L2L IPSec VPN between SRX and ASA, only establish this tunnel from ASA-side.

swanduron (Registered Users, Posts: 4)
My topology is as follows:

R1
SRX
ASA
R3

The SRX has been configured with a route-based IPSec L2L tunnel (st0.0 unnumbered) and the ASA has been configured with a standard L2L IPSec tunnel. With my configuration, the tunnel is established when R1 and R3 send ICMP traffic to each other.
So far everything is fine; I configured all devices successfully and never received any error messages. But then the situation was not so lucky. I can only trigger tunnel establishment from R3 to R1; if I clear all IKE SAs on the SRX and the ASA and send ICMP traffic from R1 to R3, I receive the following error messages:

Nov 30 01:55:26 [IKEv1]: Group = 192.168.57.5, IP = 192.168.57.5, Removing peer from correlator table failed, no match!
Nov 30 01:55:40 [IKEv1]: Group = 192.168.57.5, IP = 192.168.57.5, QM FSM error (P2 struct &0xd07ee310, mess id 0x4b8036f3)!
Nov 30 01:55:40 [IKEv1]: Group = 192.168.57.5, IP = 192.168.57.5, Removing peer from correlator table failed, no match!
Nov 30 01:55:41 [IKEv1]: Group = 192.168.57.5, IP = 192.168.57.5, QM FSM error (P2 struct &0xd07ee310, mess id 0xf7f03d93)!
Nov 30 01:55:41 [IKEv1]: Group = 192.168.57.5, IP = 192.168.57.5, Removing peer from correlator table failed, no match!

I am sure all configurations are correct. Can anyone help me? Eee..... Can I upload my configuration file to the forum?
Thanks a lot!!!!! This problem has tortured me for a whole night!!!

Comments

  • unclerico (Member, Posts: 237)
    I'm not an SRX guru, but can you change it to use a policy-based VPN?
    Preparing for CCIE Written
  • hasan1507 (Member, Posts: 52)
    Thanks & Regards,

    Hasan Rauf
  • swanduron (Registered Users, Posts: 4)
    ----> unclerico
    In this topology, the policy-based L2L VPN works fine. This issue occurs when I modify the configuration to a route-based L2L VPN.

    ----> hasan1507
    Thank you for your help; this web page is very helpful to me. I will try it tonight.
    But I have a question: if the IPSec L2L peers have different interesting-traffic lists, may that cause some sub-networks to be unreachable? Is that right?
  • hasan1507 (Member, Posts: 52)
    Sorry, I could not get what you are saying.
    Thanks & Regards,

    Hasan Rauf
  • swanduron (Registered Users, Posts: 4)
    Ee.....
    I think I understand what you mean; I think the method mentioned on that website is only to modify the proxy-identity on one side.
  • hasan1507 (Member, Posts: 52)
    Yes, exactly. I have seen issues if the proxy-id is not right.
    Thanks & Regards,

    Hasan Rauf
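The thread ends on the proxy-ID point, so here is an added example (not from any poster, and not Juniper or Cisco code) that makes the check concrete. A route-based SRX VPN with no explicit `proxy-identity` proposes 0.0.0.0/0 <-> 0.0.0.0/0 in IKEv1 quick mode, while a policy-based ASA derives its proxy-IDs from the crypto map ACL and rejects a proposal that does not mirror one of its entries; that is why the tunnel only comes up when the ASA initiates. The script below parses a constructed Junos `set`-style VPN stanza and a constructed ASA extended ACL and reports whether the SRX proxy-IDs mirror the ASA ACL. The VPN name `to-asa`, the ACL name `L2L-TO-SRX` and the 10.1.1.0/24 and 10.3.3.0/24 networks are placeholders chosen for the example.

```python
import ipaddress
import re

# Constructed sample configurations for the example (not taken from the thread).
# The network addresses and object names are placeholders.
SRX_DEFAULT = """
set security ipsec vpn to-asa bind-interface st0.0
set security ipsec vpn to-asa ike gateway asa-gw
"""

# Same stanza with the proxy-identity pinned to mirror the ASA crypto ACL.
SRX_FIXED = SRX_DEFAULT + """
set security ipsec vpn to-asa ike proxy-identity local 10.1.1.0/24
set security ipsec vpn to-asa ike proxy-identity remote 10.3.3.0/24
set security ipsec vpn to-asa ike proxy-identity service any
"""

# ASA side: the crypto map ACL is the ASA's notion of proxy-IDs (source = ASA local, destination = SRX local).
ASA_ACL = """
access-list L2L-TO-SRX extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_srx_proxy_identity(cfg, vpn="to-asa"):
    """Return (local, remote) proxy-ID networks for one Junos VPN stanza.

    With no explicit proxy-identity, a route-based SRX VPN proposes 0.0.0.0/0 on both sides.
    """
    local, remote = ANY, ANY
    pat = re.compile(
        rf"^set security ipsec vpn {re.escape(vpn)} ike proxy-identity (local|remote) (\S+)$"
    )
    for line in cfg.strip().splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group(2), strict=False)
        if m.group(1) == "local":
            local = net
        else:
            remote = net
    return local, remote


def parse_asa_crypto_acl(cfg, acl="L2L-TO-SRX"):
    """Return a list of (src, dst) networks, one per 'permit ip' line of an ASA extended ACL."""
    pairs = []
    pat = re.compile(
        rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    )
    for line in cfg.strip().splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.append((src, dst))
    return pairs


def proxy_id_mismatches(srx_local, srx_remote, asa_pairs):
    """Report why an SRX-initiated quick mode would fail against the ASA ACL.

    The ASA accepts the proposal only if the initiator's proxy-IDs are the mirror image of an ACL
    entry: SRX local == ASA destination and SRX remote == ASA source. Returns a list of problems
    (empty when the proposal would be accepted).
    """
    problems = []
    mirrored = any(srx_local == dst and srx_remote == src for src, dst in asa_pairs)
    if not mirrored:
        problems.append(
            f"SRX proposes {srx_local} <-> {srx_remote}; no ASA ACL entry mirrors it"
        )
        if srx_local == ANY or srx_remote == ANY:
            problems.append(
                "SRX is using the default 0.0.0.0/0 proxy-ID; set ike proxy-identity local/remote"
            )
    return problems


def check(srx_cfg, asa_cfg):
    """Convenience wrapper: parse both sides and return the mismatch list."""
    local, remote = parse_srx_proxy_identity(srx_cfg)
    return proxy_id_mismatches(local, remote, parse_asa_crypto_acl(asa_cfg))


if __name__ == "__main__":
    for name, cfg in (("default proxy-id", SRX_DEFAULT), ("explicit proxy-id", SRX_FIXED)):
        problems = check(cfg, ASA_ACL)
        print(f"{name}: {'OK' if not problems else problems}")
```

Running it reports the default stanza as a mismatch and the pinned one as OK, which is the same asymmetry the original post describes: the ASA can initiate because its ACL-derived proxy-IDs are accepted by the SRX, but an SRX-initiated 0.0.0.0/0 proposal is rejected with a quick-mode failure on the ASA.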