Q

What does a QM FSM error signify on a VPN Concentrator?

Learn how to solve a QM FSM error when working on a LAN-to-LAN VPN from a network security expert.

I have configured an IPsec LAN-to-LAN VPN on a Cisco Concentrator on my side and the client end has a Cisco PIX firewall.

When I see filter logs in my Concentrator, it's showing that the tunnel is established and it's also showing a QM FSM error.

Sample of log is as below:
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 x.x.x.x Group [x.x.x.x] QM FSM error (P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 x.x.x.x Group [x.x.x.x] IKE Initiator: New Phase 2, Intf 2, IKE Peer x.x.x.x local Proxy Address x.x.x.0, remote Proxy Address x.x.x.0, SA (L2L: Enabil-Tunnel) 

What kind of security threat does this pose, and how do I fix it?

The QM FSM error message appears because the IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA properly.

One possible reason is that the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both ends. Check the configuration on both devices, and make sure that the crypto ACLs match.

This was first published in August 2008
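
An added example, not part of the original answer: a Python check that the crypto ACL on the PIX side is the exact mirror of the proxy networks on the Concentrator side, which is the mismatch the answer names as a possible cause. The ACL name, the addresses and the (local, remote) pair representation of the Concentrator side are assumptions constructed for illustration.

```python
import ipaddress
import re

# PIX/ASA crypto ACL entry: access-list <name> permit ip <src> <mask> <dst> <mask>
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)$"
)

def to_net(spec):
    """'host 10.0.0.5' or '10.0.0.0 255.255.255.0' -> ip_network (strict)."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])

def pix_proxy_ids(config_text, acl_name):
    """(local, remote) network pairs defined by the named crypto ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.add((to_net(m.group(2)), to_net(m.group(3))))
    return pairs

def compare_proxy_ids(pix_pairs, conc_pairs):
    """Peers agree only if each pair on one side is the exact mirror of a
    pair on the other: same networks, same masks, local/remote swapped."""
    mirrored = {(remote, local) for local, remote in conc_pairs}
    return {
        "only_on_pix": sorted(pix_pairs - mirrored),
        # flip back so the pair reads (local, remote) from the Concentrator
        "only_on_concentrator": sorted((b, a) for a, b in mirrored - pix_pairs),
    }

# Constructed sample data (RFC 1918 addresses, hypothetical ACL name).
PIX_CONFIG = """\
access-list L2L-HQ permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-HQ permit ip 10.2.3.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
CONCENTRATOR_PAIRS = {  # (local, remote) as entered on the Concentrator side
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24")),
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.3.0/24")),
}

if __name__ == "__main__":
    result = compare_proxy_ids(pix_proxy_ids(PIX_CONFIG, "L2L-HQ"), CONCENTRATOR_PAIRS)
    for side, pairs in result.items():
        for local, remote in pairs:
            print(f"{side}: local {local} remote {remote}")
```

In the sample, the second entry differs only in the mask of one network (/16 on the PIX, /24 on the Concentrator), so it is reported on both sides as unmatched.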
