Q: I have configured an IPsec LAN-to-LAN VPN on a Cisco concentrator on my side and the client end has a Cisco PIX firewall.
When I see filter logs in my concentrator, it's showing that the tunnel is established and it's also showing a QM FSM error.
Sample of log is as below:
12391 02/27/2008 21:26:00.970 SEV=4 IKEDBG/97 RPT=5664 x.x.x.x Group [x.x.x.x] QM FSM error (P2 struct &0xe6cc160, mess id 0x3abad321)!
12381 02/27/2008 21:25:50.960 SEV=4 IKE/41 RPT=50043 x.x.x.x Group [x.x.x.x] IKE Initiator: New Phase 2, Intf 2, IKE Peer x.x.x.x local Proxy Address x.x.x.0, remote Proxy Address x.x.x.0, SA (L2L: Enabil-Tunnel)
What kind of security threat does this pose, and how do I fix it? The QM FSM error message appears because the IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA properly.
A: One possible reason is the proxy identities, such as interesting traffic, Access Control List (ACL) or crypto ACL, do not match on both the ends. Check the configuration on both the devices, and make sure that the crypto ACLs match.