New Member

L2L appears as type: user (with MM_WAIT_MSG2)

Hi all,

I've checked and double-checked everything. This is a duplicate (IP and ACLs changed to protect the innocent) of another situation which works fine. But this one does not.

I can't get any debug info on the 2821 side (?) but right now I'm concerned that when I do try and bring it up from the ASA it appears in "sh cryp isa sa" as type: user (with State: MM_WAIT_MSG2) instead of type: L2L.

The packet-tracer on the ASA falls down at:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a38e38, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x4bbabd0, reverse, flags=0x0, protocol=0
src ip=, mask=, port=0
dst ip=, mask=, port=0

input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is some config - I can definitely send through more if it helps to help me. Below is a bit.

crypto map VPN 40 match address CRYPTO-LONDON
crypto map VPN 40 set peer ip.ip.ip.ip
crypto map VPN 40 set transform-set ESP-AES-256-SHA
tunnel-group ip.ip.ip.ip type ipsec-l2l
tunnel-group ip.ip.ip.ip ipsec-attributes
 pre-shared-key *

Really, really appreciate any help.



New Member

Re: L2L appears as type: user (with MM_WAIT_MSG2)

Don't worry ... I'm just overtired and even though I checked and double-checked everything, after a night's sleep ... Yes, I DID make a stupid config error on the 2821 IOS.

I'll close this.
