Ask the Expert

What does a QM FSM error signify on a VPN Concentrator?

I have configured an IPsec LAN-to-LAN VPN on a Cisco Concentrator on my side and the client end has a Cisco PIX firewall.

When I see filter logs in my Concentrator, it's showing that the tunnel is established and it's also showing a QM FSM error.

Sample of log is as below:
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 x.x.x.x Group [x.x.x.x] QM FSM error (P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 x.x.x.x Group [x.x.x.x] IKE Initiator: New Phase 2, Intf 2, IKE Peer x.x.x.x local Proxy Address x.x.x.0, remote Proxy Address x.x.x.0, SA (L2L: Enabil-Tunnel)

What kind of security threat does this pose, and how do I fix it?

    Requires Free Membership to View

The QM FSM error message appears because the IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA properly.

One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.

This was first published in August 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: