Solved: Site-to-Site VPN stuck at MM_WAIT_MSG4

NPTsIT · ‎12-05-2018

EDIT: Thanks for the help! I fixed the configuration and all has been fixed.

RJI · ‎12-05-2018

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH

RJI · ‎12-05-2018

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH

RJI · ‎12-05-2018

Hi,

My first reply was marked as spam for some reason!

The configuration of the crypto maps are different, you need to make sure they match. I'd recommend removing "ikev1 phase1-mode aggressive" command from the FW2 firewall and add "pfs" to the FW1 configuration.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

HTH

Site-to-Site VPN stuck at MM_WAIT_MSG4

Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4