Q: I have configured an IPsec LAN-to-LAN VPN on a Cisco concentrator on my side and the client end has a Cisco PIX firewall.
When I view the filter logs on my concentrator, they show that the tunnel is established and also show a QM FSM error.
A sample of the log is below:
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 x.x.x.x Group [x.x.x.x] QM FSM error (P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 x.x.x.x Group [x.x.x.x] IKE Initiator: New Phase 2, Intf 2, IKE Peer x.x.x.x local Proxy Address x.x.x.0, remote Proxy Address x.x.x.0, SA (L2L: Enabil-Tunnel)
What kind of security threat does this pose, and how do I fix it? The QM FSM error message appears because the IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA properly.
A: One possible reason is the proxy identities, such as interesting traffic,
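To see which proxy identities were proposed in the Phase 2 attempts that ended in a QM FSM error, the log entries quoted in the question can be correlated per peer. The following is an added example, not part of the original question or answer; the sample addresses are constructed (documentation ranges) and the 30-second pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the concentrator log layout quoted in the question;
# addresses are documentation ranges, not values from the original post.
SAMPLE_LOG = """\
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 192.0.2.10 Group [192.0.2.10] QM FSM error
(P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 192.0.2.10 Group [192.0.2.10] IKE Initiator: New Phase 2, Intf 2, IKE Peer 192.0.2.10 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0, SA (L2L: Enabil-Tunnel)
12370 02/27/2008 21:20:00.000 SEV=4 IKE/41 RPT=50042 198.51.100.7 Group [198.51.100.7] IKE Initiator: New Phase 2, Intf 2, IKE Peer 198.51.100.7 local Proxy Address 10.1.1.0, remote Proxy Address 10.3.3.0, SA (L2L: Other-Tunnel)
"""

HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) SEV=(\d+) (\S+) RPT=(\d+) (\S+) (.*)$")
PROXY = re.compile(r"local Proxy Address (\S+), remote Proxy Address (\S+), SA \((.+)\)")

def parse(text):
    """Return events sorted by sequence number; wrapped lines are rejoined."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            seq, ts, _sev, cls, _rpt, peer, msg = m.groups()
            events.append({"seq": int(seq), "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
                           "class": cls, "peer": peer, "msg": msg})
        elif events and line.strip():
            events[-1]["msg"] += " " + line.strip()  # continuation of the previous entry
    return sorted(events, key=lambda e: e["seq"])

def failed_phase2(events, window=timedelta(seconds=30)):
    """Pair each QM FSM error with the latest Phase 2 start for the same peer.
    The pairing window is an assumption of this example, not a documented timer."""
    pending, failures = {}, []
    for e in events:
        p = PROXY.search(e["msg"])
        if e["class"] == "IKE/41" and p:
            pending[e["peer"]] = (e["time"], p.groups())
        elif "QM FSM error" in e["msg"] and e["peer"] in pending:
            started, (local, remote, sa) = pending.pop(e["peer"])
            if e["time"] - started <= window:
                failures.append({"peer": e["peer"], "local": local, "remote": remote, "sa": sa})
    return failures

if __name__ == "__main__":
    for f in failed_phase2(parse(SAMPLE_LOG)):
        print(f"{f['peer']}: Phase 2 for {f['local']} -> {f['remote']} ({f['sa']}) failed; "
              "compare these proxy IDs with the interesting traffic defined on the peer")
```

Each reported pair of local and remote proxy addresses is what the concentrator proposed, so it is the value to compare against the interesting traffic configured on the PIX or ASA side.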