01-10-2008 10:02 AM - edited 02-21-2020 01:51 AM
Guys,
Hope you can help. I am getting this error:
Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!
Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xb8b49538)!
Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
That's all it does, no phase one negotiation or anything. Have checked the config with the other party over and over again, but they just won't talk.
Any ideas what the error means?
Config (we have matching access lists at each end):
crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac
crypto dynamic-map rtpdynmap 20 set transform-set optset
crypto map optmap 10 match address VPNGermany_Access
crypto map optmap 10 set peer 213.XXX.XXX.XXX
crypto map optmap 10 set transform-set optaes
crypto map optmap 10 set security-association lifetime seconds 86400
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
tunnel-group 213.XXX.XXX.XXX type ipsec-l2l
tunnel-group 213.XXX.XXX.XXX ipsec-attributes
pre-shared-key *
cheers
Paul
01-10-2008 01:27 PM
Hi
QM = Quick Mode = Phase 2.
Phase 1 is either Main Mode or Aggressive Mode.
So the fact it is getting to QM suggests phase 1 is working. What do you see if you do a "sh crypto isa sa" on the ASA?
Can you check the phase 2 settings to ensure they match, i.e.:
1) check your crypto map access-list and make sure that the local and remote subnet you have on your ASA matches the Astaro local and remote subnets
2) Explicitly set PFS in phase 2 and get them to do the same on the Astaro firewall.
HTH
Jon
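As an added illustration of Jon's two checks (not code from the thread or from Cisco): the script below counts the Quick Mode failures per peer from the syslog lines quoted in the post, and compares the Phase 2 parameters of both ends, requiring the proxy IDs (crypto ACL subnets) to be mirrored and the transform, PFS and lifetime to agree. The field names in the parameter dicts are my own assumption, not ASA or Astaro syntax.

```python
import re
from ipaddress import ip_network

# Sample lines copied from the post (peer addresses redacted there as 213.XXX.XXX.XXX).
SAMPLE_LOG = """\
Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!
Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xb8b49538)!
Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!
"""

# "QM FSM error" is logged when Phase 1 completed but the Phase 2 (Quick Mode) proposal was rejected.
QM_ERR = re.compile(
    r"\[IKEv1\]: Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), QM FSM error .*mess id (?P<mid>0x[0-9a-f]+)"
)


def qm_errors_by_peer(log):
    """Return {peer_ip: number of Quick Mode failures} found in the syslog text."""
    counts = {}
    for line in log.splitlines():
        m = QM_ERR.search(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


def phase2_mismatches(local, remote):
    """Compare the Phase 2 settings of both ends (assumed dict layout:
    local_net, remote_net as CIDR strings; transform; pfs as None or a DH group
    name; lifetime in seconds). The local/remote subnets of one side must be the
    remote/local subnets of the other; everything else must be identical."""
    problems = []
    if (ip_network(local["local_net"]) != ip_network(remote["remote_net"])
            or ip_network(local["remote_net"]) != ip_network(remote["local_net"])):
        problems.append("proxy IDs are not mirrored: crypto ACL subnets do not match the peer")
    for key in ("transform", "pfs"):
        if local[key] != remote[key]:
            problems.append(f"{key} differs: {local[key]!r} vs {remote[key]!r}")
    if local["lifetime"] != remote["lifetime"]:
        # Lifetimes are often negotiated down, but some peers reject a mismatch, as in this thread.
        problems.append(f"SA lifetime differs: {local['lifetime']} vs {remote['lifetime']} seconds")
    return problems


if __name__ == "__main__":
    print(qm_errors_by_peer(SAMPLE_LOG))
```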
01-11-2008 01:06 AM
Jon,
I get nothing at all when I do a "sho crypto isakmp sa", hence the reason I thought not even phase 1 was working.
The vendor at the other end of the tunnel has changed his SA lifetime and the tunnel has come up. Bit strange as both SAs are now different. I will check this out and update the forum.
We had PFS off by the way, we both confirmed that and had already double-checked ACLs. So this will be interesting when I get back on site next week.
Regards
Paul
01-11-2008 01:54 AM
Change the group to 5 for AES-256.
-Rajesh P