I have a L2L VPN setup between a PIX 515E and a 3020 concentrator. On the PIX side, I have a single subnet; behind the 3020 I have 4 subnets.
The tunnel will work initially but will then drop one of the IPSEC SAs for one of the subnets, at least according to a sh crypto ipsec sa on the PIX, at random durations. The only way to get it working again is to re-establish the tunnel.
I did a debug on the PIX side and looked at the logs on the 3020, and I do see QM FSM errors, but I double-checked the crypto map and network lists on both sides and they match up in order.
I also tried playing with IKE keepalives per an older thread, with no luck either. Any idea what else I should be checking? There's also occasionally a phase 2 authentication duplicate error that I'm looking into now as well.
It's weird because it does work and sometimes for days on end but recently it's been dropping subnets more frequently.
One other item: 1 of the 4 subnets behind the 3020 is actually hairpinning since it is a remote access VPN network. Not sure if it makes a difference.
I think that the QM FSM syslog, in and of itself, does not tell a very complete story, and the syslogs preceding and following this syslog are needed to properly diagnose any potential problems. The phase 2 authentication duplicate error usually occurs when there is some problem in the configuration, usually on the 3k concentrator. I think you should check the configuration on the VPN concentrator.