What does a QM FSM error signify on a VPN Concentrator?

What does a QM FSM error signify on a VPN Concentrator?

I have configured an IPsec LAN-to-LAN VPN on a Cisco Concentrator on my side and the client end has a Cisco PIX firewall.

When I see filter logs in my Concentrator, it's showing that the tunnel is established and it's also showing a QM FSM error.

Sample of log is as below:
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 x.x.x.x Group [x.x.x.x] QM FSM error (P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 x.x.x.x Group [x.x.x.x] IKE Initiator: New Phase 2, Intf 2, IKE Peer x.x.x.x local Proxy Address x.x.x.0, remote Proxy Address x.x.x.0, SA (L2L: Enabil-Tunnel)

What kind of security threat does this pose, and how do I fix it?

    Requires Free Membership to View

    Login

    By submitting your registration information to SearchNetworking.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchNetworking.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The QM FSM error message appears because the IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA properly.

One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.

This was first published in August 2008