IPSEC VPN on ASA 8.0(2) request timed out

Aug 29th, 2007

I need help identifying what this warning message in my ASA logs says and what I would need to do in order to correct this problem. I currently have an ASA firewall terminating my end of the VPN tunnel and a Multitech Firewall at my remote network. Below are the log entries from my ASA firewall:


3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Removing peer from correlator table failed, no match!

3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd575b350, mess id 0x103cc666)!

3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Removing peer from correlator table failed, no match!

3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd572e928, mess id 0x64598150)!

3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd57589a0, mess id 0xd837eb84)!

3|Aug 29 2007|14:43:43|713122|||IP = 207.224.xxx.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)

3|Aug 29 2007|14:43:43|713119|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, PHASE 1 COMPLETED

4|Aug 29 2007|14:43:43|713903|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Freeing previously allocated memory for authorization-dn-attributes

4|Aug 29 2007|14:43:42|113019|||Group = 207.224.xxx.xxx, Username = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

07|14:43:33|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Removing peer from correlator table failed, no match!

3|Aug 29 2007|14:43:33|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd575aad8, mess id 0x4b2a62df)!

3|Aug 29 2007|14:43:33|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Removing peer from correlator table failed, no match!


I've also noticed a "Request timed out" when I constantly ping a host in the remote network, and this normally happens during this part of the log below:


3|Aug 29 2007|14:44:08|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd57589a0, mess id 0xd837eb84)!

3|Aug 29 2007|14:43:43|713122|||IP = 207.224.xxx.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)

3|Aug 29 2007|14:43:43|713119|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, PHASE 1 COMPLETED

4|Aug 29 2007|14:43:43|713903|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Freeing previously allocated memory for authorization-dn-attributes

4|Aug 29 2007|14:43:42|113019|||Group = 207.224.xxx.xxx, Username = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3|Aug 29 2007|14:43:42|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, Removing peer from correlator table failed, no match!

3|Aug 29 2007|14:43:42|713902|||Group = 207.224.xxx.xxx, IP = 207.224.xxx.xxx, QM FSM error (P2 struct &0xd5663e58, mess id 0x3051851)!

3|Aug 29 2007|14:43:41|713122|||IP = 207.224.xxx.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)



****************************


Reply from 192.168.105.xxx: bytes=32 time=339ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=332ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=326ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=325ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=331ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=324ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=334ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=339ms TTL=63

Request timed out.

Request timed out.

Reply from 192.168.105.xxx: bytes=32 time=347ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=337ms TTL=63

Reply from 192.168.105.xxx: bytes=32 time=338ms TTL=63

mattiaseriksson Wed, 08/29/2007 - 08:06

Do you have a dynamic crypto-map attached to the crypto map on the ASA? Then check that the sequence number is higher for the dynamic crypto-map.


The Keep-alives messages should not be an issue.

brianbono Thu, 08/30/2007 - 04:49

Anyways, thanks for the help mattiaseriksson :)


I just took the:

crypto map outside_map 1 set pfs


and it finally worked :)
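
An added example, not part of the posts above: a small Python triage script for logs in the pipe-delimited layout quoted in this thread. It counts, per peer, how often Phase 1 completes (713119) while quick mode errors (713902) or "Phase 2 Mismatch" disconnects (113019) appear; the sample lines and the peer address 203.0.113.10 are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout quoted in the thread
# (severity|date|time|message-id|||text), newest entry first.
SAMPLE = """\
3|Aug 29 2007|14:44:08|713902|||Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0xd57589a0, mess id 0xd837eb84)!
3|Aug 29 2007|14:43:43|713119|||Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
4|Aug 29 2007|14:43:42|113019|||Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3|Aug 29 2007|14:43:42|713902|||Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0xd5663e58, mess id 0x3051851)!
garbled line without the expected fields
"""

LINE = re.compile(r"^(\d)\|(\w{3} \d{1,2} \d{4})\|(\d\d:\d\d:\d\d)\|(\d+)\|\|\|(.*)$")
PEER = re.compile(r"\bIP = ([^,\s]+)")

def parse(text):
    """Return (timestamp, msg_id, peer, message) tuples, oldest first; skip malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        peer = PEER.search(m.group(5)) if m else None
        if not peer:
            continue
        ts = datetime.strptime(f"{m.group(2)} {m.group(3)}", "%b %d %Y %H:%M:%S")
        events.append((ts, m.group(4), peer.group(1), m.group(5)))
    # Input is newest first: reverse, then stable-sort so same-second entries stay in order.
    return sorted(events[::-1], key=lambda e: e[0])

def summarize(text):
    """Per peer: count Phase 1 completions, quick-mode errors and Phase 2 mismatch teardowns."""
    stats = defaultdict(lambda: {"phase1_ok": 0, "qm_errors": 0, "p2_mismatch": 0})
    for _, msg_id, peer, msg in parse(text):
        if msg_id == "713119" and "PHASE 1 COMPLETED" in msg:
            stats[peer]["phase1_ok"] += 1
        elif msg_id == "713902" and "QM FSM error" in msg:
            stats[peer]["qm_errors"] += 1
        elif msg_id == "113019" and "Reason: Phase 2 Mismatch" in msg:
            stats[peer]["p2_mismatch"] += 1
    return dict(stats)

def phase2_suspects(text):
    """Peers where IKE Phase 1 succeeds but Phase 2 negotiation keeps failing."""
    return sorted(p for p, s in summarize(text).items()
                  if s["phase1_ok"] and (s["qm_errors"] or s["p2_mismatch"]))

if __name__ == "__main__":
    print("Compare Phase 2 settings with the remote end for:", phase2_suspects(SAMPLE))
```

A peer listed by `phase2_suspects` authenticates successfully in Phase 1, so the place to compare the two ends is the Phase 2 (crypto map) configuration, which is where this thread ended up.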
