大佬们，求问5515X IPsec问题

yangyr · ‎10-25-2019

目前有两台ASA建立了IPsec L2L VPN。
之前都是好的，后来总部的ASA重启了，导致跟其他分支机构的VPN全部链接不上了.
show cry isakmp sa
状态卡在：
1 IKE Peer: xxx
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
debug crypto isakmp 显示：
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
有没有大佬知道是什么原因导致的相关问题啊？或者有没有大佬遇见过相同问题呀？
重启后设备配置没丢。

robortlin · ‎10-26-2019

你是否可以Ping 通分部 IP. 如果分部是动态的IP 需要分部先发起流量

Rockyw · ‎10-28-2019

楼主参考一下看看
MM_WAIT_MSG3 Receiver Receiver is sending back its IKE policy to the initiator. Initiator sends encr/hash/dh ike policy details to create initial contact. Initiator will wait at MM_WAIT_MSG2 until it hears back from its peer. Hang ups here may also be due to mismatch device vendors, a router with a firewall in the way, or even ASA version mismatches.
上述信息来源：ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG#
https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/
下面这一篇文档也可以参考一下
Cisco ASA VPN to Cisco Router "MM_WAIT_MSG3“
https://www.petenetlive.com/KB/Article/0001531

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

Rockyw · ‎10-28-2019

MM_WAIT_MSG3 (Responder)
The Responding peer has responded with message two and will be stuck in a MM_WAIT_MSG3 state. This should rarely happen because if Message 2 was sent back to the peer, then the initiating peer should be able to respond with Message 3. This can happen for a few reasons but the most common is ISP issues. This can be the route back to the initiating peer or UDP 500 could be blocked from the Responding Peer to the Initiating Peer on their edge. Have the Peer with this message check that UDP 500 is allowed from their environment and that they are not having any routing issues back to the Initiating peer.
信息来源：ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG
https://www.thinknetsec.com/isakmp-ike-phase-1-status-messages-mm_wait_msg/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

yangyr · ‎10-28-2019

Rocky 发表于 2019-10-28 22:55
MM_WAIT_MSG3 (Responder)
The Responding peer has responded with message two and will be stuck in a ...

谢谢大佬，这些我都搜过了。。
但问题是我能放的都放了，端口也放了，还是不行。

Rockyw · ‎10-29-2019

yangyurun2015 发表于 2019-10-29 10:34
谢谢大佬，这些我都搜过了。。
但问题是我能放的都放了，端口也放了，还是不行。

放了端口后还是这个错误吗？我回复中思科ASA跟路由器建VPN的那个文档看过没有？

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

Mansur · ‎10-29-2019

No crypto map matched.
没匹配，检查下感兴趣流的配置，以及对应的no nat策略

Rockyw · ‎10-30-2019

下面这篇文档有没有看过了
Cisco ASA 5505 Site to Site VPN Not Establishing a Tunnel
https://www.experts-exchange.com/questions/29070098/Cisco-ASA-5505-Site-to-Site-VPN-Not-Establishing-a-Tunnel.html
两边的时间一致不一致？

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

yangyr · ‎10-31-2019

Rocky 发表于 2019-10-29 15:42
放了端口后还是这个错误吗？我回复中思科ASA跟路由器建VPN的那个文档看过没有？

大佬你好，谢谢你的答复。你给的文档我都看过了，在我发帖前也都是谷歌搜出来看过，但好像并未解决问题:'(。谢谢你。

yangyr · ‎10-31-2019

Rocky 发表于 2019-10-30 23:09
下面这篇文档有没有看过了
Cisco ASA 5505 Site to Site VPN Not Establishing a Tunnel
https://www.exp ...

这篇文章，我之前也都搜到了。。。。时间一致的。
所以现在这个现象很神奇，我都在考虑要不要换设备试试了。

Rockyw · ‎10-31-2019

yangyurun2015 发表于 2019-10-31 21:11
这篇文章，我之前也都搜到了。。。。时间一致的。
所以现在这个现象很神奇，我都在考虑要不要换设备试试 ...

两边都是MM_WAIT_MSG3 这个错误吗？我看到文档说，也有可能是ISP的问题。

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

yangyr · ‎11-01-2019

Rocky 发表于 2019-10-31 22:19
两边都是MM_WAIT_MSG3 这个错误吗？我看到文档说，也有可能是ISP的问题。

总部这边是MSG3 分支是MSG2。
好像是总部这边无法给分支做加密的数据流回复。
因为我用模拟器相同配置下，模拟器都正常。:L
所以决定换设备试试看。