02-22-2006 02:14 PM - edited 02-21-2020 02:16 PM
I have a site-to-site VPN between a Cisco PIX Firewall 515 and Check Point.
Recently I upgraded the software of the PIX from 6.3 to 7.0, and the VPN is not working now. The following messages are displayed by the PIX firewall:
Feb 22 17:24:36 [IKEv1]: Group = 180.1.34.5, IP = 180.1.34.5, QM FSM error (P2 struct &0x1e81270, mess id 0x461e9370)!
Feb 22 17:24:36 [IKEv1]: Group = 180.1.34.5, IP = 180.1.34.5, Removing peer from correlator table failed, no match!
02-23-2006 08:51 AM
Hi Angel,
You may try these on the PIX and see what happens:
clear isakmp sa
clear ipsec sa
Otherwise:
What are the syslog errors from the PIX?
Check if the other end supports keepalives (defaults on ver 7.0 are threshold: 10 secs and retry: 2 secs).
Check if the isakmp policies match between both ends.
Do the new access-lists match those you had in the previous version?
Is this command also in the config?
isakmp ipsec-over-tcp port 10000
Michel
02-23-2006 06:36 AM
Someone recently posted the same problem here.
I think the command "isakmp enable outside" was not transferred in the upgrade procedure.
02-23-2006 07:18 AM
Michel,
the command "isakmp enable outside" is in the configuration.
02-23-2006 01:21 PM
Thanks for your help; clearing the isakmp sa worked.
05-18-2006 10:09 PM
I too had the same problem, but it seems clearing the SAs is a temporary solution. I get VPN connection problems most frequently.
Please give me a one-time solution for this.
05-29-2006 12:38 AM
Hello,
This usually happens when the peer is a third-party device or when the devices have different IPsec/ISAKMP lifetime values.
Suppose device 1 has ISAKMP/IPsec lifetimes of 1000/1000 seconds and device 2 has 900/900 seconds. Device 2 will expect a tunnel negotiation packet after 900 seconds, which device 1 will reject because for it the tunnel already exists. Or, somehow the tunnel got broken and the state of the tunnel is uneven on both sides.
Although every vendor says they follow the RFC to the letter, it does not happen. The RFC clearly indicates that the lesser value of the lifetime should be accepted and that the lifetime value should be part of the proposal. But the RFC is nothing but guidelines.
Try configuring the lifetime values manually if creating a tunnel with devices from different vendors.
Vikas
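The lifetime pinning Vikas recommends, written out as an added example for the PIX 7.0 side of the tunnel in this thread (this is not configuration from any poster; the map name outside_map, the transform-set name, the access-list name, the sequence number 10 and the lifetime values 86400/3600 are assumptions, and the peer address 180.1.34.5 and keepalive values are taken from the thread). The Check Point side must be configured with the same Phase 1 and Phase 2 lifetimes, or the side with the shorter lifetime will start a renegotiation the other side does not expect.

```cisco
! Phase 1 (ISAKMP): set the lifetime explicitly so both peers agree.
! Encryption/hash/group/auth are assumed; they must also match the peer.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
!
! Dead peer detection values from Michel's reply (threshold 10 s, retry 2 s),
! so a silently dropped tunnel is torn down instead of lingering on one side.
tunnel-group 180.1.34.5 type ipsec-l2l
tunnel-group 180.1.34.5 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! Phase 2 (IPsec): pin the SA lifetime on the crypto map entry for this peer
! instead of relying on the default, which may differ from the Check Point default.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 180.1.34.5
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
```

After both sides carry the same values, `show isakmp sa` and `show ipsec sa` on the PIX should show one Phase 1 SA and a matching pair of Phase 2 SAs for 180.1.34.5 that survive across rekeys without the "QM FSM error" or "correlator table" messages reappearing.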
06-09-2006 07:10 AM
I'm getting the same Phase I error:
Jun 09 11:02:00 [IKEv1]: Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!
Doing a 'clear isakmp sa' command isn't doable, since that would break multiple existing tunnels on my production network; any background on the cause of this error?
ISAKMP policy and transform sets seem to match fine, but no Phase I.
Marc
06-09-2006 10:17 AM
Hi Marc,
For version 7.x you may collect tunnel info with
show vpn-sessiondb detail remote
The command to clear one tunnel at a time is:
clear ipsec sa peer
This will not affect or break the other tunnels running simultaneously on your PIX.
I'm not aware of any command doing this in previous versions (except clear isakmp sa / clear ipsec sa, which you mentioned earlier).
HTH
Mike