ASA to Astaro Security gateway

Jan 10th, 2008

Guys,

Hope you can help. I am getting this error:

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xb8b49538)!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

That's all it does, no phase one negotiation or anything. I have checked the config with the other party over and over again but they just won't talk.

Any ideas what the error means?


config

we have matching access lists at each end

crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac
crypto dynamic-map rtpdynmap 20 set transform-set optset
crypto map optmap 10 match address VPNGermany_Access
crypto map optmap 10 set peer 213.XXX.XXX.XXX
crypto map optmap 10 set transform-set optaes
crypto map optmap 10 set security-association lifetime seconds 86400

crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400

tunnel-group 213.XXX.XXX.XXX type ipsec-l2l
tunnel-group 213.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *

cheers

Paul

Jon Marshall Thu, 01/10/2008 - 13:27

Hi

QM = Quick Mode = Phase 2.

Phase 1 is either Main Mode or Aggressive Mode.

So by the fact it is getting to QM, that suggests phase 1 is working. What do you see if you do a "sh crypto isa sa" on the ASA?

Can you check the phase 2 settings to ensure they match, i.e.

1) Check your crypto map access-list and make sure that the local and remote subnets you have on your ASA match the Astaro local and remote subnets.

2) Explicitly set PFS in phase 2 and get them to do the same on the Astaro firewall.

HTH

Jon
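As an added example, not part of Jon's reply or anything from the original thread, here is a small Python checker for the Phase 2 items Jon lists: the crypto ACL proxy IDs must mirror each other exactly, and PFS, encryption and hash must agree. The subnets and the Astaro-side values below are constructed sample data, not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Side:
    """One peer's IPsec (IKEv1 Phase 2 / Quick Mode) parameters."""
    name: str
    local: str                # crypto ACL source network (this side's subnet)
    remote: str               # crypto ACL destination network (far side's subnet)
    encryption: str           # e.g. "aes-256"
    integrity: str            # e.g. "md5"
    pfs_group: Optional[int]  # Diffie-Hellman group for PFS, None = PFS off
    lifetime: int             # IPsec SA lifetime in seconds


def compare_phase2(a: Phase2Side, b: Phase2Side) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are mismatches that stall Quick Mode;
    warnings are differences that are normally negotiated down and tolerated."""
    errors, warnings = [], []
    # Proxy IDs must mirror exactly: A's local == B's remote and vice versa.
    # A supernet on one side (e.g. /16 vs /24) is a mismatch, not a superset.
    for mine, theirs, label in ((a.local, b.remote, "local"),
                                (a.remote, b.local, "remote")):
        if ipaddress.ip_network(mine, strict=False) != ipaddress.ip_network(theirs, strict=False):
            errors.append(f"{a.name} {label} {mine} does not mirror {b.name} {theirs}")
    if a.encryption != b.encryption:
        errors.append(f"encryption mismatch: {a.name}={a.encryption}, {b.name}={b.encryption}")
    if a.integrity != b.integrity:
        errors.append(f"integrity mismatch: {a.name}={a.integrity}, {b.name}={b.integrity}")
    if a.pfs_group != b.pfs_group:
        errors.append(f"PFS mismatch: {a.name}={a.pfs_group}, {b.name}={b.pfs_group}")
    if a.lifetime != b.lifetime:
        warnings.append(f"lifetime differs: {a.name}={a.lifetime}s, {b.name}={b.lifetime}s")
    return errors, warnings


# Constructed sample values: the ASA side mirrors the transform set "optaes"
# (esp-aes-256 esp-md5-hmac), PFS off, 86400 s lifetime. Subnets are invented.
ASA = Phase2Side("ASA", "192.0.2.0/24", "198.51.100.0/24", "aes-256", "md5", None, 86400)
ASTARO = Phase2Side("Astaro", "198.51.100.0/24", "192.0.2.0/24", "aes-256", "md5", 2, 28800)

if __name__ == "__main__":
    errs, warns = compare_phase2(ASA, ASTARO)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
```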

bigcappa1 Fri, 01/11/2008 - 01:06

Jon,

I get nothing at all when I do a sho crypto isakmp sa, hence the reason I thought not even phase 1 was working.

The vendor at the other end of the tunnel has changed his SA lifetime and the tunnel has come up. Bit strange as both SAs are now different. I will check this out and update the forum.

We had PFS off by the way, we both confirmed that and had already double checked ACLs. So this will be interesting when I get back on site next week.


Regards

Paul

Sec IT Fri, 01/11/2008 - 01:54
change the group to 5 for aes-256.


-Rajesh P
