VPN not coming up MM_NO_STATE

ALIAOF_
Level 6

I have a VPN set up between an 851 and a 7301 router, and all of a sudden it is not working. No changes have been made to the network. I tried to clear the crypto on both ends and even rebooted the remote router, and still nothing. I did, however, notice that when I reboot the 851 router I get an error message towards the end, "configuration failed", and then I can log into it.

Any chance that there might be an issue with the router? All I am getting is "MM_NO_STATE" on both ends when I do "show crypto isakmp sa".

1 Accepted Solution

The debug output will tell us exactly where in Main Mode it's failing, as there will be 6 packet exchanges in Main Mode.


Jennifer Halim
Cisco Employee

MM_NO_STATE means that the VPN phase 1 (ISAKMP) is not even negotiated.

As per your description, there is a configuration failure on your 851 router, so you might want to check the configuration first to make sure that all the VPN-related configuration is still there.

Can you please post the config from both routers so we can check to confirm? Thanks.

Thank you for the reply. I understand about phase 1 not even going through; however, what I am trying to understand is why it's not going through, as nothing on our side has changed. The only thing different I am seeing is the "configuration failed" error when the 851 boots up, right before the login prompt.

I have checked the configs on both ends and they match:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 abcdefghi address ip_address
crypto isakmp keepalive 60
crypto isakmp nat keepalive 120
!
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
!
crypto map l2l-rem 1 ipsec-isakmp
 set peer ip_address
 set transform-set l2l
 match address crypto_address

And the crypto map is applied to the outside interface?

Can you please run "debug cry isa" and "debug cry ipsec" to see where it's failing?

That is correct, yes, it's applied to the outside interface.

It is failing at the Main Mode negotiations. When I run Wireshark I only see the Main Mode traffic coming through on 500 and that is it.

The debug output will tell us exactly where in Main Mode it's failing, as there will be 6 packet exchanges in Main Mode.
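
The fixed ISAKMP header of each UDP/500 datagram in a capture is enough to tell how far the six-message Main Mode exchange got. The following is an added example, not part of the original thread: the function names and sample packets are constructed, and it assumes the caller knows which peer is the initiator and that the payloads come from UDP/500 (no NAT-T marker in front of the header).

```python
import struct

# ISAKMP fixed header (RFC 2408): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE = 2             # exchange type "Identity Protection"
SA, KE = 1, 4             # first-payload types of messages 1/2 and 3/4
ENCRYPTED = 0x01          # flag bit set on messages 5/6

def main_mode_message(udp_payload, from_initiator):
    """Main Mode message number (1-6), or None for anything else."""
    if len(udp_payload) < HDR.size:
        return None
    _, _, nxt, _, xchg, flags, _, length = HDR.unpack_from(udp_payload)
    if xchg != MAIN_MODE or length < HDR.size:
        return None
    if flags & ENCRYPTED:
        pair = 5          # identities and authentication hash
    elif nxt == SA:
        pair = 1          # policy proposal / selection
    elif nxt == KE:
        pair = 3          # Diffie-Hellman values and nonces
    else:
        return None
    # Each pair is request then reply, so direction picks the message.
    return pair if from_initiator else pair + 1

def last_stage(packets):
    """Highest message number in [(udp_payload, from_initiator), ...]; 0 if none."""
    seen = (main_mode_message(p, d) for p, d in packets)
    return max((m for m in seen if m), default=0)

def sample(nxt, flags=0, r_cookie=bytes(8)):
    """Constructed header-only datagram for the demo below."""
    return HDR.pack(b"\x11" * 8, r_cookie, nxt, 0x10, MAIN_MODE, flags, 0, HDR.size)

if __name__ == "__main__":
    # Constructed capture: message 1 retransmitted, no reply from the peer.
    stalled = [(sample(SA), True)] * 3
    print("last Main Mode message seen:", last_stage(stalled))
```

A capture that never gets past message 1 means the initiator's proposal is going unanswered, which is the point at which to look at the path and the peer rather than at later key or identity settings.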

I will get that tomorrow. I can't access the router right now; for some reason it looks like they took the phone line out, so I can't dial into it.

Just to update on this, the issue was resolved. Our VPN router was sitting behind the customer's firewall and apparently that firewall had some issues. They rebooted their firewall and everything worked after that.

Great, and thanks for the update.

Please kindly mark this post as answered so others can follow your thinking (looking at another firewall that might be causing the issue). Thank you.

It won't let me click on correct.

acontractor
Level 1

I had the same problem. It showed MM_NO_STATE and debug showed no phase 1 proposal chosen. We verified everything; both sides matched configuration-wise. The problem was the pre-shared key was long, and we cut down a few characters and everything came up smooth.

As a test to verify that passphrase length was a possible issue, I made the passphrase 1 character longer and verified it was the same on both ends. I waited a few minutes and the tunnel was still in an MM_NO_STATE. I then made the passphrase about 10 characters shorter, and the state went to QM_IDLE almost immediately, followed by tunnels up.

Thanks for the post!
