Good day -
We have a Cisco PIX 515e running v 6.3(5) which initiates a site to site VPN tunnel to a Cisco Concentrator 3005 running v 4.1.5. The tunnel comes up successfully and stays up until approximately 7 hours and 30 minutes have passed, at which point the tunnel disconnects with a QM FSM error, as shown in the Concentrator's log:
34339 09/14/2007 16:35:40.300 SEV=4 IKE/41 RPT=1887
IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer xx.xxx.xx.xxx
local Proxy Address yyy.yy.yyy.y, remote Proxy Address yyy.yy.y.y,
SA (L2L: Users)
34342 09/14/2007 16:36:12.310 SEV=4 IKEDBG/97 RPT=126 xx.xxx.xx.xxx
Group [xx.xxx.xx.xxx]
QM FSM error (P2 struct &0x39741a4, mess id 0x875f9b74)!
34343 09/14/2007 16:36:12.320 SEV=4 AUTH/23 RPT=414 xx.xxx.xx.xxx
User [xx.xxx.xx.xxx] Group [xx.xxx.xx.xxx] disconnected: duration: 7:36:32
34344 09/14/2007 16:36:12.320 SEV=4 AUTH/85 RPT=414
LAN-to-LAN tunnel to headend device xx.xxx.xx.xx disconnected: duration: 7:36:32
In the above display, the xx.xxx.xx.xxx represents the PIX's peer IP address.
Once the disconnect takes place, the tunnel stays down until we clear the crypto security associations for that tunnel on the PIX.
The ISAKMP lifetime is set to 86400, so I'm not sure why the phase 2 tunnel is being re-keyed at around 7 hours and 30 minutes. Either way, does anyone know the cause of the QM FSM error and a resolution to it?
Any thoughts on this are appreciated.
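Added example, not part of the original post: Python code that parses the Concentrator records quoted above (tolerating the wrapped duration value) and correlates the Phase 2 rekey with the QM FSM error, reporting how old the tunnel was when the rekey began. The function names and the 28800-second Phase 2 (IPsec SA) lifetime used for comparison are assumptions; the post states only the ISAKMP lifetime of 86400.

```python
import re
from datetime import datetime

# Records quoted in the post, copied as-is (the last one wraps mid-value).
SAMPLE_LOG = """\
34339 09/14/2007 16:35:40.300 SEV=4 IKE/41 RPT=1887
IKE Initiator: Rekeying Phase 2, Intf 2, IKE Peer xx.xxx.xx.xxx
local Proxy Address yyy.yy.yyy.y, remote Proxy Address yyy.yy.y.y,
SA (L2L: Users)
34342 09/14/2007 16:36:12.310 SEV=4 IKEDBG/97 RPT=126 xx.xxx.xx.xxx
Group [xx.xxx.xx.xxx]
QM FSM error (P2 struct &0x39741a4, mess id 0x875f9b74)!
34343 09/14/2007 16:36:12.320 SEV=4 AUTH/23 RPT=414 xx.xxx.xx.xxx
User [xx.xxx.xx.xxx] Group [xx.xxx.xx.xxx] disconnected: duration: 7:36:32
34344 09/14/2007 16:36:12.320 SEV=4 AUTH/85 RPT=414
LAN-to-LAN tunnel to headend device xx.xxx.xx.xx disconnected: duration: 7:36:3
2
"""
HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} [\d:.]+) SEV=\d+ \S+ RPT=\d+")
DURATION = re.compile(r"disconnected: duration: (\d[\d:\s]*)")

def parse_records(text):  # group each header line with its continuation lines
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S.%f")
            records.append({"seq": int(m.group(1)), "ts": ts, "body": ""})
        elif records:
            records[-1]["body"] += line + "\n"
    return records

def duration_seconds(body):  # 'duration: H:MM:SS', tolerating a wrap inside the value
    m = DURATION.search(body)
    if not m:
        return None
    h, mi, s = map(int, "".join(m.group(1).split()).split(":"))
    return h * 3600 + mi * 60 + s

def failed_rekeys(records, ipsec_lifetime_s=28800, window_s=120):
    # ipsec_lifetime_s=28800 is an assumed Phase 2 lifetime, not a value from the post.
    for i, rk in enumerate(records):
        later = [r for r in records[i + 1:] if (r["ts"] - rk["ts"]).total_seconds() <= window_s]
        err = next((r for r in later if "QM FSM error" in r["body"]), None)
        disc = next((r for r in later if duration_seconds(r["body"]) is not None), None)
        if "Rekeying Phase 2" in rk["body"] and err and disc:
            age = round(duration_seconds(disc["body"]) - (disc["ts"] - rk["ts"]).total_seconds())
            yield {"rekey_seq": rk["seq"], "error_seq": err["seq"],
                   "rekey_to_error_s": (err["ts"] - rk["ts"]).total_seconds(),
                   "tunnel_age_at_rekey_s": age, "fraction_of_lifetime": round(age / ipsec_lifetime_s, 3)}
```

On the quoted records, `list(failed_rekeys(parse_records(SAMPLE_LOG)))` yields one finding: the rekey began when the tunnel was 27360 seconds old, and the QM FSM error followed 32.01 seconds later.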