Site-to-Site VPN stuck at MM_WAIT_MSG4

NPTsIT
Level 1

EDIT: Thanks for the help! I fixed the configuration and all has been fixed.

Accepted Solution

Hi,
On FW2 you've configured the crypto map sequence number 11, is this the correct VPN sequence for the FW1 peer? If so, you've configured "pfs" and "ikev1 phase1-mode aggressive" under this crypto map on FW2, but you don't have the same configured on FW1.

FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA

These attributes need to match on both firewalls. I'd recommend not using aggressive mode at all.

HTH

2 Replies

Hi,

My first reply was marked as spam for some reason!


The configurations of the crypto maps are different; you need to make sure they match. I'd recommend removing the "ikev1 phase1-mode aggressive" command from the FW2 firewall and adding "pfs" to the FW1 configuration.


FW1
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside

FW2
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA


HTH
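The point made in both replies above is that the negotiated crypto map settings (pfs, phase 1 mode, transform set) have to agree on both peers, while "peer" and "match address" are mirrored rather than identical. As an added example that is not part of the thread or of any Cisco tool, the script below parses the two ASA fragments quoted in the replies (peer addresses kept as the poster's placeholders) and reports the settings that differ, plus a note whenever either side still has aggressive mode configured.

```python
import re
from collections import defaultdict

# Constructed sample input: the two crypto map fragments quoted in the thread,
# with the peer addresses left as the placeholders the poster used.
FW1_CONFIG = """
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside_map 1 set ikev1 transform-set AES-256-SHA
crypto map outside_map interface outside
"""
FW2_CONFIG = """
crypto map outside_map 11 match address management_cryptomap_2
crypto map outside_map 11 set pfs
crypto map outside_map 11 set peer cc.cc.cc.cc
crypto map outside_map 11 set ikev1 phase1-mode aggressive
crypto map outside_map 11 set ikev1 transform-set AES-256-SHA
"""

# Settings both peers must agree on; 'peer' and 'match address' are mirrored
# (each side names the other), so they are deliberately not compared.
NEGOTIATED = ("pfs", "ikev1 phase1-mode", "ikev1 transform-set")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address (\S+)|set (.+))$")

def parse_crypto_maps(config):
    """Return {sequence: {setting: value}}; the 'interface' line has no sequence and is skipped."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        seq = int(m.group(2))
        if m.group(4):
            maps[seq]["match address"] = m.group(4)
            continue
        parts = m.group(5).split()
        if parts[0] == "ikev1":      # 'ikev1 transform-set X', 'ikev1 phase1-mode aggressive'
            maps[seq][" ".join(parts[:2])] = " ".join(parts[2:])
        else:                        # 'peer X', or the flag-only 'pfs'
            maps[seq][parts[0]] = " ".join(parts[1:]) or "enabled"
    return dict(maps)

def compare_entries(local, remote):
    """List negotiated settings that differ, plus a note if either side uses aggressive mode."""
    findings = [f"{attr}: local={local.get(attr, 'absent')} remote={remote.get(attr, 'absent')}"
                for attr in NEGOTIATED if local.get(attr) != remote.get(attr)]
    if "aggressive" in (local.get("ikev1 phase1-mode"), remote.get("ikev1 phase1-mode")):
        findings.append("ikev1 phase1-mode aggressive in use: use main mode on both peers")
    return findings

if __name__ == "__main__":
    fw1, fw2 = parse_crypto_maps(FW1_CONFIG)[1], parse_crypto_maps(FW2_CONFIG)[11]
    for finding in compare_entries(fw1, fw2):
        print(finding)
```

Run against the thread's fragments it reports the missing pfs and the phase 1 mode mismatch on FW1's side, which is exactly the state that leaves IKEv1 waiting at MM_WAIT_MSG4.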