Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Webcast -VXLAN BGP EVPNt
287
Views
0
Helpful
2
Replies
Highlighted
NPTsIT
NPTsIT Beginner
Beginner
‎12-05-2018 10:50 AM
‎12-05-2018 10:50 AM

Site-to-Site VPN stuck at MM_WAIT_MSG4

EDIT: Thanks for the help! I fixed the configuration and all has been fixed.

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
RJI
VIP Advocate RJI VIP Advocate
VIP Advocate
‎12-05-2018 02:57 PM
‎12-05-2018 02:57 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH
0 Helpful
Reply
2 REPLIES 2
RJI
VIP Advocate RJI VIP Advocate
VIP Advocate
‎12-05-2018 02:57 PM
‎12-05-2018 02:57 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH
0 Helpful
Reply
RJI
VIP Advocate RJI VIP Advocate
VIP Advocate
‎12-05-2018 03:02 PM
‎12-05-2018 03:02 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,

My first reply was marked as spam for some reason!

 

The configuration of the crypto maps are different, you need to make sure they match. I'd recommend removing "ikev1 phase1-mode aggressive" command from the FW2 firewall and add "pfs" to the FW1 configuration.

 

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

 

HTH

0 Helpful
Reply
Latest Contents
Vpn any connect
Created by XiaoRen140601 on 05-20-2019 11:06 AM
0
0
0
0
  
Juno Email Customer Service Contact Number (West Virginia)
Created by MariaLena5782 on 05-17-2019 03:10 AM
0
0
0
0
Juno is one of the best platforms for web services provider in the whole world. Juno is the internet service provider in the United States and renowned about its value-priced facility. Juno also offers its emailing feature that is one of the best mailing ... view more
ISE BYOD Endpoint notes
Created by howon on 05-15-2019 11:19 PM
0
0
0
0
  This document is to provide any changes made to endpoint OS that impacts BYOD flow for end users.   Prior to troubleshooting endpoint issues, please follow these steps first: Update OS finger printing DB on ISE: This is done by going to Adm... view more
Release Note, April 2019: Updated Privacy Data Sheet
Created by andhsieh on 05-15-2019 11:51 AM
0
0
0
0
After the migration of the production infrastructure to Amazon Web Services, we updated the Privacy Data Sheet that describes the types of data and purpose of processing.
Cisco Response to Fxmsp Hacking Claims
Created by mor@cisco.com on 05-14-2019 01:14 PM
0
0
0
0
"Cisco is aware of the recent Fxmsp hacking claims and confirmed we are not among the vendors named. At this time, we are not aware of additional information that links Cisco products to source code or assets involved in this issue, including Cisco AMP an... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad

Ask the Expert French- routing protocols