Cisco Support Community
Community Member

L2L VPN Config Help - ASA5510 to 1720

I am having a problem getting a site-to-site VPN config working. When I generate traffic from the subnet to the subnet I get the following error on the ASA:

ASA5510# Oct 13 18:25:23 [IKEv1]: Group =, IP =, QM FSM error (P2 struct &0x447ae48, mess id 0x1893f491)!

Oct 13 18:25:23 [IKEv1]: Group =, IP =, Removing peer from correlator table failed, no match!

The ISAKMP SAs attempt to be built on both the ASA and the 1720 but then error out and get deleted.

Configs and network diagram attached.

Cisco Employee

Re: L2L VPN Config Help - ASA5510 to 1720

On the ASA, you want the dynamic map to be last in the sequence of crypto map entries:

no crypto map vpnremote 10 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65000 ipsec-isakmp dynamic dynmap

On the 1720, you need to apply the crypto map to the interface:

interface Ethernet0
 crypto map VPNmap

And make sure that the IPsec parameters match; for now you have PFS configured on the ASA but not on the 1720.

So e.g.

crypto map VPNmap 10 ipsec-isakmp
 set pfs group2

If you still have a problem after that, please get "debug cry isa" and "debug cry ips" on IOS and "debug cry isa 10" and "debug cry ips 10" on ASA, at the same time.
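
The three checks named in the reply above (dynamic map sequenced after the static entries on the ASA, crypto map applied to an interface on the 1720, PFS matching on both ends), as an added example that is not part of the original thread: a Python script that lints two config excerpts. The excerpts are constructed; sequence 20, the ACL names and the address are assumptions, and the script assumes one L2L entry per device.

```python
import re

# Constructed sample configs (not the poster's attachments). Map and interface
# names come from the thread; sequence 20, ACL names and addresses are assumed.
ASA_CFG = """\
crypto map vpnremote 10 ipsec-isakmp dynamic dynmap
crypto map vpnremote 20 match address l2l_acl
crypto map vpnremote 20 set pfs group2
crypto map vpnremote interface outside
"""
IOS_CFG = """\
crypto map VPNmap 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 101
interface Ethernet0
"""

def asa_findings(cfg):
    """ASA one-line entries: flag a dynamic entry sorted before a static one."""
    dyn, static, pfs = [], [], None
    for line in cfg.splitlines():
        m = re.match(r"crypto map \S+ (\d+) (.+)", line.strip())
        if m:
            seq, rest = int(m.group(1)), m.group(2).split()
            (dyn if rest[:2] == ["ipsec-isakmp", "dynamic"] else static).append(seq)
            if rest[:2] == ["set", "pfs"]:
                pfs = rest[2] if len(rest) > 2 else "default"
    late = dyn and static and min(dyn) < max(static)
    return ([f"dynamic entry {min(dyn)} precedes static entry {max(static)}"] if late else []), pfs

def ios_findings(cfg):
    """IOS indented blocks: every crypto map must appear under an interface."""
    maps, applied, pfs, ctx = set(), set(), None, None
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):  # top-level line opens a new block
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)
            ctx = "map" if m else "if" if words[:1] == ["interface"] else None
            if m:
                maps.add(m.group(1))
        elif ctx == "map" and words[:2] == ["set", "pfs"]:
            pfs = words[2] if len(words) > 2 else "default"
        elif ctx == "if" and words[:2] == ["crypto", "map"]:
            applied.add(words[-1])
    return [f"crypto map {n} not applied to an interface" for n in sorted(maps - applied)], pfs

def check(asa_cfg, ios_cfg):
    (a, a_pfs), (i, i_pfs) = asa_findings(asa_cfg), ios_findings(ios_cfg)
    return a + i + ([f"PFS mismatch: ASA={a_pfs} IOS={i_pfs}"] if a_pfs != i_pfs else [])
```

Calling `check(ASA_CFG, IOS_CFG)` on the constructed excerpts reports all three problems; after the changes from the reply are applied to both sides it returns an empty list.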



Community Member

Re: L2L VPN Config Help - ASA5510 to 1720


The crypto map to the ethernet 0 interface did the trick. Thanks.

I'll check the pfs params and dynamic map as well.
