08-16-2017 06:22 AM - edited 02-21-2020 09:24 PM
Hi, we have a problem between a Cisco ASA and a Cisco router. Tunnel status:
<status on asa>
IKE Peer: xx.xx.xx.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
<status on router>
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xx.xx.xx.166 xx.xx.xx.78 MM_NO_STATE 0 0 ACTIVE
<debug on asa>
[IKEv1 DEBUG]IP = xx.xx.xx.78, IKE MM Initiator FSM error history (struct &0x00007fff9e406480) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
<debug on router>
000561: Aug 16 14:56:15: ISAKMP:(0): SA request profile is (NULL)
000562: Aug 16 14:56:15: ISAKMP: Created a peer struct for xx.xx.xx.166, peer port 500
000563: Aug 16 14:56:15: ISAKMP: New peer created peer = 0x840073D4 peer_handle = 0x80000011
000564: Aug 16 14:56:15: ISAKMP: Locking peer struct 0x840073D4, refcount 1 for isakmp_initiator
000565: Aug 16 14:56:15: ISAKMP: local port 500, remote port 500
000566: Aug 16 14:56:15: ISAKMP: set new node 0 to QM_IDLE
000567: Aug 16 14:56:15: insert sa successfully sa = 83E90D44
000568: Aug 16 14:56:15: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000569: Aug 16 14:56:15: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000570: Aug 16 14:56:15: ISAKMP:(0):found peer pre-shared key matching xx.xx.xx.166
000571: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000572: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-07 ID
000573: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-03 ID
000574: Aug 16 14:56:15: ISAKMP:(0): constructed NAT-T vendor-02 ID
000575: Aug 16 14:56:15: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000576: Aug 16 14:56:15: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
000577: Aug 16 14:56:15: ISAKMP:(0): beginning Main Mode exchange
000578: Aug 16 14:56:15: ISAKMP:(0): sending packet to xx.xx.xx.166 my_port 500 peer_port 500 (I) MM_NO_STATE
000579: Aug 16 14:56:15: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
000580: Aug 16 14:56:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000581: Aug 16 14:56:25: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000582: Aug 16 14:56:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000583: Aug 16 14:56:25: ISAKMP:(0): sending packet to xx.xx.xx.166 my_port 500 peer_port 500 (I) MM_NO_STATE
000584: Aug 16 14:56:25: ISAKMP:(0):Sending an IKE IPv4 Packet.
<config on ASA>
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set SecondSet esp-3des esp-sha-hmac
crypto map VPNPEER 5 match address l2l
crypto map VPNPEER 5 set peer xx.xx.xx.78
crypto map VPNPEER 5 set ikev1 transform-set SecondSet
crypto map VPNPEER interface outside
tunnel-group xx.xx.xx.78 type ipsec-l2l
tunnel-group xx.xx.xx.78 ipsec-attributes
ikev1 pre-shared-key *****
access-list l2l line 1 extended permit ip 10.115.152.0 255.255.255.0 192.168.175.0 255.255.255.0
<config on router>
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key ****** address xx.xx.xx.166 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp aggressive-mode disable
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map vpn local-address FastEthernet4.3067
crypto map vpn 10 ipsec-isakmp
set peer xx.xx.xx.166
set transform-set vpnset
set pfs group2
match address 113
!
access-list 113 remark VPN
access-list 113 permit ip 192.168.175.0 0.0.0.255 10.115.152.0 0.0.0.255
interface FastEthernet4.3067
ip address x.x.x.78 255.255.255.252
ip nat outside
crypto map vpn
access-list 100 remark NAT
access-list 100 deny ip 192.168.175.0 0.0.0.255 10.115.152.0 0.0.0.255
access-list 100 permit ip 192.168.175.0 0.0.0.255 any
Thanks for any advice!
08-16-2017 06:29 AM
Hi,
It seems UDP 500 port is blocked between the two devices.
Regards,
Aditya
Please rate helpful and mark correct answers
08-16-2017 08:48 AM
Try to check your routes on both devices. You might want to have a static route for the interesting traffic pointing to the outside interface even though you may have a default route. And make sure you also have routes to your inside network from each device.
08-22-2017 02:39 AM
No problem with routes: we can ping each other and the inside routes are OK!
08-22-2017 02:44 AM
For 2 minutes it was in MSG3, but then it went back to MSG2.
# sh isakmp sa detail
7 IKE Peer: x.x.x.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
In the debug there is still this bug:
Aug 22 11:41:28 [IKEv1 DEBUG]IP = x.x.x.78, IKE MM Initiator FSM error history (struct &0x00007fff9e3eb380) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
# ping x.x.x.78
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.78, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 110/120/130 ms
#
08-22-2017 05:48 AM
OK, solved. The problem was on the router side: there was a PAT for port 500 to another device. So that was the reason why the ASA didn't get a response.
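The symptom pattern in this thread (ASA initiator stuck in MM_WAIT_MSG2, router stuck in MM_NO_STATE retransmitting phase 1, and finally a PAT for port 500 on the router) can be turned into a small triage check. This is an added example, not code from the thread or from Cisco; the sample outputs are constructed to mirror the thread, the `ip nat inside source static udp ... 500` line is a hypothetical config, and the 203.0.113.x addresses are placeholders.

```python
import re

# Constructed sample output modelled on the thread; addresses are placeholders.
ASA_SA = """7 IKE Peer: 203.0.113.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2"""

ROUTER_SA = """dst src state conn-id slot status
203.0.113.166 203.0.113.78 MM_NO_STATE 0 0 ACTIVE"""

# Hypothetical router config: a static PAT that hands UDP/500 to an inside host.
ROUTER_CFG = """crypto map vpn local-address FastEthernet4.3067
ip nat inside source static udp 192.168.175.10 500 interface FastEthernet4.3067 500
ip nat inside source list 100 interface FastEthernet4.3067 overload"""

def asa_phase1(text):
    """Return (role, state) from 'show isakmp sa detail' on the ASA."""
    role = re.search(r"Role\s*:\s*(\w+)", text)
    state = re.search(r"State\s*:\s*(\S+)", text)
    return (role.group(1) if role else None, state.group(1) if state else None)

def router_phase1(text):
    """Return (dst, src, state) rows from 'show crypto isakmp sa' on the router."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m:
            rows.append(m.groups())
    return rows

def udp500_pat(config):
    """Static PATs that redirect inbound UDP/500 away from the router's own IKE."""
    pat = re.compile(r"^ip nat inside source static udp (\S+) 500 (?:interface )?(\S+) 500\b", re.M)
    return [(m.group(1), m.group(2)) for m in pat.finditer(config)]

def triage(asa_sa, router_sa, router_cfg):
    """Combine both sides' phase 1 state with the router NAT config into findings."""
    role, state = asa_phase1(asa_sa)
    router_states = {row[2] for row in router_phase1(router_sa)}
    findings = []
    # Initiator waiting for MM2 on one side and MM_NO_STATE on the other means
    # both peers sent MM1 and neither received it: a path problem, not a proposal mismatch.
    if role == "initiator" and state == "MM_WAIT_MSG2" and "MM_NO_STATE" in router_states:
        findings.append("both sides sent MM1 and neither got MM2: UDP/500 is not reaching "
                        "the IKE process on at least one side; check filtering and NAT on port 500")
    for inside_host, outside in udp500_pat(router_cfg):
        findings.append(f"router static PAT forwards UDP/500 arriving on {outside} to "
                        f"{inside_host}, so the router's own IKE never sees the ASA's MM1")
    return findings
```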