Cisco Support Community
New Member

Site-2-Site Vpn

Hello,

I want to establish a VPN between an ASA and another vendor's firewall.

I'm facing issues in phase 2 of the IPsec VPN connection. Attached are the debug logs from the ASA. I found the QM FSM error in the logs; the Cisco docs say the solution for this error is that the access-lists on both sides should match and the transform-sets should match.

Even though I am matching the access-list and transform-set, the tunnel is coming up from one end only, i.e. from the other vendor's firewall he is able to ping the internal network behind the ASA, but when the internal network initiates a connection to the other vendor's firewall the success rate is zero.

How is it possible that the other vendor is able to ping when the tunnel is not established from the ASA end? According to the logs, the ASA is stuck in phase 2.

Thanks

6 REPLIES
New Member

Site-2-Site Vpn

Hello,

Any hints please

Thanks

Site-2-Site Vpn

config??

Diego Cambronero

CCIE 34000

Site-2-Site Vpn

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debug shown below appears.

IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

New Member

Re: Site-2-Site Vpn

Hello rizwan,

Here are the configs for the dynamic and static crypto maps. According to the below, I hope the configs are correct.

crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside

Site-2-Site Vpn

Remove all of these:

crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa

----------------

Copy these lines:

crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto map cisco 65535 ipsec-isakmp dynamic cisco

New Member

Re: Site-2-Site Vpn

Dear Rizwan,

I have the dynamic map cisco, which is my branch on an ADSL router that initiates a connection to HO; it is numbered higher than the static one (whether you put number 10 or 65535, both are higher than the static). Just have a look at the matching colours: my static crypto maps are preferred over the dynamic ones.

crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 match address vpn
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside

I have 1 more question for you:

Should the transform-set be the same on both ends of the VPN peers? If they are different, for example esp-3des esp-md5-hmac and esp-aes esp-sha-hmac on one end and esp-3des esp-md5-hmac only on the other end, will phase 2 come up?

Thanks
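The two points raised in this thread (Diego's note that a dynamic crypto map entry must carry a higher sequence number than every static entry, and the last post's question about whether the transform-sets on both peers must be identical) both come down to how a responder walks its crypto map when a peer starts Quick Mode. The model below is an added, simplified illustration written for this page, not ASA code and not taken from the thread: it walks entries in sequence order, takes the first one whose peer and proxy IDs (the ACL) fit, and then accepts the first of the initiator's proposals that the entry also has configured. The entry layout, peer address and networks are constructed for the example; the transform-set strings mirror the `asa` and `asa1` sets in the posted config.

```python
"""Toy model of IKEv1 phase 2 (Quick Mode) entry selection on a responder.

Added illustration only: the crypto map, peer address and networks below are
constructed for this example and are not the poster's configuration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class CryptoMapEntry:
    """One 'crypto map <name> <seq>' entry. peer=None models a dynamic entry."""
    seq: int
    transform_sets: List[str]                 # in 'set ikev1 transform-set' order
    peer: Optional[str] = None                # None: dynamic template, any peer
    acl: List[Tuple[str, str]] = field(default_factory=list)  # (local, remote); empty = any


def proxy_ids_match(acl: List[Tuple[str, str]], local_net: str, remote_net: str) -> bool:
    """Mirror-image check: the IDs the initiator proposes must equal one ACE exactly.
    An entry with no ACL (a dynamic template without 'match address') accepts any IDs."""
    if not acl:
        return True
    want = (ip_network(local_net), ip_network(remote_net))
    return any((ip_network(loc), ip_network(rem)) == want for loc, rem in acl)


def select_entry(crypto_map: List[CryptoMapEntry], peer_ip: str, proposals: List[str],
                 local_net: str, remote_net: str) -> Tuple[Optional[int], str]:
    """Walk the map in ascending sequence order. The first entry whose peer and
    proxy IDs fit is the one used; the negotiation then succeeds only if one of
    the initiator's proposals is also configured on that entry. Later entries
    are not tried once an entry has claimed the negotiation (simplifying
    assumption of this model). Returns (seq, transform) or (None, reason)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.peer is not None and entry.peer != peer_ip:
            continue                                   # static entry for another peer
        if not proxy_ids_match(entry.acl, local_net, remote_net):
            continue                                   # ACL does not mirror the proposal
        for proposal in proposals:                     # initiator's preference order
            if proposal in entry.transform_sets:
                return entry.seq, proposal
        return None, f"seq {entry.seq} matched peer/ACL but no common transform set"
    return None, "no crypto map entry matches peer and proxy IDs"


TS_3DES_MD5 = "esp-3des esp-md5-hmac"   # the thread's transform-set 'asa'
TS_AES_SHA = "esp-aes esp-sha-hmac"     # the thread's transform-set 'asa1'

# Constructed map shaped like the thread's: static peer at seq 6, dynamic template above it.
SITE_TO_SITE = [
    CryptoMapEntry(seq=6, peer="198.51.100.7", acl=[("10.10.0.0/16", "10.20.0.0/16")],
                   transform_sets=[TS_3DES_MD5, TS_AES_SHA]),
    CryptoMapEntry(seq=10, transform_sets=[TS_3DES_MD5]),   # dynamic: any peer, any IDs
]

# Same entries, but the dynamic template numbered below the static one (the case the
# Cisco note quoted above warns about).
MISORDERED = [
    CryptoMapEntry(seq=1, transform_sets=[TS_3DES_MD5]),
    CryptoMapEntry(seq=6, peer="198.51.100.7", acl=[("10.10.0.0/16", "10.20.0.0/16")],
                   transform_sets=[TS_3DES_MD5, TS_AES_SHA]),
]

PEER, LOCAL, REMOTE = "198.51.100.7", "10.10.0.0/16", "10.20.0.0/16"


def scenarios() -> dict:
    """Named outcomes so they can be inspected or asserted on."""
    return {
        # peer offers only 3DES/MD5 while we have two sets: still comes up
        "subset_ok": select_entry(SITE_TO_SITE, PEER, [TS_3DES_MD5], LOCAL, REMOTE),
        # peer offers only AES/SHA: our second set matches
        "aes_ok": select_entry(SITE_TO_SITE, PEER, [TS_AES_SHA], LOCAL, REMOTE),
        # no overlap at all: phase 2 fails on the static entry
        "no_overlap": select_entry(SITE_TO_SITE, PEER, ["esp-aes-256 esp-sha-hmac"], LOCAL, REMOTE),
        # wrong proxy IDs: static entry skipped, the open dynamic template claims it
        "acl_mismatch": select_entry(SITE_TO_SITE, PEER, [TS_3DES_MD5], LOCAL, "10.30.0.0/16"),
        # dynamic entry numbered too low claims the static peer and lacks AES/SHA
        "misordered": select_entry(MISORDERED, PEER, [TS_AES_SHA], LOCAL, REMOTE),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} -> {result}")
```

The `subset_ok` and `aes_ok` cases answer the transform-set question: the sets do not have to be identical lists, they only need at least one common entry, and the responder accepts the first proposal the initiator offers that it also has. The `misordered` case is the condition in the quoted Cisco note: a dynamic template with a lower sequence number claims the static peer's negotiation, and if that template lacks the proposed transform the static peer fails even though its own entry would have matched. The `acl_mismatch` case is the reverse trap: a dynamic template without `match address` will silently accept proxy IDs that the static entry's ACL rejected, which can make a tunnel appear to work in one direction only.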
