03-09-2012 12:43 AM
Hello to all,
We are facing an issue on a new L2L VPN connection between an ASA 5005 and an 1841 router.
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address aaa.aaa.aaa.aaa
crypto ipsec transform-set $$$_$$$$$ esp-3des esp-md5-hmac
crypto map BG 100 ipsec-isakmp
set peer aaa.aaa.aaa.aaa
set security-association lifetime seconds 28800
set transform-set $$$_$$$$$
set pfs group 2
match address 111
interface FastEthernet0/0.2
encapsulation dot1Q 3338
ip address aaa.aaa.aaa.aaa 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map BG 100
ip nat pool nat_pool xx.xx.xx.xx xx.xx.xx.xx prefix-length 29
# NOTE: 10.70.200.0/24 is correctly exempted from the above NAT translation
access-list 101 deny ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
# NOTE: crypto ACL is correct
access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100
I will appreciate any urgent help.
Thank you.
03-09-2012 07:12 AM
Your crypto ACLs should be exact mirrors of each other.
If your router ACL is
access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100
then your ASA ACL should be
access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.200.0 255.255.255.0
Give that a shot and see if it helps.
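To illustrate the mirroring rule above, here is an added example (not code from the thread or from Cisco) that parses the router's crypto ACE, converts the IOS wildcard mask to the subnet-mask form the ASA uses, swaps source and destination, and checks whether two ACEs really are mirrors. The ACE strings and the ACL name outside_cryptomap_320 are taken from the thread; only permit ip ACEs are handled.

```python
import ipaddress

# Sample input constructed from the thread (the router side of the tunnel).
ROUTER_ACE = "access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100"


def _mask_to_prefix(mask_str, wildcard):
    """Turn an IOS wildcard (wildcard=True) or an ASA subnet mask into a prefix length."""
    m = int(ipaddress.IPv4Address(mask_str))
    if wildcard:
        m ^= 0xFFFFFFFF  # IOS wildcard bits are the inverse of the subnet mask
    inv = m ^ 0xFFFFFFFF
    if inv & (inv + 1):  # a valid mask inverts to 2**k - 1; anything else is non-contiguous
        raise ValueError(f"non-contiguous mask {mask_str}")
    return bin(m).count("1")


def _parse_endpoint(tokens, wildcard):
    """Consume 'host A', 'any' or 'A MASK'; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    prefix = _mask_to_prefix(tokens[1], wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}"), tokens[2:]


def parse_ace(line, platform):
    """Parse a 'permit ip' ACE; platform is 'ios' (wildcard masks) or 'asa' (subnet masks)."""
    toks = line.split()
    toks = toks[toks.index("extended") + 1:] if platform == "asa" else toks[2:]
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' ACEs are supported: {line}")
    src, rest = _parse_endpoint(toks[2:], platform == "ios")
    dst, rest = _parse_endpoint(rest, platform == "ios")
    if rest:
        raise ValueError(f"unexpected trailing tokens {rest}")
    return src, dst


def _fmt_asa(net):
    """Render a network in ASA ACL syntax (host X / any / X MASK)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"


def mirror_for_asa(router_ace, acl_name):
    """Build the ASA ACE that mirrors an IOS crypto ACE (swap ends, use subnet masks)."""
    src, dst = parse_ace(router_ace, "ios")
    return f"access-list {acl_name} extended permit ip {_fmt_asa(dst)} {_fmt_asa(src)}"


def is_mirror(router_ace, asa_ace):
    """True when both ACEs select the same traffic seen from opposite ends of the tunnel."""
    r_src, r_dst = parse_ace(router_ace, "ios")
    a_src, a_dst = parse_ace(asa_ace, "asa")
    return (r_src, r_dst) == (a_dst, a_src)
```

Running mirror_for_asa(ROUTER_ACE, "outside_cryptomap_320") reproduces the ASA line given in the answer; is_mirror flags proxy-ID mismatches such as a /16 on one side against a /24 on the other.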
03-09-2012 07:37 AM
Hi acomiskey,
Thanks for this valuable information.