DECODE SENDING Message (msgid=a44f8b3e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), Pitcher: received key delete msg, spi 0x5dfb282c
Apr 13 07:25:55 [IKEv1]Group = (SPK1 public IP), IP = (SPK1 public IP), Connection terminated for peer (SPK1 public IP). Reason: IPSec SA Idle Timeout Remote Proxy 10.10.0.0, Local Proxy 10.10.38.0
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), sending delete/delete with reason message
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), constructing blank hash payload
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), constructing IPSec delete payload
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), constructing qm hash payload
Apr 13 07:25:55 [IKEv1]IP = (SPK1 public IP), IKE_DECODE SENDING Message (msgid=308b10dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), Active unit receives a delete event for remote peer (SPK1 public IP).

Apr 13 07:25:55 [IKEv1 DEBUG]Group = (SPK1 public IP), IP = (SPK1 public IP), IKE Deleting SA: Remote Proxy 10.10.38.0, Local Proxy 10.10.0.0
Apr 13 07:25:55 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x5dfb282c
Apr 13 07:25:59 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), QM FSM error (P2 struct &0x00007f7e0b52cf80, mess id 0x9e83612)!
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE QM Initiator FSM error history (struct &0x00007f7e0b52cf80) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), sending delete/delete with reason message
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing blank hash payload
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing IPSec delete payload
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing qm hash payload
Apr 13 07:25:59 [IKEv1]IP = (SPK3 public IP), IKE_DECODE SENDING Message (msgid=dbb6f619) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 13 07:25:59 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Deleting SA: Remote Proxy 192.168.185.0, Local Proxy 10.10.32.0
Apr 13 07:25:59 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), Removing peer from correlator table failed, no match!
Apr 13 07:25:59 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xa467bdff
Apr 13 07:26:14 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), QM FSM error (P2 struct &0x00007f7e0c5baa10, mess id 0xa44f8b3e)!
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE QM Initiator FSM error history (struct &0x00007f7e0c5baa10) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), sending delete/delete with reason message
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing blank hash payload
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing IPSec delete payload
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), constructing qm hash payload
Apr 13 07:26:14 [IKEv1]IP = (SPK3 public IP), IKE_DECODE SENDING Message (msgid=d7eb7703) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 13 07:26:14 [IKEv1 DEBUG]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Deleting SA: Remote Proxy 10.30.10.0, Local Proxy 10.10.7.0
Apr 13 07:26:14 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), Removing peer from correlator table failed, no match!
Apr 13 07:26:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdf1156ab
Apr 13 07:26:20 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0

 

Thanks!

It seems that your peer isn't sending a response to QM message 1. Check the
messages on the peer.

That brings me to another question, I am not seeing logs on the FTD Spokes after issuing the debug crypto ikev1 127 command, any thoughts?
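
Added example, not part of the thread and not Cisco tooling: a small Python correlator for the hub debug output quoted above. It matches each `QM FSM error` to the first Quick Mode packet with the same message id and reports how long the hub waited and whether any message with that id came back from the peer. The `IKE_DECODE RECEIVED Message` pattern and the year 2000 used for timestamp parsing are assumptions; the sample lines are copied from the log posted in the thread.

```python
import re
from datetime import datetime

# Four lines copied from the hub debug output in the thread (peer placeholders as posted).
SAMPLE = """\
Apr 13 07:25:42 [IKEv1 DECODE]Group = (SPK3 public IP), IP = (SPK3 public IP), IKE Initiator sending 1st QM pkt: msg id = a44f8b3e
Apr 13 07:25:42 [IKEv1]IP = (SPK3 public IP), IKE_DECODE SENDING Message (msgid=a44f8b3e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Apr 13 07:25:59 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), QM FSM error (P2 struct &0x00007f7e0b52cf80, mess id 0x9e83612)!
Apr 13 07:26:14 [IKEv1]Group = (SPK3 public IP), IP = (SPK3 public IP), QM FSM error (P2 struct &0x00007f7e0c5baa10, mess id 0xa44f8b3e)!
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
SENT = re.compile(r"IKE Initiator sending 1st QM pkt: msg id = ([0-9a-fA-F]+)")
# Assumption: inbound packets are logged in the same style as the SENDING lines.
RECV = re.compile(r"IKE_DECODE RECEIVED Message \(msgid=([0-9a-fA-F]+)\)")
FAIL = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-fA-F]+, mess id 0x([0-9a-fA-F]+)\)")


def qm_failures(log_text):
    """Return one dict per 'QM FSM error' line, correlated by message id."""
    sent, answered, out = {}, set(), []
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # continuation lines (proxy IDs) carry no timestamp
        # Debug timestamps carry no year; 2000 is an arbitrary leap year (assumption).
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        if (s := SENT.search(line)):
            sent[int(s.group(1), 16)] = ts
        elif (r := RECV.search(line)):
            answered.add(int(r.group(1), 16))
        elif (f := FAIL.search(line)):
            # Ids are compared as integers: the log drops leading zeros (0x9e83612).
            mid = int(f.group(1), 16)
            start = sent.get(mid)
            out.append({
                "msg_id": f"{mid:08x}",
                # None means the exchange began before the captured window.
                "waited_s": None if start is None else int((ts - start).total_seconds()),
                "peer_replied": mid in answered,
            })
    return out


if __name__ == "__main__":
    for row in qm_failures(SAMPLE):
        print(row)
```
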