topic Re: ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2 in Network Security

ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2

Prashobcv93 — Thu, 17 Dec 2020 12:04:31 GMT

I have configured a VPN site to site IPSEC tunnel from ASA to Draytek with IKEv1 and PFS disabled but Phase 1 stuck in MM_WAIT_MSG2.

Phase 1 and 2 configs are identical and cross-verified multiple times.

What can be the issue?

Phase 1 policy used:

crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

Phase 2 setup:
crypto map SME_ASAv_Ext_map1 <> match address <Cryptop Map>
crypto map SME_ASAv_Ext_map1 <> set peer <Peer IP>
crypto map SME_ASAv_Ext_map1 <> set ikev1 transform-set ESP-AES-256-SHA
crypto map SME_ASAv_Ext_map1 <> set security-association lifetime seconds 3600
crypto map SME_ASAv_Ext_map1 <> set reverse-route

Re: ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2

Prashobcv93 — Thu, 17 Dec 2020 12:02:32 GMT

Logs don't provide much info.

IKE initiator New Phase 1.

Re: ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2

Rob Ingram — Thu, 17 Dec 2020 12:09:55 GMT

Hi @Prashobcv93

I am not familar with Draytek firewalls/routers, but on image PJH 02.jpg you have the value "Call direction" both/dial-out/dial-in with dial-out selected. I assume that relates to which side can initate the tunnel? In which case only traffic initated from the draytek network can start the tunnel. Change it to "both" and test again.

Re: ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2

Prashobcv93 — Thu, 17 Dec 2020 12:13:49 GMT

Hi Rob,

I tried with Call direction as Dial-Out and Both but no luck.

Re: ASA to Draytek IPSEC S2S tunnel stuck in MM_WAIT_MSG2

Rob Ingram — Thu, 17 Dec 2020 12:20:15 GMT

The error message you received on the ASA "MM_WAIT_MSG2" confirms the ASA is the initiator and is waiting to hear back from the peer (draytek). So if the draytek was set to "dial-out" when these logs were generated, that would explain why the ASA is waiting to hear back and not getting a response.

Set to "both" on the draytek, turn on the debug logs from the CLI, generate some traffic to establish the tunnel. Provide the output of the debug for review, a screenshot from ASDM is not sufficient.