Tuesday, September 3, 2013

VPN - QM FSM error and PFS

We're busy attempting to bring up a site-to-site IPsec tunnel between our ASA and a Cisco router.

Phase 1 completes, but Phase 2 fails with a 'QM FSM error'.

This very unhelpful message is the ASA's generic way of saying that Quick Mode (the Phase 2 negotiation) failed. In our case the cause was PFS not matching at the two ends. Either set it on both ends or on neither: if one end requires PFS and the other does not, you will get exactly this error. The same message also appears for other Phase 2 mismatches, such as crypto ACLs (proxy identities) or transform sets that do not agree, so if PFS already matches, check those next.

Check the config on both ends of your VPN and either add PFS to the end that lacks it or remove it from the end that has it. On the ASA the setting belongs to a crypto map entry, so the sequence number is part of the command:
[no] crypto map VPNCONNECTION <seq-num> set pfs [group1 | group2 | group5]
On an IOS router the equivalent is 'set pfs [group1 | group2 | group5]' (or 'no set pfs') entered under the matching 'crypto map VPNCONNECTION <seq-num> ipsec-isakmp' entry. Newer ASA and IOS releases also accept stronger groups (group14 and above).

  • PFS must match at both ends: either both on or both off, and when on, the same Diffie-Hellman group.
  • On the ASA PFS is off by default.
  • If you just enter 'set pfs' without naming a group, the platform default group is used; in our case group1 was offered and group1/group2 accepted. That default varies by platform and release (IOS documents group1, current ASA releases document group2), so name the group explicitly rather than relying on it.
  • If you set the group, the remote peer must return the same group.
  • group1 (768-bit) and group2 (1024-bit) are weak by today's standards; where both ends support it, use group14 or stronger.
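As an added example (not from the original post), here is a small Python checker that parses the relevant crypto map entry on each end, applies the rule above, and flags the mismatch. The ASA and IOS config snippets it contains are constructed for illustration (the crypto map name VPNCONNECTION is the post's; the sequence number, peer addresses, ACL and transform-set names are made up), and the platform default groups it assumes for a bare 'set pfs' (group2 on the ASA, group1 on IOS) are documented values that you should verify against your own release.

```python
"""Added example (not from the original post): parse the crypto map entry on
each end of a site-to-site tunnel and report whether the PFS settings would
let Phase 2 (Quick Mode) complete.  The sample configs below are constructed
for illustration; the crypto map name VPNCONNECTION is the post's, while the
peer addresses, ACL and transform-set names are made up."""
import re

# ASA side: every setting is a separate 'crypto map <name> <seq> ...' line.
ASA_CONFIG = """\
crypto map VPNCONNECTION 10 match address VPN-ACL
crypto map VPNCONNECTION 10 set peer 203.0.113.2
crypto map VPNCONNECTION 10 set ikev1 transform-set ESP-AES-SHA
crypto map VPNCONNECTION 10 set pfs group2
crypto map VPNCONNECTION interface outside
"""

# IOS side as first found: PFS never configured, so Quick Mode fails.
IOS_NO_PFS = """\
crypto map VPNCONNECTION 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address VPN-ACL
"""

# IOS side after the fix: same group as the ASA.
IOS_PFS = """\
crypto map VPNCONNECTION 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 set pfs group2
 match address VPN-ACL
"""


def asa_pfs(config, map_name, seq, default_group="group2"):
    """PFS group of one ASA crypto map entry, or None when PFS is off.

    A bare 'set pfs' turns PFS on with the platform default group.  That
    default is release dependent (assumed group2 here, which is what current
    ASA documentation states), so it is a parameter rather than a constant."""
    pat = re.compile(rf"^crypto map {re.escape(map_name)} {seq} set pfs(?: (group\d+))?$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            return m.group(1) or default_group
    return None


def ios_pfs(config, map_name, seq, default_group="group1"):
    """PFS group of one IOS crypto map entry, or None when PFS is off.

    IOS writes a header line followed by indented sub-commands; only the
    'set pfs' under the matching header counts.  IOS documents group1 as the
    default for a bare 'set pfs' (assumed here, check your release)."""
    header = re.compile(rf"^crypto map {re.escape(map_name)} {seq} ipsec-isakmp$")
    pfs = re.compile(r"^set pfs(?: (group\d+))?$")
    in_entry = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # a new top-level command
            in_entry = bool(header.match(raw.strip()))
            continue
        if in_entry:
            m = pfs.match(raw.strip())
            if m:
                return m.group(1) or default_group
    return None


def phase2_pfs_check(local, remote):
    """(ok, reason) for the PFS part of Quick Mode.

    Strict rule from the post: both off, or both on with the same group.
    Anything else is the kind of mismatch that surfaces as 'QM FSM error'."""
    if local is None and remote is None:
        return True, "PFS off on both ends"
    if local is None or remote is None:
        return False, f"PFS mismatch: one end has PFS ({local or remote}), the other does not"
    if local != remote:
        return False, f"PFS group mismatch: local {local} vs remote {remote}"
    return True, f"PFS {local} on both ends"


WEAK_GROUPS = {"group1", "group2", "group5"}   # 768/1024/1536-bit MODP


def weak_pfs_group(group):
    """True when the agreed group is one you should not deploy today."""
    return group in WEAK_GROUPS


if __name__ == "__main__":
    asa = asa_pfs(ASA_CONFIG, "VPNCONNECTION", 10)
    for label, cfg in (("router without PFS", IOS_NO_PFS), ("router with PFS", IOS_PFS)):
        ok, why = phase2_pfs_check(asa, ios_pfs(cfg, "VPNCONNECTION", 10))
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
        if ok and weak_pfs_group(asa):
            print(f"  warning: {asa} is weak, move both ends to group14 or better")
```

Run it against copies of 'show running-config crypto map' from both devices: the first router snippet reproduces the failing case (ASA has group2, router has nothing), the second shows the state after 'set pfs group2' is added on the router. The checker is deliberately strict about the group, which is the safe reading of the last bullet; the "bare 'set pfs' accepts group1 or group2" behaviour is release dependent and is not modelled.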
