ASA 5510 TO CISCO 3845 IPSEC VPN MM_WAIT_MSG2 / MM_NO_STATE

Unanswered Question
Jun 8th, 2011

Hello,

we are trying to establish IPsec VPN between two locations from ASA 5510 to Cisco 3845 and the setup is as follows:

ASA end:

The ASA receives a PPPoE dynamic public address from the Service provider A through a Cisco 1941 router set up as a bridge. All standard IPsec VPN policies ie interesting traffic, crypto maps etc are implemented on the ASA and the software version is 8.4(1). Existing users on the LAN also access a cloud based service on the Internet by means of dynamic NAT to the cloud service. The IPsec session is set up to peer to the remote site public IP which is provided by Service Provider B

Cisco3845 end:

The Cisco router is connected to the Service Provider B firewall through a local gateway. Service Provider B provides a Static IP address which is used as the peer IP address from the ASA. All IPsec policies are implemented on Cisco 3845 router which is in the private network. The Cisco 3845 is configured with a default route to the provider firewall using Private IP as the next hop. The Service Provider B also implement 1:1 NAT to translate incoming session requests to the public IP and also NAT Traversal.

The scenario is depicted as follows:

Customer LAN/WLAN -> ASA-> Bridge -> PPPoE (SP A) --------------------------(SP B) Firewall -> Default Gateway -> Cisco IOS 3845

                                        Public IP                                                                        Public IP +NAT+NAT-traversal           VPN Policies

                                         VPN Policies

If a VPN tunnel is initiated by a ping from the Cisco 3845 end, the crypto isakmp sa output shows MM_NO_STATE

If a VPN tunnel is initiated by a ping from the ASA end the crypto ikev1 sa output shows MM_WAIT_MSG2.

The state above describes that both the devices have sent their IKE requests and as there is no response from the remote end, the state information is set to either MSG2 at ASA end or NO_STATE on the 3845.

The extract of the log capture on the ASA is as follows:

[IKEv1 DEBUG]IP = 210.50.52.22, IKE MM Initiator FSM error history (struct &0xade91ce0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Jun 08 12:01:32 [IKEv1 DEBUG]IP = 210.50.52.22, IKE SA MM:98976544 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

and the IKE fails to establish. Sometimes can see "Duplicate packets" in the log messages.

Suspected problems may be due to

1) Routing related : From the ASA, can ping to the public IP of the SP B, but from Cisco 3845 we cannot ping to the public IP of ASA

2) ASA users are connected to a cloud based service on the Internet and advise needed if some kind of split tunneling is required for IPsec traffic

and any NAT or ACLs required to ensure that IPsec traffic is pushed out through the tunnel.

Currently, interesting traffic is configured to permit IP traffic from  LAN A to LAN B and mirror image  on the other end.

NAT and ACLs allow icmp inbound to the LAN/WLAN devices and management access is allowed in the ASA for this subnet.

3) ASA version is 8.4(1) is implemented with IKEv1 policies.

Let me know if you need detailed configs and i can send this through

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
imatyaso Fri, 06/10/2011 - 05:53

Hi

Please check if the ISPs or firewalls  which you have in between the two peers allow

the following types of traffic for both inbound and  outbound filters with regard to

ASA and c3845.

1). Allow Encapsulating Security Protocol (ESP) traffic to be forwarded, i.e. IP Protocol 50 (ESP) :

2). Allow ISAKMP traffic to be forwarded, i.e. UDP Port 500

3). Allow ISAKMP NAT-T (NAT Transparency), i.e. UDP 4500

4). In cause you will also use Authentication Header (AH), make sure that IP Protocol 51 is allowed forr both inbound

     and outbound filters.

If this is allowed and still not working, please share further debug details.

Best regards

Istvan

mohankumarm Fri, 06/10/2011 - 18:10

Hey Istvan,

Thanks very much for your response and we have confirmed with the remote provider that UDP 500, 4500 and ESP 50 traffic is allowed for inbound as well as outbound on their firewalls and there seems to be no improvement.

We have tried this setup with another provider and we got IPsec tunnel come up without any problems. This time i am not sure if a firewall is located at the remote end, but tunnel comes up and seems to be working fine.

We will revert to the original provider and test again and here is the extract of the logs for the failed tests.

Teardown local-host Outside:10.77.15.250 duration 0:00:00

%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = ABCD.  Map Sequence Number = 10.

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-5-713041: IP = 210.50.52.22, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer X.X.X.X  local Proxy Address X.X.X.X, remote Proxy Address X.X.X.X,  Crypto map (ABCD)

%ASA-7-715046: IP = 210.50.52.22, constructing ISAKMP SA payload

%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver 02 payload

%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver 03 payload

%ASA-7-715046: IP = 210.50.52.22, constructing NAT-Traversal VID ver RFC payload

%ASA-7-715046: IP = 210.50.52.22, constructing Fragmentation VID + extended capabilities payload

%ASA-7-713236: IP = 210.50.52.22, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168

%ASA-7-609001: Built local-host identity:120.151.192.110

%ASA-7-609001: Built local-host Outside:210.50.52.22

%ASA-7-715065: IP = 210.50.52.22, IKE MM Initiator FSM error history (struct &0xadef3480)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

%ASA-7-713906: IP = 210.50.52.22, IKE SA MM:6c33e07d terminating:  flags 0x01000022, refcnt 0, tuncnt 0

%ASA-7-713906: IP = 210.50.52.22, sending delete/delete with reason message

%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MELSYD.  Map Sequence Number = 10.

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= MELSYD.  Map Sequence Number = 10.

%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = ABCD.  Map Sequence Number = 10

120.151.192.110 is the local IP on ASA and 210.50.52.22 is the remote IP on the SP firewall. From the ASA, i can ping to 210.x.x.x, but from the remote VPN router i cannot ping to 120.x.x.x (Firewall does NAT 1:1 translation)

Thanks and Regards,

Mohan

Actions

Login or Register to take actions

This Discussion

Posted June 8, 2011 at 4:59 PM
Stats:
Replies:2 Avg. Rating:
Views:5016 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard