Site2Site between ASA & Linux Racoon

Hi All,

I need help in troubleshooting this issue: Site2Site VPN between an ASA 5520 and a Linux box is up as shown

ciscoasa# sh crypto isa sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 82.112.199.148

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 82.88.171.211

      access-list outside_1_cryptomap permit ip 10.15.0.0 255.255.0.0 10.57.6.0 255.255.254.0

      local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.57.6.0/255.255.254.0/0/0)

      current_peer: 82.112.199.148

      #pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1181, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 82.88.171.211, remote crypto endpt.: 82.112.199.148

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 08F0DA33

    inbound esp sas:

      spi: 0x775D8D2C (2002619692)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/746)

         IV size: 8 bytes

         replay detection support: Y

Anti replay bitmap:

        0x00000000 0x00000001

    outbound esp sas:

      spi: 0x08F0DA33 (150002227)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 12288, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914966/746)

         IV size: 8 bytes

         replay detection support: Y

Anti replay bitmap:

        0x00000000 0x00000001

but I get the following error:

ciscoasa# debug crypto isakmp

ciscoasa# Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc86c5b30, mess id 0xdec7ea9b)!

Dec 29 22:10:11 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0xdec7ea9b)!

Dec 29 22:10:21 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!

Dec 29 22:10:33 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, QM FSM error (P2 struct &0xc8def038, mess id 0x86e6402c)!

Dec 29 22:10:43 [IKEv1]: Group = 82.112.199.148, IP = 82.112.199.148, Removing peer from correlator table failed, no match!

Any help would be appreciated.

1 REPLY

Re: Site2Site between ASA & Linux Racoon

Hi,

The problem was regarding the policy applied by the Linux kernel.

Riccardo
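
The `sh crypto ipsec sa` counters in the question show 1181 packets encapsulated and 0 decapsulated on the ASA. As an added example that is not part of the original thread, this Python script parses that output and flags SAs carrying traffic in one direction only; the sample is a constructed excerpt of the posted output and the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the "sh crypto ipsec sa" output in the post.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 82.88.171.211
      local ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.57.6.0/255.255.254.0/0/0)
      current_peer: 82.112.199.148
      #pkts encaps: 1181, #pkts encrypt: 1181, #pkts digest: 1181
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"current_peer: ([\d.]+)")
COUNTER = re.compile(r"#([^:#]+):\s*(\d+)")

def parse_ipsec_sa(text):
    """Return one dict per crypto map entry: peer, local/remote ident, counters."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            entries.append({"counters": {}})
        if not entries:
            continue  # skip anything before the first entry
        cur = entries[-1]
        if m := IDENT.match(line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER.match(line):
            cur["peer"] = m.group(1)
        elif line.startswith("#"):
            for name, value in COUNTER.findall(line):
                cur["counters"][name.strip()] = int(value)
    return entries

def one_way_tunnels(entries):
    """Flag entries whose SA carries traffic in only one direction."""
    findings = []
    for e in entries:
        tx = e["counters"].get("pkts encaps", 0)
        rx = e["counters"].get("pkts decaps", 0)
        if (tx > 0) != (rx > 0):
            direction = "tx-only" if tx else "rx-only"
            findings.append((e.get("peer"), e.get("local"), e.get("remote"), direction))
    return findings

if __name__ == "__main__":
    for finding in one_way_tunnels(parse_ipsec_sa(SAMPLE)):
        print(finding)
```

A "tx-only" result means the ASA is sending ESP for that selector pair but has decapsulated nothing from the peer, so the remote end's policy and return path are the place to check.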
