Solved: Site to Site and Remote Access VPN together on ASA 5505

rubendehaas · ‎11-09-2010

Hi,

I've tried to set up a new Site to Site VPN on a ASA5505 where there was already a Remote Access VPN on it.

After adding the new configuration lines I got the follwoing message when I debug:

Nov 04 07:06:06 [IKEv1]: Group = <OUTSIDE IP ADDRESS OF OTHER SIDE TUNNEL>, IP = <OUTSIDE IP ADDRESS OF OTHER SIDE TUNNEL>, QM FSM error (P2 struct &0xd91a4d10, mess id 0xeac05ec0)!

Nov 04 07:04:36 [IKEv1]: Group = <OUTSIDE IP ADDRESS OF OTHER SIDE TUNNEL>, IP = <OUTSIDE IP ADDRESS OF OTHER SIDE TUNNEL>, Removing peer from correlator table failed, no match!

Does anybody know what is wrong? And what to change in the config?

Thanks in advance,

Ruben

System Engineer at Conscia Nederland: www.conscia.com/nl/

Federico Coto Fajardo · ‎11-09-2010

Hi,

If the ASA had a Remote Access VPN and you're adding a new Site-to-Site you need to make sure that the priority for the crypto map is lower for the new added Site-to-Site.This is because otherwise the traffic will always try to match the remote-access tunnel.You can verify this with the command ''sh run cry map''

Federico.

View solution in original post

Federico Coto Fajardo · ‎11-09-2010

Hi,

If the ASA had a Remote Access VPN and you're adding a new Site-to-Site you need to make sure that the priority for the crypto map is lower for the new added Site-to-Site.This is because otherwise the traffic will always try to match the remote-access tunnel.You can verify this with the command ''sh run cry map''

Federico.