Cisco Support Community

QM FSM error - VPN Cisco 1800 and asa5510

I was trying to make a site-to-site VPN between a Cisco 1800 router and a Cisco ASA 5510. But it was impossible to get it.

I get:

asa# Nov 30 08:07:00 [IKEv1]: Group = 187.xxx.xxx.xxx, IP = 187.xxx.xxx.xxx, QM FSM error (P2 struct &0xd6bf7d10, mess id 0x39286aa1)!

Nov 30 08:07:00 [IKEv1]: Group = 187.xxx.xxx.xxx, IP = 187.xxx.xxx.xxx, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Nov 30 08:07:00 [IKEv1]: Group = 187.xxx.xxx.xxx, IP = 187.xxx.xxx.xxx, Removing peer from correlator table failed, no match!

And I can't find out where the problem is. Here is my config:

Cisco 1800

crypto isakmp policy 2
 authentication pre-share
crypto isakmp key ABCDE address 200.xxx.xxx.xxx
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set IOS-IPSEC esp-3des esp-sha-hmac
crypto map CMAP_1 1 ipsec-isakmp
 description Tunnel to 200.xxx.xxx.xxx
 set peer 200.xxx.xxx.xxx
 match address VPN_SANTANA
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 187.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map CMAP_1
ip access-list extended VPN_SANTANA
 permit ip 172.18.1.0 0.0.0.255 172.17.0.0 0.0.255.255
route-map nonat permit 10
 match ip address VPN_SANTANA

Cisco ASA

access-list ACL-VPN-SANTANA extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
crypto ipsec transform-set 3ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 120 match address ACL-VPN-SANTANA
crypto map outside_map 120 set peer 187.9.57.10
crypto map outside_map 120 set transform-set 3ESP-DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 28800
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto isakmp policy 120
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
tunnel-group 187.9.57.10 type ipsec-l2l
tunnel-group 187.9.57.10 ipsec-attributes
 pre-shared-key *

Any idea why this error?

1 REPLY

Hello,

Check on the ASA outside interface:

1. ISAKMP is enabled

2. Crypto map is applied

3. 172.17.0.0 255.255.0.0 --> 172.18.1.0 255.255.255.0 traffic is not NAT'd (nat0).

Try posting full configs from both devices (excluding username/pass/snmp).

hth

MS
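An added example, not part of the original thread or anyone's posted code: "QM FSM error" is logged when Quick Mode (IKE Phase 2) negotiation fails, so alongside the interface checks above it helps to compare the Phase 2 parameters of the two sides. The script below does that for the Phase 2 lines excerpted from the configs in the question; the function names are hypothetical, and it only reads ACL entries written as network/mask pairs.

```python
import ipaddress
import re

# Phase 2 lines excerpted from the two configs posted in the question.
IOS_CFG = """\
crypto ipsec transform-set IOS-IPSEC esp-3des esp-sha-hmac
crypto map CMAP_1 1 ipsec-isakmp
 match address VPN_SANTANA
ip access-list extended VPN_SANTANA
 permit ip 172.18.1.0 0.0.0.255 172.17.0.0 0.0.255.255
"""
ASA_CFG = """\
access-list ACL-VPN-SANTANA extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
crypto ipsec transform-set 3ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 120 match address ACL-VPN-SANTANA
crypto map outside_map 120 set transform-set 3ESP-DES-SHA
"""

def transform_sets(cfg):
    """Map each defined transform-set name to its set of transforms."""
    pat = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
    return {name: frozenset(rest.split()) for name, rest in pat.findall(cfg)}

def bound_sets(cfg):
    """Names of transform sets referenced by a crypto map entry."""
    return set(re.findall(r"\bset transform-set (\S+)", cfg))

def _net(addr, mask, wildcard):
    if wildcard:  # IOS ACLs carry wildcard masks; invert to a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}")

def proxy_ids(cfg, wildcard):
    """(source, destination) networks of 'permit ip <net> <mask> <net> <mask>' entries."""
    aces = re.findall(r"permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)", cfg)
    return {(_net(s, sm, wildcard), _net(d, dm, wildcard)) for s, sm, d, dm in aces}

def phase2_findings(ios_cfg, asa_cfg):
    """List Phase 2 inconsistencies between the router and the ASA excerpts."""
    findings = []
    ios_ts, asa_ts = transform_sets(ios_cfg), transform_sets(asa_cfg)
    if not set(ios_ts.values()) & set(asa_ts.values()):
        findings.append("transform-set mismatch")
    for side, cfg, ts in (("IOS", ios_cfg, ios_ts), ("ASA", asa_cfg, asa_ts)):
        if not bound_sets(cfg) & set(ts):
            findings.append(f"{side}: no defined transform set bound to the crypto map")
    mirrored = {(d, s) for s, d in proxy_ids(asa_cfg, wildcard=False)}
    if mirrored != proxy_ids(ios_cfg, wildcard=True):
        findings.append("crypto ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    print("\n".join(phase2_findings(IOS_CFG, ASA_CFG)) or "Phase 2 parameters agree")
```

On the posted excerpts it reports that the two transform sets share no common proposal (esp-3des on the router, esp-des on the ASA) and that the router's crypto map, as posted, has no `set transform-set` line; the crypto ACLs are correctly mirrored.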
