l2tp/ipsec

tarek977
Level 1

Dears,

I have a problem when using the Cisco VPN client to connect to a Cisco 3000 concentrator using L2TP/IPsec.

I receive the following error.

I know where the error is in the log file, but I cannot do anything to resolve it.

I will mark the log in red color.

Can anyone help me?

Where the IP address of the public interface: 100.100.100.100

Client IP address: 100.100.100.100.105

concentrator configuration :

IKE : IKE-3DES-MD5-RSA

SA : ESP-L2TP-TRANSPORT

group name : tamseel

user : cert_user

using certificate

not NATing

-----------------------------------------------------------

concentrator log for the connection

10330 12/10/2003 14:31:20.710 SEV=5 IKE/21 RPT=415 100.100.100.105

No Group found by matching IP Address of Cert peer 100.100.100.105

10331 12/10/2003 14:31:20.710 SEV=5 CERT/106 RPT=24

Group not found for cert peer 100.100.100.105 using group matching rules

10332 12/10/2003 14:31:20.710 SEV=5 IKE/20 RPT=402 100.100.100.105

No Group found by matching OU(s) from ID payload:

Unknown

10333 12/10/2003 14:31:20.960 SEV=5 IKE/79 RPT=411 100.100.100.105

Group [tamseel]

Validation of certificate successful

(CN=tradews205, SN=1EDE62EC00000000000A)

10335 12/10/2003 14:31:27.960 SEV=3 AUTH/5 RPT=42 100.100.100.105

Authentication rejected: Reason = Invalid password

handle = 559, server = Internal, user = cert_user, domain = <not specified>

10337 12/10/2003 14:31:38.060 SEV=4 IKE/52 RPT=35 100.100.100.105

Group [tamseel] User [cert_user]

User (cert_user) authenticated.

10338 12/10/2003 14:31:38.140 SEV=5 IKE/184 RPT=35 100.100.100.105

Group [tamseel] User [cert_user]

Client OS: N/A

Client Application Version: 3.5.4 (Rel)

10340 12/10/2003 14:31:39.200 SEV=4 IKE/119 RPT=383 100.100.100.105

Group [tamseel] User [cert_user]

PHASE 1 COMPLETED

10341 12/10/2003 14:31:39.210 SEV=5 IKE/25 RPT=388 100.100.100.105

Group [tamseel] User [cert_user]

Received remote Proxy Host data in ID Payload:

Address 172.16.2.100, Protocol 0, Port 0

10344 12/10/2003 14:31:39.210 SEV=5 IKE/24 RPT=382 100.100.100.105

Group [tamseel] User [cert_user]

Received local Proxy Host data in ID Payload:

Address 100.100.100.100, Protocol 0, Port 0

10347 12/10/2003 14:31:39.210 SEV=4 IKE/1 RPT=370 100.100.100.105

Group [tamseel] User [cert_user]

Received invalid phase 2 L2TP/IPSec Responder ID payload

Expected ID: Type 1, Proto 17, Port 1701, Addr 100.100.100.100

Received ID: Type 1, Proto 0, Port 0, Addr 100.100.100.100

10351 12/10/2003 14:31:39.210 SEV=4 IKEDBG/0 RPT=372

QM FSM error (P2 struct &0x355fba8, mess id 0x90bcbbd1)!

10352 12/10/2003 14:31:39.210 SEV=4 IKEDBG/65 RPT=489 100.100.100.105

Group [tamseel] User [cert_user]

IKE QM Responder FSM error history (struct &0x355fba8)

<state>, <event>:

QM_DONE, EV_ERROR

QM_BLD_MSG2, EV_NEGO_SA

QM_BLD_MSG2, EV_IS_REKEY

QM_BLD_MSG2, EV_CONFIRM_SA

1 Reply

jsivulka
Level 5

QM FSM stands for Quick Mode Finite State Machine. The encryption process consists of a series of such "finite state machines" and each FSM accepts input from the previous FSM. The QM FSM error is not sufficient to put a finger on the exact problem. You could recheck your configuration and also look for bugs that might be causing this problem. However, another possibility exists if you upgraded your VPN client recently. We started getting similar messages soon after we upgraded but they went away after the first reload. If your VPN is getting established, I guess you could safely ignore the messages.
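Event 10347 (IKE/1) in the log above prints the phase 2 ID the concentrator expected next to the one it received. The following is an added example, not part of the original thread or any Cisco tool: it groups such log lines into events and reports which ID fields differ (protocol 17 is UDP, and port 1701 is the L2TP port). The function names are hypothetical, and the line layout is assumed to match the log as posted.

```python
import re

# Sample copied from the log in the question (events 10347 and 10351), blank lines dropped.
SAMPLE_LOG = """\
10347 12/10/2003 14:31:39.210 SEV=4 IKE/1 RPT=370 100.100.100.105
Group [tamseel] User [cert_user]
Received invalid phase 2 L2TP/IPSec Responder ID payload
Expected ID: Type 1, Proto 17, Port 1701, Addr 100.100.100.100
Received ID: Type 1, Proto 0, Port 0, Addr 100.100.100.100
10351 12/10/2003 14:31:39.210 SEV=4 IKEDBG/0 RPT=372
QM FSM error (P2 struct &0x355fba8, mess id 0x90bcbbd1)!
"""

# Event header: sequence, date, time, SEV=n, class/number, RPT=n, optional peer IP.
HEADER = re.compile(r"^(\d+) (\S+) (\S+) SEV=(\d+) (\S+/\d+) RPT=(\d+)(?: (\S+))?$")
ID_LINE = re.compile(r"^(Expected|Received) ID: Type (\d+), Proto (\d+), Port (\d+), Addr (\S+)$")

def split_events(text):
    """Group the log into events: one header line plus the body lines that follow it."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue  # the forum rendering puts blank lines between log lines
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m.group(1)), "event": m.group(5), "peer": m.group(7), "body": []})
        elif events:
            events[-1]["body"].append(line)
    return events

def id_mismatches(text):
    """For each event carrying both ID lines, return the fields where received != expected."""
    results = []
    for ev in split_events(text):
        ids = {}
        for line in ev["body"]:
            m = ID_LINE.match(line)
            if m:
                ids[m.group(1)] = dict(zip(("type", "proto", "port", "addr"), m.groups()[1:]))
        if "Expected" in ids and "Received" in ids:
            diff = {k: (ids["Expected"][k], ids["Received"][k])
                    for k in ids["Expected"] if ids["Expected"][k] != ids["Received"][k]}
            results.append({"seq": ev["seq"], "event": ev["event"], "peer": ev["peer"], "diff": diff})
    return results

if __name__ == "__main__":
    for r in id_mismatches(SAMPLE_LOG):
        print(r)
```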