Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" instead of "L2L" mode

I have a VPN connection from an ASA 5510 to a 3rd Party Checkpoint FW.  Often the tunnel goes down and ISAKMP SA message is:

1   IKE Peer: xxx.xxx.xxx.xxx
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

This is a L2L tunnel and whatever i do, i cannot restore the tunnel.  Eventually, the tunnel will restore itself.

Any information on what causes this issue and how to prevent or restore the tunnel quickly would be greatly appreciated.

Many thanks,

10 REPLIES
Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

When the tunnel is up verify it is showing as a L2L tunnel.

Also, try the 'sh crypto ipsec sa detail' command when the tunnel is up and make sure the site to site tunnel is on the correct crypto map.

I have experienced a similar issue where a 3rd party checkpoint was using a private IP, the 3rd party was NAT'd the checkpint private IP, and the private IP was showing up in our crypto map, resulting in the connection being dumped in the 'user dynamic crypto map'.

Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Trippi,

Thank you for the information provided.  At the moment the tunnel is up and showing as L2L and the tunnel is in the correct crypto map.  I will check the crypto maps when the tunnel is down for the issues you described below.

Many thanks,

Allan

Cisco Employee

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Hi,

This is expected behavior on the ASA. If you run the "debug crypto isakmp 127" on the ASA, you will notice that the tunnel-group on which the connection lands is decided only after the 3rd exchange, that is, until then the ASA does not know what "tunnel group" this particular connection should land on and hence does not know if it's a L2L tunnel or a RA VPN tunnel.

For example, the debugs below:

ASA5505(config)# Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, IKE_DECODE RECEIVED
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VEN
DOR (13) + NONE (0) total length : 188
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Oakley proposal is acceptable
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received NAT-Traversal ver 02 V
ID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received NAT-Traversal ver 03 V
ID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received Fragmentation VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, IKE Peer included IKE fragmenta
tion capability flags:  Main Mode:        True  Aggressive Mode:  True
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing IKE SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, IKE SA Proposal # 1, Transform
# 1 acceptable  Matches global IKE entry # 2
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing ISAKMP SA payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing NAT-Traversal VID
ver 02 payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing Fragmentation VID
+ extended capabilities payload
Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length
: 128
Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR
(13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing ke payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing ISA_KE payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing nonce payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received Cisco Unity client VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received xauth V6 VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Processing VPN3000/ASA spoofing
IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Received Altiga/Cisco VPN3000/C
isco ASA GW VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing NAT-Discovery payloa
d
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, computing NAT Discovery hash
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, processing NAT-Discovery payloa
d
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, computing NAT Discovery hash
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing ke payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing nonce payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing Cisco Unity VID pa
yload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing xauth V6 VID paylo
ad
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Send IOS VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Constructing ASA spoofing IOS V
endor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing VID payload
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, Send Altiga/Cisco VPN3000/Cisco
ASA GW VID
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing NAT-Discovery payl
oad
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, computing NAT Discovery hash
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, constructing NAT-Discovery payl
oad
Jan 19 13:39:49 [IKEv1 DEBUG]: IP = 192.168.1.1, computing NAT Discovery hash
Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, Connection landed on tunnel_group 192
.168.1.1

Jan 19 13:39:49 [IKEv1 DEBUG]: Group = 192.168.1.1, IP = 192.168.1.1, Generating
keys for Responder...
Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, IKE_DECODE SENDING Message (msgid=0)
with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (
13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jan 19 13:39:49 [IKEv1]: IP = 192.168.1.1, IKE_DECODE RECEIVED Message (msgid=0)
with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + N
ONE (0) total length : 96

If you see the bolded message, only after the ASA receives the 3rd exchange when it is a responder does it decide the tunnel-group and hence decided that it is going to be a L2L tunnel. Until this, the ASA shows the tunnel type as "User" in the output of "show crypto isakmp sa". It is not a problem of any kind unless you see the state does not change to L2L even after the tunnel comes up successfully.

Hope that clears things out.

regards,

Prapanch

Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Prapanch,

That clears up the user/L2L issue.  Thanks.

Only thing in need to figure out now is, why is the 3rd exchange not taking place.

Regards,

Allan

Cisco Employee

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Allan,

Do we have the debugs or logs from that time? It looks like the ASA kept waiting for the checkpoint to reply with the 3rd exchange. The reason for that could have been the 2nd excahnge (packet from ASA to checkpoint) never reached the checkpoint. We can confirm this with some for of captures/debugs on the checkpoint. Anyway, we can always check this the next time it happens (if it happens)

Regards,

Prapanch

Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Prapanch,

Unfortunately the logs have been deleted.  The next time it happens i'll be looking for packet exchange issues between the ASA and the checkpoint.

Thank you for your help.

Regards,

Allan

Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Prapanch,

It took sometime but it finally happened again. 

ASA5510# Sep 08 16:24:12 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:12 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:12 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:24:16 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:16 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:16 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE MM Responder FSM error history (struct &0xd7e75728)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Sep 08 16:24:16 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA MM:3efc4bce terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Sep 08 16:24:16 [IKEv1 DEBUG]: IP = 192.168.251.8, sending delete/delete with reason message
Sep 08 16:24:16 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:24:20 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 132
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, processing SA payload
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, Oakley proposal is acceptable
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, processing VID payload
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, processing IKE SA payload
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing ISAKMP SA payload
Sep 08 16:24:20 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing Fragmentation VID + extended capabilities payload
Sep 08 16:24:20 [IKEv1]: IP = 192.168.251.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:20 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:24:24 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:24 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:24 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:28 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 132
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, processing SA payload
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, Oakley proposal is acceptable
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, processing VID payload
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, processing IKE SA payload
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing ISAKMP SA payload
Sep 08 16:24:28 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing Fragmentation VID + extended capabilities payload
Sep 08 16:24:28 [IKEv1]: IP = 192.168.251.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:30 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:30 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:30 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:32 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:32 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:32 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:32 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:34 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:34 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:34 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:36 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:36 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:36 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE MM Responder FSM error history (struct &0xd82e1fe0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Sep 08 16:24:36 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA MM:e7222d40 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Sep 08 16:24:36 [IKEv1 DEBUG]: IP = 192.168.251.8, sending delete/delete with reason message
Sep 08 16:24:38 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 132
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, processing SA payload
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, Oakley proposal is acceptable
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, processing VID payload
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, processing IKE SA payload
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing ISAKMP SA payload
Sep 08 16:24:38 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing Fragmentation VID + extended capabilities payload
Sep 08 16:24:38 [IKEv1]: IP = 192.168.251.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:40 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:40 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:40 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:40 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:44 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:44 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:44 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:48 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:48 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:48 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:24:48 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE MM Responder FSM error history (struct &0xd7e75728)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Sep 08 16:24:48 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA MM:2b3a521d terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Sep 08 16:24:48 [IKEv1 DEBUG]: IP = 192.168.251.8, sending delete/delete with reason message
Sep 08 16:24:52 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:24:52 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:24:52 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE MM Responder FSM error history (struct &0xd82e1fe0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Sep 08 16:24:52 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA MM:a344c262 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Sep 08 16:24:52 [IKEv1 DEBUG]: IP = 192.168.251.8, sending delete/delete with reason message
Sep 08 16:24:56 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 132
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, processing SA payload
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, Oakley proposal is acceptable
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, processing VID payload
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, processing IKE SA payload
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing ISAKMP SA payload
Sep 08 16:24:56 [IKEv1 DEBUG]: IP = 192.168.251.8, constructing Fragmentation VID + extended capabilities payload
Sep 08 16:24:56 [IKEv1]: IP = 192.168.251.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:25:00 [IKEv1]: IP = 192.168.251.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Sep 08 16:25:00 [IKEv1]: IP = 192.168.251.8, P1 Retransmit msg dispatched to MM FSM
Sep 08 16:25:00 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:04 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:06 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
noSep 08 16:25:07 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
cSep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
rSep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:08 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
ySep 08 16:25:09 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping       Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping        Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping          Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:10 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping       Sep 08 16:25:11 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:11 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
dSep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping
Sep 08 16:25:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping      

I have checked with the Checkpoint admin and they are recieving nothing from our ASA.  How can we check that the 2nd exchange message is getting through?

Many thanks,

Allan

Cisco Employee

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

It is interesting that the ASA is the responder and is receiving the following message:

Sep 08 16:24:12 [IKEv1]: IP = 192.168.251.8, Received encrypted packet with no matching SA, dropping

If this is the address of the Checkpoint, it seems to indicate that the Checkpoint thinks the tunnel is still up and is encrypting packets with the SA that was built before. Could you check to see if the Checkpoint thinks this tunnel is still up?

Do you have any debugs from the minutes before the issue happened, so we can see why the ASA tore down the tunnel? Does it seem to correspond with your Isakmp or IPSec rekey lifetimes (for instance does it occur when Checkpoint initiates a rekey, or happen at about 80% of the configure lifetime or happen less frequently if you increase the lifetimes).

Cisco Employee

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

Hey Allan,

You can apply captures on the ASA's outside interface between it's IP address and the checkpoint's ip address and vice versa. That way you should be able to see the packets coming in and going out of the firewall. Again, based on the debugs, it looks like the 2nd packet from ASA is not reaching the firewall at all. captures should help us iwth this.

https://supportforums.cisco.com/docs/DOC-1222

This document should help you with the captures.

Regards,

prapanch

Community Member

Re: ASA - to - CheckPoint VPN tunnel - MM_WAIT_MSG2 and "User" i

1- What version of Checkpoint?  please provide "fw ver" output?

2- on the checkpoint firewall, are there other VPNs?  Is the VPN between the checkpoint and ASA setup as "simplified mode" or "traditional mode"?

3- ASA to Checkpoint VPN is crapshooting.  It works one day and stop working the next day.  One vendor may not like the other, for example, the VPN tunnel could be working with Checkpoint NGx R65 HFA 60.  Once you apply HFA 70, it stops working, or the other way around.

4- Since Checkpoint NG Feature Pack 3, the default timeout setting for Checkpoint is both Phase I and Phase II is 1440 minutes (86400 seconds) and 3600 seconds, respectively.

5- on the checkpoint firewall (aka enforcement module), perform "vpn debug ikeoff", "vpn debug trunc", "vpn debug ikeon".  That will turn on VPN debug on the checkpoint firewall.  the output is located in the $FWDIR/log/ike.elg file.  Transfer this file back to your local machine and view it with a checkpoint tool called "ikeview.exe" file.  This will tell you exactly why the tunnel failed.

Hope that help.

13456
Views
0
Helpful
10
Replies
CreatePlease to create content