asa 5510 asdm 5.2 site to site vpn action-drop

JeroenUSF
Level 1

Hi all,

I've been searching a while to solve the following issue. I need to set up a site-to-site VPN connection with an external company; they use a Juniper firewall and are able to set up the VPN with us. But data should be sent from us to them, so when we try to set up a connection (tested it by pinging from a desktop to the external company) the tunnel isn't coming up.

When I run the "show crypto isakmp" command I get "mm_wait_msg2", and when I run it in the ASDM packet tracer the packet goes to the VPN but is being dropped there; it says "type-vpn, subtype-encrypt, action-drop".

Does anyone have an idea? thx!

Result of the command: "show running-config isakmp"

crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

Result of the command: "show running-config ipsec"

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

Result of the command: "show crypto isakmp"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 95.130.40.116
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 14
In Octets: 13804
In Packets: 67
In Drop Packets: 24
In Notifys: 0
In P2 Exchanges: 1
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 1
In P2 Sa Delete Requests: 0
Out Octets: 1035292
Out Packets: 6931
Out Drop Packets: 15
Out Notifys: 25
Out P2 Exchanges: 15
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 1711
Initiator Fails: 1697
Responder Fails: 16
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 8

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

1 Reply

Jennifer Halim
Cisco Employee

"MM_WAIT_MSG2" basically means that you did initiate the tunnel, and there is no reply from the Juniper end.

A couple of issues:

- Do you have any firewall/acl etc in front of this ASA that might be blocking the traffic? Phase 1 uses UDP/500

- There could be firewall/acl in front of the Juniper firewall that might be blocking the traffic

- Juniper end might not have been configured yet to accept the VPN tunnel.
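A small parser for the "show crypto isakmp" output quoted in the question, added here as an example (it is not code from the thread or from Cisco). It maps the IKE SA state to the stage of the main-mode exchange that stalled, generalising the MM_WAIT_MSG2 reading in the reply to the other MM_WAIT states, and flags the initiator failure ratio from the counters. The sample output and the 203.0.113.10 peer address are constructed.

```python
import re

# Constructed sample in the "show crypto isakmp" format quoted above (documentation peer address).
SAMPLE = """\
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
Global IKE Statistics
Initiator Tunnels: 1711
Initiator Fails: 1697
"""

# Main mode has six messages; MM_WAIT_MSGn names the message still awaited, so it locates the stall.
STATE_HINTS = {
    "MM_WAIT_MSG2": "MSG1 sent, nothing back: check UDP/500 end to end and peer config",
    "MM_WAIT_MSG4": "proposal accepted, peer has not completed the key exchange",
    "MM_WAIT_MSG6": "identity/auth sent, peer has not authenticated us: check PSK and IDs",
    "MM_ACTIVE": "phase 1 established",
}
PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Role|State)\s*:\s*(\S+)")
STAT_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\d+)(?=\s|$)")

def parse_isakmp(text):
    """Return {'peers': [{'peer', 'role', 'state'}, ...], 'stats': {counter: int}}."""
    peers, stats = [], {}
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peers.append({"peer": m.group(1)})  # start a new per-SA record
        elif peers and FIELD_RE.search(line):
            for key, val in FIELD_RE.findall(line):  # Role / State columns
                peers[-1][key.lower()] = val
        elif m := STAT_RE.match(line):
            stats[m.group(1)] = int(m.group(2))  # e.g. "Initiator Fails: 1697"
    return {"peers": peers, "stats": stats}

def diagnose(parsed):
    """Translate SA states and counters into findings a defender can act on."""
    findings = []
    for p in parsed["peers"]:
        state = p.get("state", "?")
        findings.append(f"{p['peer']} ({p.get('role', '?')}) {state}: {STATE_HINTS.get(state, 'unknown state')}")
    s = parsed["stats"]
    tries, fails = s.get("Initiator Tunnels", 0), s.get("Initiator Fails", 0)
    if tries and fails / tries > 0.5:  # nearly every attempt failing: persistent, not transient
        findings.append(f"{fails}/{tries} initiator attempts failed")
    return findings
```

Feed it the real output with `diagnose(parse_isakmp(open("isakmp.txt").read()))`; on the thread's numbers it reports the MM_WAIT_MSG2 hint and 1697 of 1711 initiator attempts failed.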