12-29-2009 02:11 PM
Hi All,
I need help in troubleshooting this issue: Site2Site VPN between an ASA 5520 and a Linux box is up as shown:
ciscoasa# sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 82.112.199.148
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 82.88.171.211
access-list outside_1_cryptomap permit ip 10.15.0.0 255.255.0.0 10.57.6.0 255.255.254.0
local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.57.6.0/255.255.254.0/0/0)
current_peer: 82.112.199.148
#pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1181, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 82.88.171.211, remote crypto endpt.: 82.112.199.148
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 08F0DA33
inbound esp sas:
spi: 0x775D8D2C (2002619692)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/746)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x08F0DA33 (150002227)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 12288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914966/746)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
But I get the following error:
ciscoasa# debug crypto isakmp
ciscoasa# Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc86c5b30, mess id 0xdec7ea9b)!
Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!
Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0xdec7ea9b)!
Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!
Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!
Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!
Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!
Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!
Any help would be appreciated.
12-31-2009 05:22 AM
Hi,
The problem was regarding the policy applied by the Linux kernel.
Riccardo