Cisco Support Community

New Member

Urgent!!L2L vpn ASA 5005 & 1841, issue QM FSM error

Hello to all,

We are facing an issue on a new l2l vpn connection between Asa 5005 & 1841 router.

crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address aaa.aaa.aaa.aaa

crypto ipsec transform-set $$$_$$$$$ esp-3des esp-md5-hmac

crypto map BG 100 ipsec-isakmp
 set peer aaa.aaa.aaa.aaa
 set security-association lifetime seconds 28800
 set transform-set $$$_$$$$$
 set pfs group 2
 match address 111

interface FastEthernet0/0.2
 encapsulation dot1Q 3338
 ip address aaa.aaa.aaa.aaa 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map BG 100

ip nat pool nat_pool xx.xx.xx.xx xx.xx.xx.xx prefix-length 29

! NOTE: 10.70.200.0/24 is correctly exempted from the above NAT translation
access-list 101 deny   ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any

! NOTE: crypto ACL is correct
access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100

I would appreciate any urgent help.

Thank you.

1 ACCEPTED SOLUTION


Urgent!!L2L vpn ASA 5005 & 1841, issue QM FSM error

Your crypto ACLs should be exact mirrors of each other.

If your router acl is

access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100

then your ASA acl should be

access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.200.0 255.255.255.0

Give that a shot and see if it helps.
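The mirror requirement in the accepted answer can be checked mechanically before bringing a tunnel up: the crypto ACL on each side defines the proxy identities (traffic selectors) proposed in IKE phase 2, and the responder only accepts a proposal whose selectors match its own ACL with source and destination swapped. The script below is an added example, not code from the thread or from Cisco. It parses IOS wildcard-mask entries and ASA netmask entries into (source, destination) network pairs and reports every entry that has no mirror on the other side. The two mirrored ACL lines are the ones posted in the thread; the "too wide" ASA entry is a constructed counter-example showing the kind of mismatch that fails phase 2, and the function and variable names are this example's own.

```python
import ipaddress

# Sample entries copied from the thread: the router (IOS) side uses
# wildcard masks, the ASA side uses ordinary subnet masks.
ROUTER_ACL = [
    "access-list 111 permit ip 10.70.200.0 0.0.0.255 host 172.40.10.100",
]
ASA_ACL_MIRRORED = [
    "access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.200.0 255.255.255.0",
]
# Constructed counter-example: the ASA side covers all of 10.70.0.0/16,
# so its selector does not mirror the router's /24.
ASA_ACL_TOO_WIDE = [
    "access-list outside_cryptomap_320 extended permit ip host 172.40.10.100 10.70.0.0 255.255.0.0",
]


def _endpoint(tokens, wildcard):
    """Consume one address spec ('any', 'host A', or 'A MASK') and return
    (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS wildcard bits are "don't care" bits; invert to get a netmask.
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    # strict=True (the default) rejects host bits set under the mask,
    # which would be a typo in a crypto ACL.
    return ipaddress.ip_network(f"{addr}/{mask}"), tokens[2:]


def parse_crypto_acl(lines, wildcard):
    """Return the set of (src_net, dst_net) pairs selected by 'permit ip'
    entries; these are the proxy identities the crypto map will propose."""
    pairs = set()
    for line in lines:
        tokens = line.split()[2:]          # drop 'access-list <name>'
        if tokens and tokens[0] == "extended":
            tokens = tokens[1:]            # ASA syntax
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action != "permit":
            continue                       # deny entries select no traffic
        if proto != "ip":
            raise ValueError(f"only 'permit ip' handled in this example: {line}")
        src, rest = _endpoint(rest, wildcard)
        dst, rest = _endpoint(rest, wildcard)
        pairs.add((src, dst))
    return pairs


def proxy_identities(lines, wildcard):
    """Sorted, human-readable 'src -> dst' list for one side."""
    return sorted(f"{s} -> {d}" for s, d in parse_crypto_acl(lines, wildcard))


def mirror_report(router_lines, asa_lines):
    """Compare the router ACL with the ASA ACL after swapping the ASA's
    src/dst. Both lists empty means the ACLs are exact mirrors."""
    router = parse_crypto_acl(router_lines, wildcard=True)
    asa_swapped = {(d, s) for s, d in parse_crypto_acl(asa_lines, wildcard=False)}
    return {
        "router_only": sorted(f"{s} -> {d}" for s, d in router - asa_swapped),
        "asa_only": sorted(f"{s} -> {d}" for s, d in asa_swapped - router),
    }


def is_mirror(router_lines, asa_lines):
    report = mirror_report(router_lines, asa_lines)
    return not report["router_only"] and not report["asa_only"]


if __name__ == "__main__":
    for name, asa in (("mirrored", ASA_ACL_MIRRORED), ("too wide", ASA_ACL_TOO_WIDE)):
        print(name, mirror_report(ROUTER_ACL, asa))
```

Run it against the two ACLs you are about to deploy; any entry listed under router_only or asa_only is a selector one peer will propose and the other will reject. The check is deliberately exact (a /16 on one side does not "cover" a /24 on the other), because that is how the peers compare the proposal.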

2 REPLIES

New Member

Re: Urgent!!L2L vpn ASA 5005 & 1841, issue QM FSM error

Hi acomiskey,

Thanks for this valuable information.
