Cisco Support Community

New Member

Tunnel mismatch

I have a tunnel between a PIX 515E version 7.2(2) and a Cisco 3800 version 12.3(11r). There is a mismatch somewhere in the configs but I cannot find it. Any help would be appreciated. I have included the configs and the syslog errors.

5 REPLIES
Cisco Employee

Re: Tunnel mismatch

Hi Bill,

Please notice the following log message :

Could not delete route for L2L peer that came in on a dynamic map. address: 167.18.19.0, mask: 255.0.0.0

It shows an 8-bit subnet mask. Please check the crypto ACLs on each device. Also, the phase 1 lifetime is lower than that of phase 2. This is an incorrect implementation. Please make sure that the phase 1 lifetime is either higher than that of phase 2 or at least equal.

HTH,

Please rate if it helps,

Regards,

Kamal

New Member

Re: Tunnel mismatch

Why is an 8-bit mask an issue?

Cisco Employee

Re: Tunnel mismatch

Hi,

It's not if it is the same on both the ends. Just make sure that it is the same on both the ends.

HTH,

Kamal

Cisco Employee

Re: Tunnel mismatch

Hi,

Has your problem been resolved?

Regards,

Kamal

New Member

Re: Tunnel mismatch

I came across the same problem:

QM FSM error (P2 struct ....

IKE QM Responder FSM error history (struct &0x254e780)  , :  QM_DONE,....

sending delete/delete with reason message

Removing peer from correlator table failed, no match!

Could not delete route for L2L peer that came in on a dynamic map.

The problem was that a dynamic crypto map for client VPN connections was conflicting with a static crypto map, because the priority for the dynamic map was higher than the L2L map.

If you have something like this:

crypto map mapname 10 ipsec-isakmp dynamic outside_dyn_map

crypto map mapname 11 match address map_ACL

Change it to something like this:

crypto map mapname 11 match address map_ACL

crypto map mapname 6000 ipsec-isakmp dynamic outside_dyn_map

Making the dynamic map the last in your priority. This fixed my problem, although the QM FSM error is quite generic.
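
An audit for the ordering problem described in the reply above, as an added example that is not part of the original thread: it scans `crypto map` lines in the single-line PIX/ASA form quoted there and reports any dynamic entry with a lower sequence number than a static `match address` entry in the same map. The sample configs and the peer address 192.0.2.1 are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the two entry forms quoted in the thread (PIX/ASA syntax assumed):
#   crypto map <name> <seq> ipsec-isakmp dynamic <dyn-map>
#   crypto map <name> <seq> match address <acl>     (static L2L entry)
ENTRY = re.compile(
    r"^\s*crypto map (?P<name>\S+) (?P<seq>\d+) "
    r"(?:(?P<dyn>ipsec-isakmp dynamic \S+)|(?P<static>match address \S+))\s*$"
)

def parse_entries(config_text):
    """Return {map_name: {"dynamic": {seq, ...}, "static": {seq, ...}}}."""
    maps = defaultdict(lambda: {"dynamic": set(), "static": set()})
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if m:  # other sub-commands (set peer, set transform-set) are skipped
            kind = "dynamic" if m.group("dyn") else "static"
            maps[m.group("name")][kind].add(int(m.group("seq")))
    return maps

def find_shadowing(config_text):
    """List (map, dynamic_seq, static_seq) where the dynamic entry is
    evaluated first (lower sequence number means higher priority)."""
    findings = []
    for name, seqs in sorted(parse_entries(config_text).items()):
        for dyn in sorted(seqs["dynamic"]):
            for static in sorted(seqs["static"]):
                if dyn < static:
                    findings.append((name, dyn, static))
    return findings

# Constructed sample configs, modelled on the lines quoted in the post.
BEFORE = """\
crypto map mapname 10 ipsec-isakmp dynamic outside_dyn_map
crypto map mapname 11 match address map_ACL
crypto map mapname 11 set peer 192.0.2.1
"""
AFTER = """\
crypto map mapname 11 match address map_ACL
crypto map mapname 11 set peer 192.0.2.1
crypto map mapname 6000 ipsec-isakmp dynamic outside_dyn_map
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        hits = find_shadowing(cfg)
        print(label, hits if hits else "ok: dynamic entry is evaluated last")
```
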
