L2L Site VPN issue

May 28th, 2009

I have had a site that has worked with no problem until today. I am getting Phase 1 with no problem and have multiple IPSEC tunnels established. The problem I am having is with the remote site getting to a specific host. I am getting the following from my debugs. Any help is appreciated.


May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0xd0b129b8, mess id 0x31fe72e1)!

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE QM Initiator FSM error history (struct &0xd0b129b8) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy Z.Z.Z.0, Local Proxy Y.Y.Y.Y

May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!

May 28 11:24:10 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb82af5cc

May 28 11:24:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

May 28 11:24:14 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf inside, IKE Peer X.X.X.X local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.0, Crypto map (fleet-map)

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode

May 28 11:24:14 [IKEv1 DECODE]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f0349ecc

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xcd4c329f

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing IPSec nonce payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing proxy ID

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, Transmitting Proxy Id:

Local host: Y.Y.Y.Y Protocol 0 Port 0

Remote subnet: Z.Z.Z.0 Mask 255.255.255.0 Protocol 0 Port 0

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload

May 28 11:24:14 [IKEv1 DECODE]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 1st QM pkt: msg id = f0349ecc

May 28 11:24:14 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f0349ecc) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160

r-garrison Fri, 05/29/2009 - 14:03

Sounds a bit like your encryption domains (the ACLs attached to the crypto map) don't quite mirror each other. Is there a difference? Could be a subnet mask mistype or any number of small clerical errors.
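One way to run the mirror check suggested in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it parses the `permit ip` entries of each peer's crypto ACL and reports entries that have no swapped source/destination twin on the other side. The ACL name `fleet-acl` and all addresses are constructed sample values, and only `any`, `host A` and `NET MASK` address forms are handled (object-groups are not).

```python
import ipaddress

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'NET MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)

def parse_crypto_acl(config):
    """Return the set of (source, destination) networks from 'permit ip' lines."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        pairs.add((_take_addr(rest), _take_addr(rest)))  # source first, then destination
    return pairs

def mirror_mismatches(local_cfg, remote_cfg):
    """List entries on either peer with no swapped twin on the other peer.

    Both lists are written from the local peer's point of view (local -> remote).
    """
    local = parse_crypto_acl(local_cfg)
    mirrored = {(dst, src) for src, dst in parse_crypto_acl(remote_cfg)}
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in sorted(pairs)]
    return {"local_only": fmt(local - mirrored), "remote_only": fmt(mirrored - local)}

# Constructed sample ACLs (hypothetical name, RFC 5737 documentation addresses).
# The second remote entry carries a mistyped mask (.224 instead of .192).
LOCAL_ACL = """
access-list fleet-acl extended permit ip host 192.0.2.10 198.51.100.0 255.255.255.0
access-list fleet-acl extended permit ip 192.0.2.64 255.255.255.192 198.51.100.0 255.255.255.0
"""
REMOTE_ACL = """
access-list fleet-acl extended permit ip 198.51.100.0 255.255.255.0 host 192.0.2.10
access-list fleet-acl extended permit ip 198.51.100.0 255.255.255.0 192.0.2.64 255.255.255.224
"""

if __name__ == "__main__":
    for side, entries in mirror_mismatches(LOCAL_ACL, REMOTE_ACL).items():
        for entry in entries:
            print(f"{side}: {entry}")
```

An entry that shows up in either list is a proxy ID one peer would propose and the other would not accept as an exact match.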
