
Site2Site between ASA & Linux Racoon

riccardo-patti
Level 1

Hi All,

I need help in troubleshooting this issue: the Site2Site VPN between an ASA 5520 and a Linux box is up, as shown:

ciscoasa# sh crypto isa sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 82.112.199.148

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 82.88.171.211

      access-list outside_1_cryptomap permit ip 10.15.0.0 255.255.0.0 10.57.6.0 255.255.254.0

      local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.57.6.0/255.255.254.0/0/0)

      current_peer: 82.112.199.148

      #pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1181, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 82.88.171.211, remote crypto endpt.: 82.112.199.148

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 08F0DA33

    inbound esp sas:

      spi: 0x775D8D2C (2002619692)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/746)

         IV size: 8 bytes

         replay detection support: Y

Anti replay bitmap:

        0x00000000 0x00000001

    outbound esp sas:

      spi: 0x08F0DA33 (150002227)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914966/746)

         IV size: 8 bytes

         replay detection support: Y

Anti replay bitmap:

        0x00000000 0x00000001

but I get the following error:

ciscoasa# debug crypto isakmp

ciscoasa# Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc86c5b30, mess id 0xdec7ea9b)!

Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0xdec7ea9b)!

Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!

Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!

Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Any help would be appreciated.

1 Reply

riccardo-patti
Level 1

Hi,

The problem was regarding the policy applied by the Linux kernel.

Riccardo
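
An added example, not part of the thread: a check for the symptom in the output above (encaps counting up, decaps at 0) that also compares the ASA's proxy identities against the Linux peer's kernel policies. The reply does not say what was wrong with the policy; the mismatched /24 selectors in the constructed `ip xfrm policy` sample are an assumption used only for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the `sh crypto ipsec sa` output in the post.
ASA_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.57.6.0/255.255.254.0/0/0)
      #pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample of `ip xfrm policy` on the Linux peer (assumed, not from the
# thread); the /24 is a deliberate mismatch with the ASA's 255.255.254.0 mask.
XFRM_OUTPUT = """\
src 10.57.6.0/24 dst 10.15.0.0/16
    dir out priority 0
src 10.15.0.0/16 dst 10.57.6.0/24
    dir in priority 0
"""

def parse_asa(text):
    """Return (local_net, remote_net, encaps, decaps) from ASA SA output."""
    def ident(side):
        m = re.search(rf"{side} ident .*?: \(([\d.]+)/([\d.]+)/", text)
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    encaps = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return ident("local"), ident("remote"), encaps, decaps

def parse_xfrm(text):
    """Return {(src_net, dst_net, direction)} from `ip xfrm policy` output."""
    pat = re.compile(r"src (\S+) dst (\S+)\s+dir (\w+)")
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d), direction)
            for s, d, direction in pat.findall(text)}

def diagnose(asa_text, xfrm_text):
    local, remote, encaps, decaps = parse_asa(asa_text)
    findings = []
    if encaps > 0 and decaps == 0:
        findings.append("one-way SA: ASA encrypts but never decrypts")
    # The Linux selectors must mirror the ASA's idents (fwd policies not checked).
    expected = {(remote, local, "out"), (local, remote, "in")}
    for src, dst, direction in sorted(expected - parse_xfrm(xfrm_text), key=str):
        findings.append(f"missing kernel policy: src {src} dst {dst} dir {direction}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(ASA_OUTPUT, XFRM_OUTPUT)))
```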
