L2L VPN Config Help - ASA5510 to 1720

mmurray
Level 1

I am having a problem getting a site-to-site VPN config working. When I generate traffic from the 172.18.3.0 subnet to the 172.22.3.0 subnet I get the following error on the ASA:

ASA5510# Oct 13 18:25:23 [IKEv1]: Group = 203.33.116.209, IP = 203.33.116.209, QM FSM error (P2 struct &0x447ae48, mess id 0x1893f491)!

Oct 13 18:25:23 [IKEv1]: Group = 203.33.116.209, IP = 203.33.116.209, Removing peer from correlator table failed, no match!

The ISAKMP SAs attempt to be built on both the ASA and the 1720 but then error out and get deleted.

Configs and network diagram attached.

2 Replies

Herbert Baerten
Cisco Employee

On the ASA, you want the dynamic map to be last in the sequence of crypto map entries:

no crypto map vpnremote 10 ipsec-isakmp dynamic dynmap

crypto map vpnremote 65000 ipsec-isakmp dynamic dynmap

On the 1720, you need to apply the crypto map to the interface:

interface Ethernet0

crypto map VPNmap

And make sure that the IPsec parameters match; for now you have PFS configured on the ASA but not on the 1720.

So e.g.

crypto map VPNmap 10 ipsec-isakmp

set pfs group2

If you still have a problem after that, please get "debug cry isa" and "debug cry ips" on IOS and "debug cry isa 10" and "debug cry ips 10" on ASA, at the same time.

hth

Herbert
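The three points above, pulled together into one minimal pair of configs. This is an added illustration, not the poster's attached configs or Cisco documentation; it assumes 172.18.3.0/24 sits behind the ASA and 172.22.3.0/24 behind the 1720 (inferred from the traffic direction in the question and the peer address in the ASA log), 3DES/SHA with a pre-shared key, pre-8.3 ASA syntax, and uses labelled placeholders for the key and the ASA's public address, neither of which the thread gives.

```cisco
! ---- ASA5510 side (assumed to front 172.18.3.0/24) ----
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.33.116.209 type ipsec-l2l
tunnel-group 203.33.116.209 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
access-list L2L-1720 extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! static L2L entry (sequence 20 is an assumption); PFS is set here,
! so the 1720 must set the same group or Phase 2 fails
crypto map vpnremote 20 match address L2L-1720
crypto map vpnremote 20 set peer 203.33.116.209
crypto map vpnremote 20 set transform-set ESP-3DES-SHA
crypto map vpnremote 20 set pfs group2
! dynamic (catch-all) entry moved to the highest sequence, as advised above
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnremote 65000 ipsec-isakmp dynamic dynmap
crypto map vpnremote interface outside

! ---- 1720 (IOS) side (assumed to front 172.22.3.0/24) ----
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address <ASA-OUTSIDE-IP>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! mirror image of the ASA's crypto ACL: proxy IDs must match exactly
access-list 101 permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
crypto map VPNmap 10 ipsec-isakmp
 set peer <ASA-OUTSIDE-IP>
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 101
! the map does nothing until it is bound to the outside interface
interface Ethernet0
 crypto map VPNmap
```

Interface addressing, routing and NAT exemption for the 172.18.3.0/24 to 172.22.3.0/24 traffic are left out; a missing NAT exemption on the ASA produces the same kind of Phase 2 proxy-ID mismatch as a non-mirrored crypto ACL.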

@Herbert:

The crypto map to the ethernet 0 interface did the trick. Thanks.

I'll check the pfs params and dynamic map as well.