I am also having trouble with a site to site VPN (ASA 5505 - ASA 5510)

ronaldwillome
Level 1

I have one side of the config available to me, but the problem we are having is an error that continues to pop up:

May 12 03:49:36 [IKEv1]: Group = 163.164.224.23, IP = 163.164.224.23, QM FSM error (P2 struct &0xc95963a0, mess id 0xedb82b5d)!

May 12 03:49:36 [IKEv1]: Group = 163.164.224.23, IP = 163.164.224.23, Removing peer from correlator table failed, no match!

We are not running PFS, and since we both have ASA, we have the identity set to the IP addresses.

We've also cleared out the crypto isakmp sa then tried to bring up the connection.

We are also only doing static peers so this is not the issue either.

The only other thing we can confirm is that neither one of us can figure this out.

Any thoughts on where to start? We've been through our configs several times and we don't see a difference.

The only thing different between us is that I have an ASA 5505 and he has an ASA 5510.

We have it configured for one customer, while they have multiple customers on theirs.

Any advice would be most appreciated.

Also, if you require the configuration, please let me know and I will attach it to the post.

Thank you

2 Replies

Hi,

Please post the configuration on both sites.

Toshi

craig bache
Level 1

Hi

One possible reason is that the proxy identities, such as interesting traffic, access control list (ACL) or crypto ACL, do not match on both ends. Check the configuration on both devices, and make sure that the crypto ACLs match.

Another possible reason is mismatching of the transform set parameters. Make sure that at both ends, VPN gateways use the same transform set with the exact same parameters.

Regards
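
The two checks suggested in the reply above, as an added example that is not part of the original thread: a Python script that compares two ASA configurations and reports crypto ACL entries that are not mirror images of each other and the absence of a transform set with identical parameters. The sample configurations, names and addresses are constructed, and the parser assumes crypto ACL entries written in `network mask network mask` form.

```python
import re

# Constructed sample configs (not from the thread). Site B's crypto ACL is not a
# mirror image of site A's, and its transform set uses a different cipher.
SITE_A = """\
access-list VPN_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set TSET esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set transform-set TSET
"""
SITE_B = """\
access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map CMAP 20 match address L2L
crypto map CMAP 20 set transform-set MYSET
"""

def parse(cfg):
    """Return (proxy identities, transform parameter sets) bound to crypto maps."""
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    sets = {n for m in re.findall(
        r"^crypto map \S+ \d+ set (?:ikev1 )?transform-set (.+)$", cfg, re.M)
        for n in m.split()}
    proxies = set()
    for name, proto, rest in re.findall(
            r"^access-list (\S+) extended permit (\S+) (.+)$", cfg, re.M):
        t = rest.split()
        if name in acls and len(t) >= 4:  # assumes "net mask net mask" entries only
            proxies.add((proto, f"{t[0]}/{t[1]}", f"{t[2]}/{t[3]}"))
    transforms = {frozenset(params.split()) for name, params in re.findall(
        r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (esp-.+)$", cfg, re.M)
        if name in sets}
    return proxies, transforms

def compare(cfg_a, cfg_b):
    """List the phase 2 mismatches between two peers; empty list means none found."""
    (prox_a, ts_a), (prox_b, ts_b) = parse(cfg_a), parse(cfg_b)
    # Peer B's ACL must be A's with source and destination swapped.
    mirrored_b = {(proto, dst, src) for proto, src, dst in prox_b}
    problems = [f"crypto ACL entry {p} has no mirror on the other peer"
                for p in sorted(prox_a ^ mirrored_b)]
    if not ts_a & ts_b:
        problems.append("no transform set with identical parameters on both peers")
    return problems

if __name__ == "__main__":
    for line in compare(SITE_A, SITE_B):
        print(line)
```

Entries from peer B are reported in mirrored form, so each line can be compared directly against peer A's ACL.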