I want to establish a VPN between an ASA and another vendor's firewall.
I'm facing issues in phase 2 of the IPsec VPN connection. Attached are the debug logs from the ASA. I found the QM FSM error in the logs; the Cisco docs say the solution for this error is that the access-list and the transform-set should match on both sides.
Even though I am matching the access-list and transform set, the tunnel is coming up from one end only, i.e. from the other vendor firewall he is able to ping the internal network behind the ASA, but when the internal network initiates a connection to the other vendor firewall the success rate is zero.
How is it possible that the other vendor is able to ping when the tunnel is not established from the ASA end? According to the logs the ASA is stuck in phase 2.
If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and debugs like the following appear:
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
I have a dynamic map "cisco", which is my branch on an ADSL router that initiates a connection to HO; it is numbered higher than the static entry. Whether you put number 10 or 65535, they are both higher than the static one. Just have a look at the matching colours: my static crypto map is preferred over the dynamic one.
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside
I have one more question for you:
Does the transform set have to be the same on both ends of the VPN peers? If they are different, for example esp-3des esp-md5-hmac and esp-aes esp-sha-hmac on one end and esp-3des esp-md5-hmac only on the other end, will phase 2 come up?
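The ordering rule quoted in the reply above and the transform-set question just asked can both be checked mechanically before staring at QM FSM debugs. The script below is an added example, not code from this thread or from Cisco: it parses the crypto map lines posted above, flags any static entry numbered above the first dynamic entry (the misordering the Cisco note describes), and reports whether two peers' phase 2 transform sets share at least one proposal. The transform-set definitions (asa = esp-3des esp-md5-hmac, asa1 = esp-aes esp-sha-hmac) and the remote peer's single set are assumptions built from the combinations named in the question; the thread itself only shows the names.

```python
"""Check ASA crypto-map entry ordering and IKEv1 phase 2 proposal overlap.

Added example (not Cisco code). Transform-set definitions are assumed;
the crypto map lines are the ones posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: posted crypto map lines plus assumed transform-set
# definitions so the proposal check has algorithm lists to compare.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set asa esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set asa1 esp-aes esp-sha-hmac
crypto dynamic-map cisco 1 set ikev1 transform-set asa
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map remote 8 set ikev1 transform-set asa
crypto map crypto 6 match address faq
crypto map crypto 6 set peer X.X.X.X
crypto map crypto 6 set ikev1 transform-set asa asa1
crypto map crypto 10 ipsec-isakmp dynamic cisco
crypto map crypto 20 ipsec-isakmp dynamic remote
crypto map crypto interface outside
"""

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_config(text):
    """Return (transform_sets, crypto_maps).

    transform_sets: name -> frozenset of algorithm keywords
    crypto_maps: map name -> seq -> {"kind": "static"|"dynamic"|None, "ts": [names]}
    """
    transform_sets = {}
    crypto_maps = defaultdict(lambda: defaultdict(lambda: {"kind": None, "ts": []}))
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
            continue
        m = MAP_RE.match(line)
        if not m:
            continue  # dynamic-map bodies, interface binding, anything else
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = crypto_maps[name][seq]
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["kind"] = "dynamic"
        elif rest.startswith(("set peer", "match address")):
            entry["kind"] = "static"
        if rest.startswith("set ikev1 transform-set"):
            entry["ts"] = rest.split()[3:]
    return transform_sets, crypto_maps


def ordering_problems(crypto_maps, map_name):
    """Sequence numbers of static entries placed above the first dynamic entry.

    Entries are evaluated lowest sequence first and a dynamic entry accepts
    any peer, so a static entry numbered above it is never reached for its
    peer; that is the condition behind the QM FSM error quoted above.
    """
    entries = crypto_maps[map_name]
    dynamic = [s for s, e in entries.items() if e["kind"] == "dynamic"]
    if not dynamic:
        return []
    first_dynamic = min(dynamic)
    return sorted(s for s, e in entries.items()
                  if e["kind"] == "static" and s > first_dynamic)


def proposals(transform_sets, ts_names):
    """Set of algorithm combinations one crypto map entry offers or accepts."""
    return {transform_sets[n] for n in ts_names}


def phase2_common_proposal(local, remote):
    """Quick mode needs only one shared transform set: the initiator offers
    every set configured on the entry and the responder picks one it has."""
    return local & remote


if __name__ == "__main__":
    ts, maps = parse_config(SAMPLE_CONFIG)
    print("misordered static entries:", ordering_problems(maps, "crypto"))
    local = proposals(ts, maps["crypto"][6]["ts"])
    remote = {frozenset("esp-3des esp-md5-hmac".split())}  # assumed far end
    print("shared phase 2 proposal:", phase2_common_proposal(local, remote))
```

Run against the posted config the ordering check comes back clean (static 6 below dynamic 10 and 20), and the two-set side still negotiates with a peer that has only esp-3des esp-md5-hmac, because that set is in both lists; renumber the static entry to 30 and the ordering check flags it.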