VPN error message

Hi,

I've set up a Cisco 837 for VPN access to our main site PIX 515E.

When I do a simple 'ping' to the main site, it just times out.

Now, when I open up the ASDM software and monitor what's going on, I see this message:

3 sep 04 2006 14:31:29 713119 Group= xx.xxx.x.xx, IP = xx.xxx.x.xx, PHASE 1 COMPLETED

But then, I see this message:

3 Sep 04 2006 14:31:29 713902 Group = xx.xxx.x.xx, IP = xx.xxx.x.xx, QM FSM error (P2 struct &0x27f25c0, mess id 0xa809a571)!

But, I really am new to this and I wouldn't have a clue where to start checking. I know I need to look at the CRYPTO map and ISAKMP config, but nothing more!

Please help!

3 Replies

mustafa_nbk
Level 1

Hi,

Can you upload the following command outputs from the PIX and the router?

show crypto isakmp policy

show crypto ipsec transform-set

show crypto map

Thanks,

Mustafa

Hi Mustafa,

Thanks for getting back to me, I really do appreciate any guidance!

OK, I ran the commands for you. On the 837 router it was fine, but the PIX didn't recognise the last part of any of the commands.

Do you want me to enter any other commands on the PIX? The PIX software version is: 7.2(1)

Here's what I've got for you so far:

---Cisco 837 router---

show crypto isakmp policy =

Protection suite of priority 10
        encryption algorithm: Three key triple DES
        hash algorithm: Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group: #2 (1024 bit)
        lifetime: 86400 seconds, no volume limit
Default protection suite
        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
        hash algorithm: Secure Hash Standard
        authentication method: Rivest-Shamir-Adleman Signature
        Diffie-Hellman group: #1 (768 bit)
        lifetime: 86400 seconds, no volume limit

*********************************************

show crypto ipsec transform-set =

Transform set TFS4: { esp-3des esp-sha-hmac }
   will negotiate = { Tunnel, },

*********************************************

show crypto map =

Crypto Map "TUNNEL" 10 ipsec-isakmp
        Peer = xxx.xxx.xxx.xxx
        Extended IP access list 105
            access-list 105 permit ip xx.xx.1.0 0.0.0.255 xx.x.0.0 0.0.255.255
            access-list 105 permit ip xx.xx.1.0 0.0.0.255 xxx.x.0.0 0.0.255.255
            access-list 105 permit ip xx.xx.1.0 0.0.0.255 xxx.xxx.1.0 0.0.0.255
        Current peer: 194.154.171.162
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TFS4,
        }
        Interfaces using crypto map TUNNEL:

=============================================

---Cisco PIX515E---

show crypto isakmp policy = PIX doesn't know the 'policy' part of the command:

Gold-FW1# sh crypto isakmp ?
  ipsec-over-tcp  Show IPSec over TCP data
  sa              Show ISAKMP sas
  stats           Show ISAKMP statistics
  |               Output modifiers

*********************************************

show crypto ipsec transform-set = PIX doesn't know part of this command:

show crypto ipsec ?
  df-bit         Show IPsec DF policy
  fragmentation  Show IPsec fragmentation policy
  sa             Show IPsec SAs
  stats          Show IPsec global statistics

*********************************************

show crypto map = PIX doesn't know part of this command:

show crypto map ?
  accelerator  Show accelerator operational data
  ca           Show certification authority policy
  ipsec        Show IPsec operational data
  isakmp       Show ISAKMP operational data
  key          Show long term public keys
  protocol     Show protocol statistics

Hope to hear from you soon.

Kind regards,

George

amohabir1
Level 1

I don't think you'll get anywhere with the show commands.

You need to do a debug crypto ipsec and debug crypto isakmp and look at the messages to see where it's failing. Apparently it's failing at phase two.

You need to check your configs again to make sure they match up on both ends. Transform sets and such.
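The phase-2 comparison amohabir1 is describing, written out as an added example (it is not code from the thread or from Cisco). It takes the router's crypto ACL, transform set and PFS setting exactly as George posted them, and checks them against the PIX side. Since the PIX 7.2 in the thread does not accept the IOS show commands, the PIX values would come from its running configuration (`show running-config crypto` and `show running-config access-list`); here they are hypothetical, and the masked addresses in George's output are replaced by hypothetical RFC 1918 ranges. It goes one step beyond "transform sets and such": it also checks that the two crypto ACLs are mirror images of each other, and it converts the IOS wildcard masks (0.0.0.255) into the subnet masks (255.255.255.0) that PIX 7.x ACLs use, because a mismatch in either is a classic cause of a phase-2 failure after phase 1 completes.

```python
"""Compare the IPsec phase-2 (quick mode) parameters of two VPN peers.

Added example, not part of the original thread. Router values are the
ones posted in the thread with hypothetical addresses; PIX values are
hypothetical. Only 'permit ip <net> <mask> <net> <mask>' ACL entries are
parsed (no 'host' or 'any' forms).
"""
import ipaddress
import re

# Router (IOS) side. IOS crypto ACLs use wildcard masks.
ROUTER_ACL = """\
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
ROUTER = {"acl": ROUTER_ACL, "wildcard": True,
          "transform": "esp-3des esp-sha-hmac", "pfs": None}

# Hypothetical PIX 7.2 side with three deliberate mismatches: a different
# hash in the transform set, PFS enabled, and the third flow missing.
# PIX 7.x ACLs use subnet masks, not wildcard masks.
PIX_ACL = """\
access-list VPN extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list VPN extended permit ip 10.2.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
PIX = {"acl": PIX_ACL, "wildcard": False,
       "transform": "esp-3des esp-md5-hmac", "pfs": "group2"}

# The same PIX side with all three problems corrected.
PIX_FIXED = {
    "acl": PIX_ACL + "access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0\n",
    "wildcard": False, "transform": "esp-3des esp-sha-hmac", "pfs": None}

PERMIT_IP = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def to_network(addr, mask, wildcard):
    """Build a network from an address plus either a subnet or a wildcard mask."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # invert the wildcard bits to get a netmask
        m = ~m & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(m)}", strict=False)


def proxy_ids(acl_text, wildcard):
    """Return the set of (local, remote) network pairs a crypto ACL protects."""
    flows = set()
    for line in acl_text.splitlines():
        m = PERMIT_IP.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            flows.add((to_network(src, smask, wildcard), to_network(dst, dmask, wildcard)))
    return flows


def compare_phase2(a, b):
    """List every phase-2 parameter on which peers a and b disagree."""
    problems = []
    if set(a["transform"].split()) != set(b["transform"].split()):
        problems.append(f"transform-set mismatch: {a['transform']!r} vs {b['transform']!r}")
    if a["pfs"] != b["pfs"]:
        problems.append(f"PFS mismatch: {a['pfs']} vs {b['pfs']}")
    a_flows = proxy_ids(a["acl"], a["wildcard"])
    b_flows = proxy_ids(b["acl"], b["wildcard"])
    # Each side's crypto ACL must contain the mirror image (remote, local)
    # of every flow on the other side, or quick mode cannot agree on proxy IDs.
    for local, remote in sorted(a_flows, key=str):
        if (remote, local) not in b_flows:
            problems.append(f"no mirror on peer B for {local} -> {remote}")
    for local, remote in sorted(b_flows, key=str):
        if (remote, local) not in a_flows:
            problems.append(f"no mirror on peer A for {local} -> {remote}")
    return problems


if __name__ == "__main__":
    for name, pix in (("PIX as posted", PIX), ("PIX fixed", PIX_FIXED)):
        print(f"{name}:")
        for p in compare_phase2(ROUTER, pix) or ["phase-2 parameters match"]:
            print("  " + p)
```

Run as-is it reports the three mismatches for the first PIX configuration and a clean result for the corrected one. Swapping the constructed ACL and transform-set strings for the real ones from both boxes turns it into the config check to do before reaching for debug crypto isakmp.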
