ASA to Astaro Security gateway

Guys,

Hope you can help. I am getting this error

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xc9d79d4e)!

Jan 10 17:45:33 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, QM FSM error (P2 struct &0xd5c50928, mess id 0xb8b49538)!

Jan 10 17:45:45 [IKEv1]: Group = 213.XXX.XXX.XXX, IP = 213.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

That's all it does, no phase one negotiation or anything. Have checked the config with the other party over and over again but they just won't talk.

Any ideas what the error means?

config

we have matching access lists at each end

crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac

crypto dynamic-map rtpdynmap 20 set transform-set optset

crypto map optmap 10 match address VPNGermany_Access

crypto map optmap 10 set peer 213.XXX.XXX.XXX

crypto map optmap 10 set transform-set optaes

crypto map optmap 10 set security-association lifetime seconds 86400

crypto isakmp policy 5

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

tunnel-group 213.XXX.XXX.XXX type ipsec-l2l

tunnel-group 213.XXX.XXX.XXX ipsec-attributes

pre-shared-key *

cheers

Paul

3 REPLIES
Re: ASA to Astaro Security gateway

Hi

QM = Quick Mode = Phase 2.

Phase 1 is either Main Mode or aggressive mode.

So the fact that it is getting to QM suggests phase 1 is working. What do you see if you do a "sh crypto isa sa" on the ASA?

Can you check the phase 2 settings to ensure they match, i.e.

1) check your crypto map access-list and make sure that the local and remote subnet you have on your ASA matches the Astaro local and remote subnets

2) Explicitly set PFS in phase 2 and get them to do the same on the Astaro firewall.

HTH

Jon
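Added example, not part of the thread or of any Cisco tooling: a small Python helper that pulls the Phase 2 (Quick Mode) settings of crypto map `optmap 10` out of the configuration posted in the question, so they can be compared field by field with what the remote admin reports. The function names and the shape of the `remote` dictionary are assumptions made for this illustration.

```python
import re

# Phase 2 related lines copied from the configuration in the question.
ASA_CONFIG = """\
crypto ipsec transform-set optaes esp-aes-256 esp-md5-hmac
crypto map optmap 10 match address VPNGermany_Access
crypto map optmap 10 set peer 213.XXX.XXX.XXX
crypto map optmap 10 set transform-set optaes
crypto map optmap 10 set security-association lifetime seconds 86400
"""

def phase2_summary(config, map_name, seq):
    """Collect the Quick Mode (Phase 2) settings of one crypto map entry."""
    defined = {}  # transform-set name -> list of transforms
    entry = {"acl": None, "peer": None, "transform_sets": [],
             "lifetime_seconds": None, "pfs": None}
    prefix = f"crypto map {map_name} {seq} "
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            defined[m.group(1)] = m.group(2).split()
        elif line.startswith(prefix):
            words = line[len(prefix):].split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform_sets"] = words[2:]
            elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
                entry["lifetime_seconds"] = int(words[4])
            elif words[:2] == ["set", "pfs"]:
                entry["pfs"] = words[2] if len(words) > 2 else "default-group"
    # Resolve names to transforms; None marks a set referenced but not defined.
    entry["proposals"] = {n: defined.get(n) for n in entry["transform_sets"]}
    return entry

def phase2_mismatches(local, remote):
    """Return the Phase 2 fields on which the two ends differ."""
    # Transforms are flattened into one list, which is enough for a single set.
    local_transforms = sorted(t for p in local["proposals"].values() for t in (p or []))
    checks = {
        "transforms": (local_transforms, sorted(remote["transforms"])),
        "pfs": (local["pfs"], remote["pfs"]),
        "lifetime_seconds": (local["lifetime_seconds"], remote["lifetime_seconds"]),
    }
    return [name for name, (a, b) in checks.items() if a != b]
```

Call `phase2_summary(ASA_CONFIG, "optmap", 10)` and pass the result to `phase2_mismatches` together with a dictionary of the peer's values; the crypto ACL named in `acl` still has to be compared by hand against the subnets configured on the other side.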

Re: ASA to Astaro Security gateway

Jon,

I get nothing at all when I do a sho crypto isakmp sa, hence the reason I thought not even phase 1 was working.

The vendor at the other end of the tunnel has changed his SA lifetime and the tunnel has come up. Bit strange as both SAs are now different. I will check this out and update the forum.

We had PFS off, by the way; we both confirmed that and had already double checked ACLs. So this will be interesting when I get back on site next week.

Regards

Paul

Re: ASA to Astaro Security gateway

Change the group to 5 for aes-256.

-Rajesh P
