06-09-2008 06:46 AM - edited 03-11-2019 05:56 AM
Hi All,
Users are not able to ping servers on the LAN when connected via VPN to an ASA5510 configured as an Active/Standby failover pair. They could connect via VPN but couldn't PING or launch Microsoft Outlook. I included the command "crypto isakmp nat-traversal 20" but users still could PING. I increased the value to 360. Still no luck.
Also, four out of the six L2L tunnels came up and I could pass traffic over them. But two came up and go down in less than half a second. For the remaining two, I got the following errors in the ASA log:
4|Jun 07 2008|15:58:44|113019|||||Group = 220.x.x.194, Username = 220.x.x.194, IP = SHANGHAI-PIX, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error
3|Jun 07 2008|15:58:44|713902|||||Group = 220.x.x.194, IP = 220.x.x.194, Removing peer from correlator table failed, no match!
1|Jun 07 2008|15:58:44|713900|||||Group = 220.x.x.194, IP = 220.x.x.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3|Jun 07 2008|15:58:44|713902|||||Group = 220.x.x.194, IP = 220.x.x.194, QM FSM error (P2 struct &0xd5830b58, mess id 0x8508c326)!
From the log in the ASDM, I was asked to contact the Cisco TAC if the problem persists.
Any ideas on what I might be doing wrong would be much appreciated.
Find attached my config as well.
Best regards.
06-09-2008 12:45 PM
WoW! pretty long config there :).
Try to check your split tunnel ACLs, also what is the point of split tunneling (specified) if your ACL = any? Why not leave out the split tunneling altogether?
Also for the Site to Site VPNs, why do you have two crypto maps for each site? 3DES/DES?
Seems to be a Phase 2 mismatch. Also make sure PFS is enabled on both sides and using the same DH group (phase 2 DH group).
Regards
Farrukh
06-12-2008 11:48 PM
Thanks for your response Farrukh. I have modified the crypto maps.
I want split tunneling for the VPN clients. How do I tidy up my config in order to allow split tunneling?
Best regards.
06-14-2008 06:29 AM
You can have a look at the following two links for split tunneling examples on the ASA/PIX:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
Regards
Farrukh
06-15-2008 04:54 AM
Hi,
I have a doubt about your ST ACLs...
That's why you are facing QM FSM errors.
Do mention your networks in the ST ACLs (without using any).
HTH
07-11-2008 01:11 AM
Thanks everyone for your help.
I removed the "any" and specified the networks I want VPN users to access behind the ASA, disabled PFS for the site-to-site VPN, removed the duplicated crypto maps, did a few more tweaks, and that fixed the problem.
Regards.
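A before/after ASA configuration fragment illustrating the changes the thread settled on (a split-tunnel ACL that names the internal networks instead of "any", a single crypto map entry per L2L peer, and the same PFS setting on both ends). This is an added example, not the poster's attached config; the network addresses, ACL names, group-policy name and peer address are constructed placeholders.

```cisco
! Added example, not the poster's config. Constructed placeholders:
! 10.10.0.0/16 = LAN behind the ASA, 10.20.0.0/16 = remote site LAN,
! 192.0.2.10 = remote L2L peer, OUTSIDE_MAP / VPNCLIENTS_GP = local names.

! ===== BEFORE: the pattern questioned in the thread =====
! "tunnelspecified" with an ACL of "any" does not name any network,
! which is the condition Farrukh and the next reply point at.
access-list SPLIT_TUNNEL standard permit any
group-policy VPNCLIENTS_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
! Two crypto map entries for the same peer, one 3DES and one DES.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SITE_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 20 match address L2L_SITE_A
crypto map OUTSIDE_MAP 20 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 set transform-set ESP-DES-SHA

! ===== AFTER: what the poster reports as the fix =====
! Split tunnel ACL lists only the networks VPN users should reach; each
! entry becomes a route on the client (check the VPN client statistics).
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
group-policy VPNCLIENTS_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
! Interesting traffic for the site-to-site tunnel.
access-list L2L_SITE_A extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
! One crypto map entry per peer; remove the duplicate sequence 20 entry.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SITE_A
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
! PFS must match the remote end: either "set pfs group2" on both sides,
! or no PFS on both sides (the poster chose to disable it).
no crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP interface outside
! Keep NAT-T enabled for clients behind NAT, as the poster already had.
crypto isakmp nat-traversal 20
```

The two sections are meant to be read side by side, not applied in sequence; the transform set, DH group and PFS choice must be mirrored on the remote peer for Phase 2 to complete.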
06-16-2008 01:52 AM
After connecting through the VPN client, just check the statistics of the VPN client to see whether you are getting the required routes.