Cisco Support Community
New Member

asa 5510 asdm 5.2 site to site vpn action-drop

Hi all,

I've been searching a while to solve the following issue. I need to set up a site-to-site VPN connection with an external company; they use a Juniper firewall and are able to set up the VPN with us. But data should be sent from us to them, so when we try to set up a connection (tested it by pinging from a desktop to the external company) the tunnel isn't coming up.

When I run the "show crypto isakmp" command I get "mm_wait_msg2", and when I run it in the ASDM packet tracer the packet goes to the VPN but is dropped there; it says "type-vpn, subtype-encrypt, action-drop".

Does anyone have an idea? thx!

Result of the command: "show running-config isakmp"

crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800

Result of the command: "show running-config ipsec"

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Result of the command: "show crypto isakmp"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 95.130.40.116
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 14
In Octets: 13804
In Packets: 67
In Drop Packets: 24
In Notifys: 0
In P2 Exchanges: 1
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 1
In P2 Sa Delete Requests: 0
Out Octets: 1035292
Out Packets: 6931
Out Drop Packets: 15
Out Notifys: 25
Out P2 Exchanges: 15
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 1711
Initiator Fails: 1697
Responder Fails: 16
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 8

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

1 REPLY
Cisco Employee

asa 5510 asdm 5.2 site to site vpn action-drop

"MM_WAIT_MSG2" basically means that you did initiate the tunnel, and there is no reply from the Juniper end.

A couple of issues:

- Do you have any firewall/acl etc in front of this ASA that might be blocking the traffic? Phase 1 uses UDP/500

- There could be firewall/acl in front of the Juniper firewall that might be blocking the traffic

- Juniper end might not have been configured yet to accept the VPN tunnel.
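To make the reply's reading of the output repeatable, here is a small triage script (an added example, not part of the original post or Cisco's own tooling). It parses the "show crypto isakmp" listing quoted in the question, maps the IKEv1 main-mode wait state to how far the negotiation got, and checks the global counters that support the diagnosis (1697 of 1711 initiator attempts failed, zero Auth Fails). The state descriptions are our own wording; the sample text is copied from the output posted above.

```python
"""Triage helper for ASA `show crypto isakmp` output (IKEv1 main mode).

Added example, not part of the original thread. The SAMPLE_OUTPUT below is
copied from the output posted in the question; the state hints are ours.
"""
import re

# Which main-mode message the ASA is waiting for tells you how far Phase 1
# got. MM_WAIT_MSG2 (the state in the question) means our first proposal
# went out and nothing came back, exactly as the reply says.
MM_STATE_HINTS = {
    "MM_WAIT_MSG2": "Sent ISAKMP MSG1 (SA proposal), no reply from peer. Check UDP/500 "
                    "reachability in both directions (ACLs or firewalls in front of "
                    "either gateway) and that the peer has a gateway/policy configured "
                    "for our address.",
    "MM_WAIT_MSG4": "Proposal accepted; waiting for the peer's Diffie-Hellman/nonce reply.",
    "MM_WAIT_MSG6": "Key exchange done; waiting for the peer's identity/authentication "
                    "message. A pre-shared key or peer identity mismatch is the usual cause.",
    "MM_ACTIVE":    "Phase 1 is up; if traffic still fails, look at Phase 2 (IPsec).",
}

# Constructed sample: the SA block and the counters that matter, taken from
# the output posted in the question.
SAMPLE_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 95.130.40.116
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 14
Initiator Tunnels: 1711
Initiator Fails: 1697
Responder Fails: 16
Auth Fails: 0
No Sa Fails: 8
"""

# One SA entry: peer address, then Role and State on the following lines.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+).*?Role\s*:\s*(?P<role>\w+).*?State\s*:\s*(?P<state>\S+)",
    re.S,
)
# "Name: <integer>" counter lines; lines with trailing text (Rekey SA) are skipped.
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?):\s*(?P<value>\d+)\s*$", re.M)


def parse_isakmp(text):
    """Return (list of SA dicts with peer/role/state, dict of integer counters)."""
    sas = [m.groupdict() for m in SA_RE.finditer(text)]
    counters = {m["name"].strip(): int(m["value"]) for m in COUNTER_RE.finditer(text)}
    return sas, counters


def diagnose(text):
    """Turn the parsed output into a list of findings a defender can act on."""
    sas, counters = parse_isakmp(text)
    findings = []
    for sa in sas:
        hint = MM_STATE_HINTS.get(sa["state"], "Unrecognised state; review Phase 1 debugs.")
        findings.append(f"peer {sa['peer']} ({sa['role']}): {sa['state']} -> {hint}")

    attempts = counters.get("Initiator Tunnels", 0)
    fails = counters.get("Initiator Fails", 0)
    if attempts and fails / attempts > 0.9:
        findings.append(f"{fails}/{attempts} initiator attempts failed: "
                        "this is a persistent failure, not an intermittent one.")

    # If we never got MSG2, authentication never ran, so Auth Fails staying at
    # zero is expected and the pre-shared key is not yet the suspect.
    if any(sa["state"] == "MM_WAIT_MSG2" for sa in sas) and counters.get("Auth Fails", 0) == 0:
        findings.append("Auth Fails is 0: negotiation never reached authentication; "
                        "rule out connectivity and peer configuration before the PSK.")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_OUTPUT):
        print(line)
```

Paste the full "show crypto isakmp" output in place of SAMPLE_OUTPUT to run it against a live box. The counters are the useful part: a high Initiator Fails ratio with zero Auth Fails and zero Decrypt Fails narrows the problem to the first exchange, which is what the reply's three checks (ACL in front of the ASA, ACL in front of the Juniper, peer not yet configured) all target.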
