Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
896
Views
5
Helpful
2
Replies

ISPEC Ikev1 stuck on MM_SA_SETUP

CiscoPurpleBelt
Level 6
Level 6

‎05-21-2020 09:36 AM

So on the responder I see it gets to IKE_R_MM2 and keeps retransmiiting on the phase 1 MM_SA_SETUP.

 

Now given it makes it to this stage, suspect there may be a unidirectional routing issue through the WAN/tranpsort perhaps? There obviously is certain reachability if the responder receives packets. What else can I try and look for or do to confirm this? I know traceroute makes it up to provider FW next to our equiipment but never completes, nor are pings successful. Any help?

0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎05-21-2020 12:31 PM

Hello,

 

what firewall is that ? Do you have the configuration ? Check if UDP port 500 is allowed through the firewall...

CiscoPurpleBelt
Level 6
Level 6
In response to Georg Pauwen

‎05-21-2020 04:03 PM - edited ‎05-21-2020 04:04 PM

Its not a FW its a ISR. Yes UDP500 and ESP are allowed.

Wouldn't it fail first at MM1 if UDP500 or ESP50 were not allowed or there was no reachability what so ever or no?

I confirm and see some UDP both ways on both the ingress/egress interface of my FW that basically sits in between the two tunnel router endpoints. There does not seem to be much as much traffic from both the routers however compared to working tunnels.
No I can't put the configs on here but it is basically pretty standard and the same on both devices.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card