L2L appears as type: user (with MM_WAIT_MSG2)

Unanswered Question
Oct 8th, 2008

Hi all,

I've checked and double-checked everything. This is a duplicate (IPs and ACLs changed to protect the innocent) of another situation which works fine. But this one does not.

I can't get any debug info on the 2821 side (?), but right now I'm concerned that when I do try and bring it up from the ASA it appears in "sh cryp isa sa" as type: user (with State: MM_WAIT_MSG2) instead of type: L2L.

The packet-tracer on the ASA falls down at:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a38e38, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x4bbabd0, reverse, flags=0x0, protocol=0
src ip=10.180.0.0, mask=255.255.192.0, port=0
dst ip=10.180.67.0, mask=255.255.255.0, port=0

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is some config - I can definitely send through more if it helps to help me. Below is a bit.

crypto map VPN 40 match address CRYPTO-LONDON
crypto map VPN 40 set peer ip.ip.ip.ip
crypto map VPN 40 set transform-set ESP-AES-256-SHA
tunnel-group ip.ip.ip.ip type ipsec-l2l
tunnel-group ip.ip.ip.ip ipsec-attributes
pre-shared-key *

Really, really appreciate any help.

Regards,

Mike
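The two symptoms in the question (an SA of type user rather than L2L, and a State of MM_WAIT_MSG2) are both read straight off "show crypto isakmp sa". Below is an added example, not code from the thread or from Cisco, that parses that output and turns the main-mode state into a plain-language hint. The sample output, the peer addresses, and the function and parameter names (parse_isakmp_sa, diagnose, expected_l2l_peers) are all constructed for this example. The state hints follow IKEv1 main mode: the initiator sends messages 1, 3 and 5, the responder 2, 4 and 6, so MM_WAIT_MSG2 means the ASA sent its first message and heard nothing back; the type check only asks you to verify that a tunnel-group of type ipsec-l2l exists whose name matches the crypto map peer address, which is the configuration the question already shows.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA "show crypto isakmp sa" output. It is not taken
# from the thread; peer addresses are RFC 5737 documentation ranges.
SAMPLE_ISAKMP_SA = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# IKEv1 main mode: initiator sends MM1, MM3, MM5; responder sends MM2, MM4, MM6.
# MM_WAIT_MSGn means "I sent message n-1 and am still waiting for message n".
MM_STATE_HINTS = {
    "MM_WAIT_MSG2": "initiator sent MM1 and received nothing back: the peer never "
                    "answered on UDP/500 (unreachable, ISAKMP not enabled on that "
                    "interface, or it silently rejected the proposal)",
    "MM_WAIT_MSG3": "responder sent MM2 and is waiting for the initiator's MM3",
    "MM_WAIT_MSG4": "initiator sent MM3 (DH value / nonce) and is waiting for MM4",
    "MM_WAIT_MSG5": "responder sent MM4 and is waiting for MM5 (first encrypted message)",
    "MM_WAIT_MSG6": "initiator sent MM5 and is waiting for MM6: the responder could not "
                    "authenticate MM5, most often a pre-shared key mismatch",
    "MM_ACTIVE": "phase 1 complete",
}


@dataclass
class IkeSa:
    peer: str
    sa_type: str   # "L2L" or "user"
    role: str      # "initiator" or "responder"
    state: str     # e.g. "MM_WAIT_MSG2"


PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one IkeSa per numbered entry in 'show crypto isakmp sa' output."""
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:                      # a new numbered entry starts here
            current = {"peer": m.group(1)}
            continue
        if current is None:        # header lines before the first entry
            continue
        m = TYPE_RE.search(line)
        if m:
            current["sa_type"], current["role"] = m.group(1), m.group(2)
        m = STATE_RE.search(line)
        if m:                      # State is the last field of an entry
            sas.append(IkeSa(current["peer"], current.get("sa_type", "?"),
                             current.get("role", "?"), m.group(1)))
            current = None
    return sas


def diagnose(sas, expected_l2l_peers):
    """Map each peer to a list of findings (empty list = nothing to report).

    expected_l2l_peers: peer addresses that a crypto map 'set peer' points at,
    so they should appear with Type L2L (hypothetical parameter for this example).
    """
    findings = {}
    for sa in sas:
        notes = []
        if sa.peer in expected_l2l_peers and sa.sa_type != "L2L":
            notes.append(f"type is '{sa.sa_type}' but peer is a crypto-map peer: verify "
                         f"'tunnel-group {sa.peer} type ipsec-l2l' exists and its name "
                         "matches the 'set peer' address exactly")
        if sa.state != "MM_ACTIVE":
            notes.append(MM_STATE_HINTS.get(sa.state, f"unrecognised state {sa.state}"))
        findings[sa.peer] = notes
    return findings


if __name__ == "__main__":
    report = diagnose(parse_isakmp_sa(SAMPLE_ISAKMP_SA), {"203.0.113.10"})
    for peer, notes in report.items():
        print(peer, "->", notes or ["ok"])
```

Feeding it the constructed sample reports the 203.0.113.10 entry twice: once for the type mismatch and once for the MM_WAIT_MSG2 state, which is the "no reply from the far side" case; the second, healthy L2L entry produces no findings. Aggressive-mode (AM_*) states fall through to the "unrecognised state" branch rather than being misread as main mode.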

m.surtees Wed, 10/08/2008 - 18:39

Don't worry ... I'm just overtired, and even though I checked and double-checked everything, after a night's sleep ... yes, I DID make a stupid config error on the 2821 IOS.

I'll close this.
