09-04-2006 07:49 AM - edited 02-21-2020 02:36 PM
Hi,
I've setup a Cisco 837 for VPN access to our main site PIX 515E.
When I do a simple 'ping' to the main site, it just times out.
Now, when I open up the ASDM software and monitor what's going on, I see this message:
3 sep 04 2006 14:31:29 713119 Group= xx.xxx.x.xx, IP = xx.xxx.x.xx, PHASE 1 COMPLETED
But then, I see this message:
3 Sep 04 2006 14:31:29 713902 Group = xx.xxx.x.xx, IP = xx.xxx.x.xx, QM FSM error (P2 struct &0x27f25c0, mess id 0xa809a571)!
But, I really am new to this and I wouldn't have a clue where to start checking. I know I need to look at the CRYPTO map and ISAKMP config, but nothing more!
Please help!
09-05-2006 02:43 AM
Hi,
Can you upload the following command outputs from PIX & Router.
Show crypto isakmp policy
Show crypto ipsec transform-set
show crypto map
Thanks,
Mustafa
09-05-2006 05:13 AM
Hi Mustafa,
Thanks for getting back to me, I really do appreciate any guidance!
OK, I ran the commands for you. On the 837 router, it was fine, but the PIX didn't recognise any of the last bit of the commands.
Do you want me to enter any other commands on the PIX? The PIX software version is: 7.2(1)
Here's what I've got for you so far:
---Cisco 837 router---
Show crypto isakmp policy =
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
*********************************************
Show crypto ipsec transform-set =
Transform set TFS4: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },
*********************************************
show crypto map =
Crypto Map "TUNNEL" 10 ipsec-isakmp
Peer = xxx.xxx.xxx.xxx
Extended IP access list 105
access-list 105 permit ip xx.xx.1.0 0.0.0.255 xx.x.0.0 0.0.255.255
access-list 105 permit ip xx.xx.1.0 0.0.0.255 xxx.x.0.0 0.0.255.255
access-list 105 permit ip xx.xx.1.0 0.0.0.255 xxx.xxx.1.0 0.0.0.255
Current peer: 194.154.171.162
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TFS4,
}
Interfaces using crypto map TUNNEL:
=============================================
---Cisco PIX515E---
Show crypto isakmp policy = PIX doesn't know the 'policy' part of the command:
Gold-FW1# sh crypto isakmp ?
ipsec-over-tcp Show IPSec over TCP data
sa Show ISAKMP sas
stats Show ISAKMP statistics
| Output modifiers
*********************************************
Show crypto ipsec transform-set = PIX doesn't know part of this command:
Show crypto ipsec ?
df-bit Show IPsec DF policy
fragmentation Show IPsec fragmentation policy
sa Show IPsec SAs
stats Show IPsec global statistics
*********************************************
show crypto map = PIX doesn't know part of this command:
show crypto map ?
accelerator Show accelerator operational data
ca Show certification authority policy
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
Hope to hear from you soon.
Kind regards,
George
09-05-2006 12:57 PM
I don't think you'll get anywhere with the show commands.
You need to do a debug crypto ipsec and debug crypto isakmp and look at the messages to see where it's failing. Apparently it's failing at phase two.
You need to check your configs again to make sure they match up on both ends. Transform sets and such.
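As an added illustration of that "match up on both ends" check (this is not code from the thread or from Cisco): a small Python script that normalises the router's wildcard-mask crypto ACL and the PIX's netmask-style ACL to network pairs, confirms they are mirror images, and compares the transform set, mode and PFS settings that a Phase 2 responder would reject if they differ. The dictionary layout and the 10.x addresses are constructed for the example; the thread masks the real ones.

```python
import ipaddress
from typing import Iterable

# IOS "permit ip A wildcard B wildcard" and PIX 7.x "permit ip A netmask B netmask"
# collapse to the same network pairs once the masks are normalised.
def to_net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ipaddress accepts a netmask (255.255.255.0) or a wildcard/hostmask (0.0.0.255)
    return ipaddress.IPv4Network((addr, mask), strict=False)

def acl_pairs(entries: Iterable[tuple[str, str, str, str]]):
    return {(to_net(a, am), to_net(b, bm)) for a, am, b, bm in entries}

def check_phase2(router: dict, pix: dict) -> list[str]:
    """Compare the Quick Mode (Phase 2) proposal on both peers and list
    anything that would make the responder reject it."""
    issues = []
    if set(router["transform"]) != set(pix["transform"]):
        issues.append(f"transform set: router {router['transform']} vs PIX {pix['transform']}")
    if router["mode"] != pix["mode"]:
        issues.append(f"mode: router {router['mode']} vs PIX {pix['mode']}")
    if router["pfs"] != pix["pfs"]:
        issues.append(f"PFS: router {router['pfs']} vs PIX {pix['pfs']}")
    # Lifetimes need not match (the shorter one is negotiated), so they are not checked.
    r = acl_pairs(router["acl"])
    p_mirrored = {(dst, src) for src, dst in acl_pairs(pix["acl"])}
    for src, dst in sorted(r - p_mirrored, key=str):
        issues.append(f"router ACL {src} -> {dst} has no mirror-image entry on the PIX")
    for src, dst in sorted(p_mirrored - r, key=str):
        issues.append(f"PIX ACL {dst} -> {src} has no mirror-image entry on the router")
    return issues

# Constructed sample data (private ranges; the thread masks the real addresses).
ROUTER = {
    "transform": ("esp-3des", "esp-sha-hmac"), "mode": "tunnel", "pfs": None,
    "acl": [("10.10.1.0", "0.0.0.255", "10.20.0.0", "0.0.255.255"),
            ("10.10.1.0", "0.0.0.255", "10.30.0.0", "0.0.255.255"),
            ("10.10.1.0", "0.0.0.255", "10.40.1.0", "0.0.0.255")],
}
PIX = {  # deliberately wrong hash and a missing ACL line, to show what gets flagged
    "transform": ("esp-3des", "esp-md5-hmac"), "mode": "tunnel", "pfs": None,
    "acl": [("10.20.0.0", "255.255.0.0", "10.10.1.0", "255.255.255.0"),
            ("10.30.0.0", "255.255.0.0", "10.10.1.0", "255.255.255.0")],
}

if __name__ == "__main__":
    for line in check_phase2(ROUTER, PIX) or ["no Phase 2 mismatches found"]:
        print(line)
```

Run it with both sides' real values filled in; an empty result means the proposals line up and the next place to look is the debug output.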