L2L VPN Config Help - ASA5510 to 1720

Unanswered Question

I am having a problem getting a site-to-site VPN config working. When I generate traffic from the 172.18.3.0 subnet to the 172.22.3.0 subnet I get the following error on the ASA:

ASA5510# Oct 13 18:25:23 [IKEv1]: Group = 203.33.116.209, IP = 203.33.116.209, QM FSM error (P2 struct &0x447ae48, mess id 0x1893f491)!
Oct 13 18:25:23 [IKEv1]: Group = 203.33.116.209, IP = 203.33.116.209, Removing peer from correlator table failed, no match!

The ISAKMP SAs attempt to be built on both the ASA and the 1720 but then error out and get deleted.


Configs and network diagram attached.


Herbert Baerten (Cisco Employee) Wed, 10/14/2009 - 02:38

On the ASA, you want the dynamic map to be last in the sequence of crypto map entries:

no crypto map vpnremote 10 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65000 ipsec-isakmp dynamic dynmap

On the 1720, you need to apply the crypto map to the interface:

interface Ethernet0
crypto map VPNmap

And make sure that the IPsec parameters match; for now you have PFS configured on the ASA but not on the 1720. So e.g.

crypto map VPNmap 10 ipsec-isakmp
set pfs group2

If you still have a problem after that, please get "debug cry isa" and "debug cry ips" on IOS and "debug cry isa 10" and "debug cry ips 10" on ASA, at the same time.


hth

Herbert
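As an added example (not from the thread, and not Cisco tooling), a small Python audit that checks a pair of configs for the three points Herbert raises: the dynamic map must be the last crypto map entry on the ASA, the crypto map must be bound to an interface on the 1720, and PFS must match on both ends. The sample configs are constructed around the map names vpnremote and VPNmap from the thread; they are not the poster's attachments.

```python
import re
# Constructed sample configs carrying the defects the reply lists (not the poster's attachments)
ASA_CFG = """
crypto map vpnremote 10 ipsec-isakmp dynamic dynmap
crypto map vpnremote 20 match address l2l-acl
crypto map vpnremote 20 set pfs group2
crypto map vpnremote interface outside
"""
IOS_CFG = """
crypto map VPNmap 10 ipsec-isakmp
 match address 101
interface Ethernet0
"""
def crypto_map_entries(cfg, name):
    # {seq: [attribute strings]}; handles ASA flat lines and IOS indented sub-mode lines
    entries, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(rf"crypto map {name} (\d+) (.*)", line)
        if m:
            cur = int(m.group(1))
            entries.setdefault(cur, []).append(m.group(2))
        elif line.startswith(" ") and cur is not None:
            entries[cur].append(line.strip())
        elif line:
            cur = None  # any other top-level line ends the sub-mode
    return entries

def dynamic_map_is_last(cfg, name):
    # the catch-all dynamic entry must carry a higher sequence than every static entry
    entries = crypto_map_entries(cfg, name)
    dyn = [s for s, a in entries.items() if any(x.startswith("ipsec-isakmp dynamic") for x in a)]
    static = [s for s in entries if s not in dyn]
    return not dyn or not static or min(dyn) > max(static)

def pfs_group(cfg, name, seq):
    # PFS group on one entry, or "none" when PFS is not configured (the default)
    hits = [re.match(r"set pfs (\S+)", a) for a in crypto_map_entries(cfg, name).get(seq, [])]
    return next((h.group(1) for h in hits if h), "none")

def map_applied(cfg, name):
    # ASA: 'crypto map NAME interface X'; IOS: 'crypto map NAME' inside an interface block
    return bool(re.search(rf"^crypto map {name} interface \S+", cfg, re.M)
                or re.search(rf"^interface \S+\n(?: .*\n)*? crypto map {name}\b", cfg, re.M))

def audit(asa, ios):
    # mismatches that keep phase 2 (quick mode) from completing
    checks = [(dynamic_map_is_last(asa, "vpnremote"), "ASA: dynamic entry precedes the static L2L entry"),
              (map_applied(ios, "VPNmap"), "IOS: crypto map VPNmap not applied to an interface"),
              (pfs_group(asa, "vpnremote", 20) == pfs_group(ios, "VPNmap", 10), "PFS mismatch")]
    return [msg for ok, msg in checks if not ok]
```

Running `audit(ASA_CFG, IOS_CFG)` reports all three findings; after renumbering the dynamic entry to 65000, adding `set pfs group2` to VPNmap 10 and binding VPNmap under Ethernet0, it returns an empty list.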
