Cisco ASA 5505 and Windows VPN Client -- QM FSM Error

Unanswered Question
Nov 27th, 2009

Greetings!


I have an ASA 5505 that I've configured with 3 site-to-site VPN tunnels (which are working perfectly), as well as a customized Remote Access VPN tunnel which works great with our XP clients that use the traditional Cisco VPN client software. However, I'm trying to move away from that as I begin upgrading users to Windows 7 x64 by converting to the built-in Windows client using L2TP/IPSec. To do this, I've followed the recommended Cisco guide (as well as a half dozen forum posts) and set up the DefaultRAGroup for this purpose.


However, I'm hitting a roadblock in my configuration in that my clients are immediately rejected with an Error 789, and the ASA reports a "QM FSM Error". I've searched and revealed that it's probably a mismatched crypto setting, but I've pored over documentation and can't figure out where I've gone wrong in my configs.


I should note that I'm using IAS for authentication off my Active Directory domain, and testing that from ASDM works great!


My ASA 5505 is running 8.2(1)11 software and ASDM 6.2(3).


I'm attaching the entire config file with passwords scrubbed and outside IPs replaced as 1.2.3.x or 4.5.6.x as appropriate. I would appreciate any feedback on where I'm going wrong.

Patrick0711 Sun, 11/29/2009 - 21:09

QM FSM can occur for numerous reasons.  There is no way to determine what the problem might be without some debugging.  Please enable the following debug and provide the debug output:


debug crypto isakmp 254

muranskycotech Mon, 11/30/2009 - 11:06

Patrick, thanks for the suggestion. I've attached a log file containing the relevant log information. Here are the segments I feel are most relevant:


5|Nov 30 2009|13:47:10|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
7|Nov 30 2009|13:47:10|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
7|Nov 30 2009|13:47:10|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: dynmap
7|Nov 30 2009|13:47:10|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Nov 30 2009|13:47:10|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = mymap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:OMS-ASA
7|Nov 30 2009|13:47:10|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = mymap, seq = 20...
7|Nov 30 2009|13:47:10|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = mymap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:OMS-ASA
7|Nov 30 2009|13:47:10|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = mymap, seq = 10...
7|Nov 30 2009|13:47:10|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = mymap, seq = 5, ACL does not match proxy IDs src:1.2.3.4 dst:OMS-ASA
7|Nov 30 2009|13:47:10|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = mymap, seq = 5...
7|Nov 30 2009|13:47:10|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
7|Nov 30 2009|13:47:10|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Nov 30 2009|13:47:10|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.


Also, even though it claims a Phase I completed, it is reporting these messages:


5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2



I appreciate any feedback and insights you have on this!

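A small triage helper for the ASDM log export shown above, added here as an example and not part of the thread: it parses the pipe-delimited lines, keys on the message IDs visible in the post (713257, 713906, 713222, 713066, 713904) and reports whether the peer was rejected in Phase 1 (DH group mismatch) or Phase 2 (no acceptable IPsec SA proposal). The sample lines are copied from the post; the suggested next steps (matching the offered DH group, checking the transform set on the dynamic map) are assumptions drawn from that log, not a verified fix.

```python
import re

# Constructed sample in the ASDM export format of the post above (severity|date|time|msgid|...|text).
SAMPLE_LOG = """\
5|Nov 30 2009|13:47:09|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
7|Nov 30 2009|13:47:10|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
7|Nov 30 2009|13:47:10|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = mymap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:OMS-ASA
7|Nov 30 2009|13:47:10|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: dynmap
5|Nov 30 2009|13:47:10|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
"""

def parse_line(line):
    """(severity, msgid, text) for one export line, or None if malformed."""
    parts = line.split("|")
    if len(parts) < 9 or not parts[3].isdigit():
        return None
    return int(parts[0]), int(parts[3]), parts[-1].strip()

def triage(log_text):
    """Collect which IKE stage rejected the peer and the evidence for it."""
    f = {"phase1_mismatch": [], "phase2_rejected": False, "l2tp": False,
         "static_misses": 0, "dyn_map": None}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        _, msgid, text = rec
        if msgid == 713257:      # Phase 1 attribute mismatch (here: DH group)
            m = re.search(r"Rcv'd: (.+?)\s{2,}Cfg'd: (.+)$", text)
            if m:
                f["phase1_mismatch"].append((m.group(1), m.group(2)))
        elif msgid == 713906 and "L2TP/IPSec" in text:
            f["l2tp"] = True     # Windows L2TP client negotiates transport mode
        elif msgid == 713222:    # a static map entry's ACL missed the proxy IDs
            f["static_misses"] += 1
        elif msgid == 713066:    # crypto map the peer was finally matched to
            m = re.search(r"crypto map: (\S+)", text)
            f["dyn_map"] = m.group(1) if m else None
        elif msgid == 713904:    # no Phase 2 proposal accepted -> QM FSM error
            f["phase2_rejected"] = True
    return f

def diagnose(f):
    """Turn findings into short, checkable next steps for the administrator."""
    out = [f"Phase 1: peer offered {r}, a policy has {c}; make sure an isakmp "
           "policy offers the same DH group" for r, c in f["phase1_mismatch"]]
    if f["phase2_rejected"]:
        where = f["dyn_map"] or "the dynamic crypto map"
        mode = "transport-mode " if f["l2tp"] else ""
        out.append(f"Phase 2: no proposal matched on {where}; compare its "
                   f"{mode}transform set with what the client offers")
    return out
```

Feed it the full `debug crypto isakmp 254` export and the Phase 1 list will show every policy the client's proposal was tried against, not just the one that finally matched.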
muranskycotech Mon, 12/07/2009 - 08:25

Still looking for some additional assistance on this one... if anyone has any feedback on the attached config and log files, I appreciate it greatly!

muranskycotech Fri, 10/22/2010 - 06:45

I ended up rebuilding the tunnels from scratch confirming each one was matching all its parameters. It was a pain, but I ended up with a much cleaner setup in the end.
