Community Member

Tunnel not coming up

Hi,

My VPN tunnel is not coming up and I am getting the following error, which I do not understand.

Aug 03 16:41:41 [IKEv1]: Group = 80.5.93.129, IP = 80.5.93.129, Removing peer from correlator table failed, no match!

Aug 03 16:41:44 [IKEv1]: Group = 80.5.93.129, IP = 80.5.93.129, QM FSM error (P2 struct &0x3baf170, mess id 0xb8cae8a5)!

Aug 03 16:41:44 [IKEv1]: Group = 80.5.93.129, IP = 80.5.93.129, Removing peer from correlator table failed, no match!

Aug 03 16:41:50 [IKEv1]: Group = 80.5.93.129, IP = 80.5.93.129, QM FSM error (P2 struct &0x3baf170, mess id 0x83c03218)!

Aug 03 16:41:50 [IKEv1]: Group = 80.5.93.129, IP = 80.5.93.129, Removing peer from correlator table failed, no match!

This IP is my remote peer.

Regards

3 REPLIES
Gold

Re: Tunnel not coming up

Post the configs from both peers.

Offhand, it sounds like somewhere your peer statements aren't matching.

Community Member

Re: Tunnel not coming up

Here is my config.

access-list inside_nat0_outbound extended permit ip host 192.168.11.1 host PDS

access-list outside_70_cryptomap extended permit ip host 192.168.11.1 host PDS

access-list inside_nat_outbound extended permit ip object-group Listening host PDS

global (outside) 3 192.168.11.1 netmask 255.255.255.0

nat (inside) 3 access-list inside_nat_outbound

crypto map vpn 70 match address outside_70_cryptomap

crypto map vpn 70 set pfs

crypto map vpn 70 set peer 143.252.4.36

crypto map vpn 70 set transform-set ESP-3DES-SHA

crypto map vpn 70 set security-association lifetime seconds 3600

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto map vpn interface outside

crypto isakmp identity address

crypto isakmp enable outside

tunnel-group 143.252.4.36 type ipsec-l2l

tunnel-group 143.252.4.36 ipsec-attributes

pre-shared-key *

From: Rafiq, Mohammed [mailto:Mohammed.Rafiq@newsint.co.uk]

Sent: 03 August 2007 17:18

To: Hassan Daher

Subject: RE: change Req 214109 (VPN to TLC)

access-list internet_cryptomap_120 extended permit tcp host 10.10.126.140 host 192.168.11.1 eq www

nat (optfir) 0 access-list optfir_nat0_outbound

crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac

crypto map Thus_map 120 match address internet_cryptomap_120

crypto map Thus_map 120 set pfs

crypto map Thus_map 120 set peer 80.5.93.129

crypto map Thus_map 120 set transform-set ESP-3DES-SHA

crypto map Thus_map 120 set security-association lifetime seconds 3600

crypto map Thus_map interface internet

isakmp enable internet

isakmp enable webcss

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

tunnel-group 80.5.93.129 type ipsec-l2l

tunnel-group 80.5.93.129 ipsec-attributes

pre-shared-key *

Re: Tunnel not coming up

Your match address statements do not match on both sides. One side is matching on IP and the other on TCP port 80.

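The mismatch named in the last reply can be checked mechanically before a tunnel is brought up. The following Python sketch is an added example, not part of the original thread: it reads the ACL bound by each side's `crypto map ... match address` line and reports local entries that have no mirrored counterpart on the peer. The address used for the name `PDS` is an assumption (the thread never shows its `name` statement), and the parser only covers `host ... [eq port]` entries like the ones posted.

```python
import re

# Constructed input: crypto ACL lines copied from the two configs in the thread.
NAMES = {"PDS": "10.10.126.140"}  # assumed mapping, not stated in the thread
SIDE_A = """
access-list outside_70_cryptomap extended permit ip host 192.168.11.1 host PDS
crypto map vpn 70 match address outside_70_cryptomap
"""
SIDE_B = """
access-list internet_cryptomap_120 extended permit tcp host 10.10.126.140 host 192.168.11.1 eq www
crypto map Thus_map 120 match address internet_cryptomap_120
"""

# Only "host X [eq P] host Y [eq P]" entries are parsed; other forms are skipped.
ACE = re.compile(r"^access-list (\S+) extended permit (\S+) "
                 r"host (\S+)(?: eq (\S+))? host (\S+)(?: eq (\S+))?$")
MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def crypto_aces(config, names=NAMES):
    """Return {(proto, src, src_port, dst, dst_port)} for ACLs bound to a crypto map."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(1) for l in lines if (m := MATCH.match(l))}
    aces = set()
    for l in lines:
        m = ACE.match(l)
        if m and m.group(1) in bound:
            _, proto, src, sport, dst, dport = m.groups()
            aces.add((proto, names.get(src, src), sport or "",
                      names.get(dst, dst), dport or ""))
    return aces


def mirror(ace):
    """Entry the remote peer must carry: same protocol, source and destination swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)


def mismatches(local, remote, names=NAMES):
    """Local crypto ACL entries with no exact mirror on the remote peer."""
    remote_aces = crypto_aces(remote, names)
    return sorted(a for a in crypto_aces(local, names) if mirror(a) not in remote_aces)


if __name__ == "__main__":
    for ace in mismatches(SIDE_A, SIDE_B):
        print("no mirror on peer for:", ace, "| peer has:", sorted(crypto_aces(SIDE_B)))
```
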