Cisco Community
English
Register
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Blog- Changes on Community Labels
144
Views
0
Helpful
2
Replies
Highlighted
NPTsIT
NPTsIT Beginner
Beginner
‎12-05-2018 10:50 AM
‎12-05-2018 10:50 AM

Site-to-Site VPN stuck at MM_WAIT_MSG4

EDIT: Thanks for the help! I fixed the configuration and all has been fixed.

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
RJI
VIP Engager RJI VIP Engager
VIP Engager
‎12-05-2018 02:57 PM
‎12-05-2018 02:57 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH
0 Helpful
Reply
2 REPLIES
RJI
VIP Engager RJI VIP Engager
VIP Engager
‎12-05-2018 02:57 PM
‎12-05-2018 02:57 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for FW1 peer? If so you've configured "pfs" and "ikev1 phase-mode aggressive" under this crypto-map on FW2 but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both Firewalls. I'd recommend not using aggressive-mode at all

HTH
0 Helpful
Reply
RJI
VIP Engager RJI VIP Engager
VIP Engager
‎12-05-2018 03:02 PM
‎12-05-2018 03:02 PM

Re: Site-to-Site VPN stuck at MM_WAIT_MSG4

Hi,

My first reply was marked as spam for some reason!

 

The configuration of the crypto maps are different, you need to make sure they match. I'd recommend removing "ikev1 phase1-mode aggressive" command from the FW2 firewall and add "pfs" to the FW1 configuration.

 

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

 

HTH

0 Helpful
Reply
Latest Contents
Getting Started with AMP for Endpoints
Created by ashherri on 02-15-2019 12:13 PM
0
0
0
0
  Just getting started with AMP for Endpoints? If so, make sure to check out this video featuring John Dominguez with the Cisco Security Team. In this video, John introduces you to Cisco’s Advanced Malware Protection (AMP) for Endpoints that is a n... view more
Getting Started with AMP For Endpoints
Created by ashherri on 02-15-2019 12:07 PM
0
0
0
0
  Just getting started with AMP for Endpoints? If so, make sure to check out this video featuring John Dominguez with the Cisco Security Team. In this video, John introduces you to Cisco’s Advanced Malware Protection (AMP) for Endpoints that is a ne... view more
ISE Portal Builder General overlay scripts
Created by Jason Kunst on 02-13-2019 10:54 AM
0
0
0
0
This document lists some options you have to insert script after implementing a portal using portal builder Implement guest portal using SAML SSO provider button This allows you to point your ISE Portal builder portal to a page configured for SAML SSO lo... view more
ISE Portal Support Page MAC Address as a QR Code
Created by Jason Kunst on 02-12-2019 07:57 AM
0
0
0
0
Symptoms I would like to present the MAC address for a device on-boarding flow as a QR code on support page.   Diagnosis This can be done utilizing a custom .js script embedded into the support page.  Solution For general information on po... view more
Quick Start Guide for Cisco Threat Response and Umbrella
Created by diddly on 02-11-2019 01:28 PM
0
0
0
0
 Here is a getting started guide for Cisco Threat Response and Umbrella
CreatePlease to create content
Discussion
Blog
Document
Video

Blog-Cisco Community Designated VIP Dinner CLEUR2019