Cisco Support Community

We're stuck at MM_KEY_EXCH

Hi,

We don't know what to do now. We're stuck at MM_Key_Exch. What should we check? Thanks.

Regards,

John

6 REPLIES
Gold

Re: We're stuck at MM_KEY_EXCH

Have you double-checked your preshared keys?

Re: We're stuck at MM_KEY_EXCH

Thanks for the reply. Yes, we already checked it. We even configured our pre-shared key to a very simple one to avoid mistakes. Thanks.

Regards,

John

Re: We're stuck at MM_KEY_EXCH

I'm also wondering right now because suddenly, ISAKMP session stopped. I tried to erase the crypto map that corresponds to that tunnel and re-apply it again. Now, I don't even see my PIX firewall initiating Phase 1 session. What should I check again? Should I see my PIX firewall doing Phase 1 even if he configured something on his end that prevents me from initiating it?

Regards,

John

Re: We're stuck at MM_KEY_EXCH

Hi,

For anyone who can help me, here's my configuration.

Interesting traffic:

access-list test permit ip 10.252.4.0 255.255.255.0 10.254.0.0 255.255.0.0

ISAKMP Policy:

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash md5

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

Crypto Maps:

crypto map outside 90 ipsec-isakmp

crypto map outside 90 match address test

crypto map outside 90 set pfs group2

crypto map outside 90 set peer x.x.x.x

crypto map outside 90 set transform-set testing

crypto ipsec transform-set testing esp-3des esp-md5-hmac

crypto map outside interface outside

Pre-shared key:

isakmp key secret address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

For translation:

global (outside) 12 10.252.4.250

nat (inside) 12 10.252.1.250 255.255.255.255 0 0

I can see the access-list test being hit but the PIX firewall doesn't initiate the connection. Please help.

Regards,

John

New Member

Re: We're stuck at MM_KEY_EXCH

Hi

I see your NAT statements have 12, have you got any others that could be NATTING the 10.252.4.0/24 network?

Also check the isakmp policies on both routers.

Can you do a debug of isakmp?
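
The policy check suggested in the reply above can be scripted. The following is an added example, not part of the original thread: it parses PIX-style `isakmp policy` lines and compares the Phase 1 attributes of two peers. The local policy is the one posted in the thread; both remote configurations and all function names are constructed for illustration.

```python
import re

# Attributes compared between peers. Lifetime is parsed but not treated as a
# mismatch here (a simplification of this example).
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")
LINE_RE = re.compile(r"^\s*isakmp policy (\d+) (\w+) (\S+)\s*$")

# Local policy as posted in the thread.
LOCAL = """
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
"""
# Constructed remote configs (not from the thread): one mismatching, one matching.
REMOTE_BAD = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
REMOTE_OK = REMOTE_BAD.replace("policy 10", "policy 20") \
                      .replace("hash sha", "hash md5").replace("group 2", "group 1")

def parse_policies(config):
    """Return {priority: {attribute: value}}; platform defaults are not modelled."""
    policies = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value.lower()
    return policies

def compare(local, remote):
    """Return (matching priority pairs, {pair: {attr: (local, remote)}})."""
    matches, diffs = [], {}
    for lp, la in sorted(local.items()):
        for rp, ra in sorted(remote.items()):
            bad = {a: (la.get(a), ra.get(a)) for a in MATCH_ATTRS if la.get(a) != ra.get(a)}
            if bad:
                diffs[(lp, rp)] = bad
            else:
                matches.append((lp, rp))
    return matches, diffs

if __name__ == "__main__":
    matches, diffs = compare(parse_policies(LOCAL), parse_policies(REMOTE_BAD))
    print("matching pairs:", matches or "none")
    for pair, bad in diffs.items():
        print(pair, bad)
```
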

Re: We're stuck at MM_KEY_EXCH

Hi John,

Wondering if you got this fixed ...

Thanks

~EM
