Cisco Support Community
Community Member

Site-to-Site VPN disconnects frequently

Hi Everyone,

We have recently shifted one Site-to-Site VPN from a Cisco router to an ASA5550 firewall. The tunnel is established successfully and the application works fine. However, the tunnel disconnects frequently and hence our VDI applications drop. I've enabled "debug crypto isakmp" and "debug crypto ipsec" and below are the logs.

 

May 15 15:09:57 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42481a88, mess id 0x645d1e84)!
May 15 15:09:57 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 15:10:07 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42466e38, mess id 0x645d1e84)!
May 15 15:10:07 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42481a88, mess id 0x9b18e803)!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42466e38, mess id 0x645d1e84)!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Phase 2 Mismatch
May 15 15:13:45 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Administrator Reset
May 15 15:13:46 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Stale PeerTblEntry found, removing!
May 15 15:13:46 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x4247bff8, mess id 0x7188bd56)!
May 15 15:13:46 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 15:13:46 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Phase 2 Mismatch
May 15 15:13:46 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Unknown
May 15 15:59:41 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x4242d850, mess id 0xe1532d88)!
May 15 15:59:51 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x4242d850, mess id 0xe1532d88)!
May 15 15:59:51 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 16:00:01 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x4242d850, mess id 0xe1532d88)!
May 15 16:00:01 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Removing peer from correlator table failed, no match!
May 15 16:00:11 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Phase 2 Mismatch

 

Attached ASA VPN configuration for reference. 

 

3 REPLIES
Cisco Employee

Hi Gilbin,

Looking at the logs, they show that the phase 2 parameters are not matching on both sides.
May 15 16:00:11 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Phase 2 Mismatch
What is the device on the remote side?
It would be advised that you double check the configuration on both sides. If that is good, simultaneous logs from both sides will help in narrowing down the issue.

Regards,

Dinesh Moudgil

Community Member

Hi.

Thanks for your input. I'm attaching the debug logs also for reference.

As per the logs, "Session is being torn down. Reason: User Requested". Can anybody explain what it means? My ASA is in the initiator role.

Cisco Employee

In the logs,

 

May 19 10:08:30 [IKEv1]: IP = <IP Removed>, IKE_DECODE SENDING Message (msgid=c3cc48c5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 304
May 19 10:08:30 [IKEv1]: IP = <IP Removed>, IKE_DECODE RECEIVED Message (msgid=36ee7960) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
May 19 10:08:30 [IKEv1 DEBUG]: Group = <IP Removed>, IP = <IP Removed>, processing hash payload
May 19 10:08:30 [IKEv1 DEBUG]: Group = <IP Removed>, IP = <IP Removed>, processing delete
May 19 10:08:30 [IKEv1]: Group = <IP Removed>, IP = <IP Removed>, Connection terminated for peer <IP Removed>.  Reason: Peer Terminate

The remote side is sending a delete message when the phase 2 rekey is occurring.
Configuring the vpn idle timeout to none might help.
Simultaneous logs from both sides will probably show us why the delete event was sent to the ASA.

Regards,

Dinesh Moudgil
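
The triage done by eye in the replies above can be scripted. This is an added example, not code from the thread or from Cisco: it counts repeated QM FSM errors per message id, tallies teardown reasons, and flags a peer DELETE that arrives within a few seconds of the ASA's own Quick Mode offer. The function name `summarize`, the 5-second window and the payload heuristic (SA + NONCE + ID in a sent message) are assumptions; the sample lines are copied from the logs quoted in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Sample lines taken from the logs quoted in this thread (addresses already redacted).
SAMPLE = """\
May 15 15:10:07 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42466e38, mess id 0x645d1e84)!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, QM FSM error (P2 struct &0x42466e38, mess id 0x645d1e84)!
May 15 15:10:17 [IKEv1]: Group = <Removed IP>, IP = <Removed IP>, Session is being torn down. Reason: Phase 2 Mismatch
May 19 10:08:30 [IKEv1]: IP = <IP Removed>, IKE_DECODE SENDING Message (msgid=c3cc48c5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 304
May 19 10:08:30 [IKEv1]: IP = <IP Removed>, IKE_DECODE RECEIVED Message (msgid=36ee7960) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
May 19 10:08:30 [IKEv1]: Group = <IP Removed>, IP = <IP Removed>, Connection terminated for peer <IP Removed>.  Reason: Peer Terminate
""".splitlines()

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1[^\]]*\]: (.*)$")
QM_ERR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id (0x[0-9a-f]+)\)")
REASON = re.compile(r"Reason: (.+?)\s*$")
DECODE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\) with payloads : (.*?) total length")

def summarize(lines, window=5):
    """Return (QM errors per message id, teardown reasons, peer DELETEs seen
    within `window` seconds of our own Quick Mode offer)."""
    qm_errors, reasons, deletes_during_rekey = Counter(), Counter(), []
    last_qm_sent = None
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        # The debug output carries no year; a fixed leap year keeps parsing safe.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        body = m.group(2)
        if (e := QM_ERR.search(body)):
            qm_errors[e.group(1)] += 1      # same id repeating = retransmitted offer
        elif (d := DECODE.search(body)):
            direction, msgid, payloads = d.groups()
            names = set(re.findall(r"([A-Z]+) \(\d+\)", payloads))
            if direction == "SENDING" and {"SA", "NONCE", "ID"} <= names:
                last_qm_sent = ts           # assumed heuristic for a Quick Mode offer
            elif (direction == "RECEIVED" and "DELETE" in names and last_qm_sent
                    and (ts - last_qm_sent).total_seconds() <= window):
                deletes_during_rekey.append((m.group(1), msgid))
        elif (r := REASON.search(body)):
            reasons[r.group(1)] += 1
    return qm_errors, reasons, deletes_during_rekey

if __name__ == "__main__":
    for part in summarize(SAMPLE):
        print(part)
```

Running the same function over the debug output captured on the remote peer for the same period gives the side-by-side view the replies ask for.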
