Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

2 VPN Tunnels on a single Pix Firewall

I cureently have a site to site VPN tunnel (VPN1) between HK (Pix ver 6.1(2) & Leeds (ASA version 7.2(2). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a Pix 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shutdown VPN1 when VPN2 is up.

On the HK PIX I am using the same isakmp policy, transform-set and have created another crypto map for the the new VPN (VPN2).

On passing intersting traffic to establish the new tunnel for the Leeds end, I am gettting the following debugging errors.

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!

Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 192.168.0.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Site HK - PIX1(192.168.0.1)

crypto ipsec transform-set chevvie esp-des esp-md5-hmac

(crypto map for existing VPN (VPN1)

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set transform-set chevvie

(New Crpto Map for new VPN (VPN2)

crypto map transam 2 ipsec-isakmp

crypto map transam 2 match address 101

crypto map transam 2 set peer 192.168.0.3

crypto map transam 2 set transform-set chevvie

crypto map transam interface outside

isakmp enable outside

isakmp key ****** address 192.168.0.2 netmask 255.255.255.255

isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

Site - Leeds PIX2 (192.168.0.3)

crypto ipsec transform-set ford esp-des esp-md5-hmac

crypto map VPNHK 2 match address outside_crypto_acl

crypto map VPNHK 2 set peer 192.168.0.1

crypto map VPNHK 2 set transform-set ford

crypto map VPNHK interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

tunnel-group 192.168.0.1 type ipsec-l2l

tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n

sysopt connection permit-ipsec

Your assistance will be grately appreciated.

6 REPLIES
Community Member

Re: 2 VPN Tunnels on a single Pix Firewall

check the key, your key is wrong in the new config

Community Member

Re: 2 VPN Tunnels on a single Pix Firewall

The preshared key is fine. I have changed it but the error persists.

Re: 2 VPN Tunnels on a single Pix Firewall

Hi Donald

tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n

isakmp key ****** address 192.168.0.2 netmask 255.255.255.255

Try changing the PSK in above lines as 1 and try again

Regards

Community Member

Re: 2 VPN Tunnels on a single Pix Firewall

PSK passwords set to the same. No joy. Same error message.

Re: 2 VPN Tunnels on a single Pix Firewall

In this case, I suggest upgrading PIX IOS 6.1(2) to 6.3(5)

Also your match-acl for tunnel 192.168.0.2 and 192.168.0.3 are the same (101). Use different match acls for different tunnels

Community Member

Re: 2 VPN Tunnels on a single Pix Firewall

If I understand correctly, you new VPN tunnel, "protects" exactly the same traffic (same access-list). How if your firewall going to know which crypto map to follow? [i guess if they are the same it will use the map number.

Have tried to add to crypto map peers under the same crypto map and see if it works?

crypto ipsec transform-set chevvie esp-des esp-md5-hmac

(crypto map for existing VPN (VPN1)

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set peer 192.168.0.3

crypto map transam 1 set transform-set chevvie

144
Views
0
Helpful
6
Replies
CreatePlease to create content