ASA to Astaro Security gateway

bigcappa1
Level 4

Guys,

Hope you can help. I am getting this error:

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xb8b49538)!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

That's all it does, no phase one negotiation or anything. I have checked the config with the other party over and over again but they just won't talk.

Any ideas what the error means?

Config:

We have matching access lists at each end.

crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac
crypto dynamic-map rtpdynmap 20 set transform-set optset
crypto map optmap 10 match address VPNGermany_Access
crypto map optmap 10 set peer 213.XXX.XXX.XXX
crypto map optmap 10 set transform-set optaes
crypto map optmap 10 set security-association lifetime seconds 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
tunnel-group 213.XXX.XXX.XXX type ipsec-l2l
tunnel-group 213.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *

Cheers

Paul

3 Replies

Jon Marshall
Hall of Fame

Hi

QM = Quick Mode = Phase 2.

Phase 1 is either Main Mode or Aggressive Mode.

So the fact that it is getting to QM suggests phase 1 is working. What do you see if you do a "sh crypto isa sa" on the ASA?

Can you check the phase 2 settings to ensure they match, i.e.

1) check your crypto map access-list and make sure that the local and remote subnet you have on your ASA matches the Astaro local and remote subnets

2) Explicitly set PFS in phase 2 and get them to do the same on the Astaro firewall.

HTH

Jon
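Jon's checklist (mirrored proxy-ID ACLs, the same transform set, PFS agreed on both ends) can be turned into a script that reads one crypto-map entry out of an ASA config like the one Paul posted, compares it with the far end, and tags ASA IKEv1 log lines by the phase they belong to. This is an added example, not code from the thread or from Cisco: the access-list body, the 203.0.113.10 peer address, the Astaro-side values and the MM/AM log abbreviations are assumptions, and the SA lifetime is compared as well because it is a phase-2 parameter too. The same resolution step flags a crypto map that points at a transform set which was never defined (the posted dynamic-map line references "optset" while only "optaes" is defined).

```python
"""Added example: check IKEv1 phase-2 (Quick Mode) parameters on both ends of a site-to-site tunnel."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ASA snippet modelled on the post. The ACL body and the RFC 5737
# peer address are assumptions; the post only says the ACLs match at each end.
ASA_CONFIG = """\
access-list VPNGermany_Access extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac
crypto map optmap 10 match address VPNGermany_Access
crypto map optmap 10 set peer 203.0.113.10
crypto map optmap 10 set transform-set optaes
crypto map optmap 10 set security-association lifetime seconds 86400
"""

# Constructed syslog lines in the shape quoted in the post (peer address replaced).
SAMPLE_LOG = """\
Jan 10 17:45:33 [IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!
Jan 10 17:45:33 [IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from correlator table failed, no match!
"""

@dataclass(frozen=True)
class Phase2Side:
    """What one peer proposes in Quick Mode for a single crypto-map entry."""
    name: str
    local_net: str            # proxy ID this side protects, e.g. "10.1.1.0/24"
    remote_net: str           # proxy ID it expects the peer to protect
    transforms: tuple         # e.g. ("esp-aes-256", "esp-md5-hmac")
    pfs_group: Optional[int]  # None means PFS is off
    lifetime_seconds: int

def parse_asa_phase2(config: str, crypto_map: str, seq: int) -> Phase2Side:
    """Resolve the ACL and transform set referenced by one ASA crypto-map entry."""
    transform_sets, acls = {}, {}
    acl_name = ts_name = pfs = None
    lifetime = 28800  # ASA default IPsec SA lifetime when the map sets none
    prefix = f"crypto map {crypto_map} {seq} "
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            transform_sets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # Normalise "net mask" pairs to CIDR so both ends compare as strings.
            acls[m[1]] = (str(ipaddress.ip_network(f"{m[2]}/{m[3]}")),
                          str(ipaddress.ip_network(f"{m[4]}/{m[5]}")))
        elif line.startswith(prefix):
            rest = line[len(prefix):]
            if m := re.match(r"match address (\S+)$", rest):
                acl_name = m[1]
            elif m := re.match(r"set transform-set (\S+)$", rest):
                ts_name = m[1]
            elif m := re.match(r"set pfs(?: group(\d+))?$", rest):
                pfs = int(m[1]) if m[1] else 2  # bare "set pfs" means group2 on ASA
            elif m := re.match(r"set security-association lifetime seconds (\d+)$", rest):
                lifetime = int(m[1])
    if ts_name not in transform_sets:
        raise ValueError(f"crypto map references undefined transform-set {ts_name!r}")
    if acl_name not in acls:
        raise ValueError(f"crypto map references undefined access-list {acl_name!r}")
    local, remote = acls[acl_name]
    return Phase2Side("asa", local, remote, transform_sets[ts_name], pfs, lifetime)

def compare_phase2(a: Phase2Side, b: Phase2Side) -> list:
    """List every phase-2 parameter on which the two peers disagree."""
    problems = []
    if (a.local_net, a.remote_net) != (b.remote_net, b.local_net):
        problems.append(f"proxy IDs not mirrored: {a.name} {a.local_net} -> {a.remote_net}, "
                        f"{b.name} {b.local_net} -> {b.remote_net}")
    if set(a.transforms) != set(b.transforms):
        problems.append(f"transform mismatch: {a.name} {a.transforms}, {b.name} {b.transforms}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name} group {a.pfs_group}, {b.name} group {b.pfs_group}")
    if a.lifetime_seconds != b.lifetime_seconds:
        # Negotiable in principle, but in this thread the tunnel only came up
        # after the far end changed its SA lifetime, so flag it as well.
        problems.append(f"lifetime mismatch: {a.name} {a.lifetime_seconds}s, {b.name} {b.lifetime_seconds}s")
    return problems

def ikev1_phase(line: str) -> str:
    """QM = Quick Mode = phase 2; MM/AM FSM (Main/Aggressive Mode, assumed names) = phase 1."""
    if "QM FSM" in line:
        return "phase2"
    if re.search(r"\b(MM|AM) FSM", line):
        return "phase1"
    return "other"

# Constructed far-end values: same proposal and PFS off, but a shorter SA lifetime.
ASTARO = Phase2Side("astaro", "10.2.2.0/24", "10.1.1.0/24", ("esp-aes-256", "esp-md5-hmac"), None, 3600)

if __name__ == "__main__":
    for problem in compare_phase2(parse_asa_phase2(ASA_CONFIG, "optmap", 10), ASTARO):
        print(problem)
    for entry in SAMPLE_LOG.splitlines():
        print(ikev1_phase(entry), "|", entry)
```

Run as-is it reports the single lifetime mismatch (86400s against 3600s) and tags the first quoted log line as phase2 and the correlator-table line as other. To use it on a live tunnel, feed parse_asa_phase2 a "show running-config" dump and fill in the far end's Phase2Side from the Astaro GUI; the proxy-ID check is the one that catches a subnet typed differently at each end, which a visual ACL comparison easily misses.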

Jon,

I get nothing at all when I do a "sho crypto isakmp sa", hence the reason I thought not even phase 1 was working.

The vendor at the other end of the tunnel has changed his SA lifetime and the tunnel has come up. Bit strange, as both SAs are now different. I will check this out and update the forum.

We had PFS off, by the way; we both confirmed that and had already double-checked the ACLs. So this will be interesting when I get back on site next week.

Regards

Paul

secureIT
Level 4

Change the group to 5 for AES-256.

-Rajesh P
