ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
Dele Z
New Member
Posts: 37
Joined: Fri Jun 24, 2011 7:22 am
Certs: CCNA, CCVA

ASA5505 VPN - QM FSM Error (P2 Struct)

Wed Aug 31, 2011 4:45 am

Hi all

We have a site-to-site VPN that appears to be working all fine and dandy, but our ASA is sending several of these messages over a minute to our Syslog server:

Aug 31 2011 10:38:09: %ASA-3-713902: Group = 80.*.*.242, IP = 80.*.*.242, Removing peer from correlator table failed, no match!
Aug 31 2011 10:38:09: %ASA-3-713902: Group = 80.*.*.242, IP = 80.*.*.242, QM FSM error (P2 struct &0x28cf6710, mess id 0x3947b467)!
Aug 31 2011 10:38:09: %ASA-3-713902: Group = 80.*.*.242, IP = 80.*.*.242, Removing peer from correlator table failed, no match!
Aug 31 2011 10:38:09: %ASA-3-713902: Group = 80.*.*.242, IP = 80.*.*.242, QM FSM error (P2 struct &0x28b7aa70, mess id 0xfb127f3c)!


A quick trusty Google search brings up a Cisco page telling me:

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries. If the static entries are numbered higher than the dynamic entry, connections with those peers fail and the debugs as shown appears.
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!


Which doesn't make a huge amount of sense to me, because we only have one crypto map for this VPN and it's numbered lower than the default dynamic entry on the ASA?

Dinger
Post Whore
Posts: 1397
Joined: Fri Apr 25, 2008 2:16 pm
Certs: CCNP, CCNA:Sec, MCSE

Re: ASA5505 VPN - QM FSM Error (P2 Struct)

Wed Aug 31, 2011 7:43 am

You'll get that message if the crypto maps on both ends of the VPN tunnel aren't the same.
"A problem well stated is a problem half solved". (Charles Kettering)

Dele Z
New Member
Posts: 37
Joined: Fri Jun 24, 2011 7:22 am
Certs: CCNA, CCVA

Re: ASA5505 VPN - QM FSM Error (P2 Struct)

Wed Aug 31, 2011 10:04 am

Thank you

Our 3rd-party vendor forgot to mention a subnet that was on his end of the crypto map; once added, all our errors stopped :)
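
Added example, not part of the thread or of Cisco's documentation: the fix above amounts to making the two peers' crypto ACLs mirror images of each other, and this Python check reports any traffic selector one side defines that the other lacks. The ACL names, the subnets and the restriction to `permit ip <network> <mask> <network> <mask>` entries are assumptions made for the example.

```python
import ipaddress

# Constructed sample configs: ACL names and RFC 1918 subnets are hypothetical.
LOCAL_CFG = """\
access-list VPN_TO_VENDOR extended permit ip 10.10.0.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
REMOTE_CFG = """\
access-list VPN_TO_CUSTOMER extended permit ip 172.16.1.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPN_TO_CUSTOMER extended permit ip 172.16.2.0 255.255.255.0 10.10.0.0 255.255.255.0
"""

def parse_crypto_acl(config, acl_name):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        # Assumption: only 'permit ip <net> <mask> <net> <mask>' entries are
        # compared; 'host', 'any' and object-group forms are ignored.
        if len(tok) != 9 or tok[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
        dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local, remote):
    """Compare local selectors against the mirror image of the remote ones."""
    mirrored = {(dst, src) for src, dst in remote}
    return {
        "missing_locally": sorted(mirrored - local),
        "missing_remotely": sorted(local - mirrored),
    }

if __name__ == "__main__":
    diff = mirror_mismatches(
        parse_crypto_acl(LOCAL_CFG, "VPN_TO_VENDOR"),
        parse_crypto_acl(REMOTE_CFG, "VPN_TO_CUSTOMER"),
    )
    for side, pairs in diff.items():
        for src, dst in pairs:
            print(f"{side}: permit ip {src} -> {dst}")
```

With the constructed configs, the vendor-side subnet that has no local counterpart is listed under `missing_locally`, which is the situation the last post describes.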
