Cisco Support Community

New Member

L2L Site VPN issue

I have had a site that has worked with no problem until today. I am getting Phase 1 with no problem and have multiple IPSEC tunnels established. The problem I am having is with the remote site getting to a specific host. I am getting the following from my debugs. Any help is appreciated.

May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, QM FSM error (P2 struct &0xd0b129b8, mess id 0x31fe72e1)!

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE QM Initiator FSM error history (struct &0xd0b129b8) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

May 28 11:24:10 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy Z.Z.Z.0, Local Proxy Y.Y.Y.Y

May 28 11:24:10 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!

May 28 11:24:10 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb82af5cc

May 28 11:24:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

May 28 11:24:14 [IKEv1]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf inside, IKE Peer X.X.X.X local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.0, Crypto map (fleet-map)

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode

May 28 11:24:14 [IKEv1 DECODE]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f0349ecc

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xcd4c329f

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing IPSec nonce payload

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing proxy ID

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, Transmitting Proxy Id:

Local host: Y.Y.Y.Y Protocol 0 Port 0

Remote subnet: Z.Z.Z.0 Mask 255.255.255.0 Protocol 0 Port 0

May 28 11:24:14 [IKEv1 DEBUG]: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload

May 28 11:24:14 [IKEv1 DECODE]: Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 1st QM pkt: msg id = f0349ecc

May 28 11:24:14 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f0349ecc) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160

1 REPLY
New Member

Re: L2L Site VPN issue

Sounds a bit like your encryption domains (the ACLs attached to the crypto map) don't quite mirror each other. Is there a difference? Could be a subnet mask mistype or any number of small clerical errors.

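Added example, not part of the thread or of either poster's configuration: a Python check that each entry in one side's crypto ACL has an exact mirror on the peer, which is the condition the reply asks about. The ACL names and all addresses below are constructed; the page's own addresses are masked.

```python
import ipaddress

# Constructed sample ACLs (hypothetical names and addresses).
LOCAL_ACL = """\
access-list fleet-acl extended permit ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list fleet-acl extended permit ip 10.1.2.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list fleet-acl extended permit ip 10.1.3.0 255.255.255.0 192.168.70.0 255.255.255.0
"""
PEER_ACL = """\
access-list site-acl extended permit ip 192.168.50.0 255.255.255.128 host 10.1.1.10
access-list site-acl extended permit ip 192.168.60.0 255.255.255.0 10.1.2.0 255.255.255.0
"""

def parse_selector(tokens):
    """Consume one address spec ('host A' or 'NET MASK') from a token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_crypto_acl(text):
    """Return (source, destination) network pairs from 'permit ip' ACL lines."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 2:]  # skip 'permit' and the protocol
        src, rest = parse_selector(rest)
        dst, _ = parse_selector(rest)
        pairs.append((src, dst))
    return pairs

def mirror_report(local_acl, peer_acl):
    """For each local entry, report whether the peer holds its exact mirror."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    report = []
    for src, dst in local:
        if (dst, src) in peer:
            status = "mirrored"
        elif any(p_src.overlaps(dst) and p_dst.overlaps(src) for p_src, p_dst in peer):
            status = "overlap-but-not-equal"  # e.g. a mistyped subnet mask
        else:
            status = "missing-on-peer"
        report.append((str(src), str(dst), status))
    return report

if __name__ == "__main__":
    for row in mirror_report(LOCAL_ACL, PEER_ACL):
        print(*row)
```

The first constructed entry has the same shape as the proxy ID in the debug output (a local host to a remote /24) and is reported as overlapping but not equal because the peer side uses a different mask.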