I have a VPN set up between an 851 and a 7301 router and all of a sudden it is not working. No changes have been made to the network. I tried to clear the crypto on both ends, even rebooted the remote router, and still nothing. I did however notice that when I reboot the 851 router I get an error message towards the end, "configuration failed", and then I can log into it.
Any chance that there might be an issue with the router? All I am getting is "MM_NO_STATE" on both ends when I do "show crypto isakmp sa".
MM_NO_STATE means that the VPN phase 1 (ISAKMP) is not even negotiated.
As per your description, there is a configuration failure on your 851 router, so you might want to check the configuration first to make sure that all the VPN-related configuration is still there.
Can you please post the config from both routers so we can check to confirm? Thanks.
Thank you for the reply. I understand about phase 1 not even going through; however, what I am trying to understand is why it's not going through, as nothing on our side has changed. The only thing different I am seeing is the "configuration failed" error when the 851 boots up, right before the login prompt.
I have checked the configs on both ends and they match:
crypto isakmp policy 1
crypto isakmp key 0 abcdefghi address ip_address
crypto isakmp keepalive 60
crypto isakmp nat keepalive 120
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set l2l esp-3des esp-md5-hmac
crypto map l2l-rem 1 ipsec-isakmp
 set peer ip_address
 set transform-set l2l
 match address crypto_address
And the crypto map is applied to the outside interface?
Can you please run "debug cry isa" and "debug cry ipsec" to see where it's failing.
That is correct, yes, it's applied to the outside interface.
It is failing at the main mode negotiations. When I run Wireshark I only see the main mode traffic coming through on 500 and that is it.
I will get that tomorrow. I can't access the router right now for some reason; it looks like they took the phone line out, so I can't dial into it.
Just to update on this, the issue was resolved. Our VPN router was sitting behind the customer's firewall and apparently that firewall had some issues. They rebooted their firewall and everything worked after that.
Great, and thanks for the update.
Please kindly mark this post as answered so others can follow your thinking (looking at another firewall that might be causing the issue). Thank you.
I had the same problem. It showed MM_NO_STATE and debug showed no phase 1 proposal chosen. We verified everything; both sides matched configuration-wise. The problem was the pre-shared key was long, and we cut down a few characters and everything came up smoothly.
As a test to verify that passphrase length was a possible issue, I made the passphrase 1 character longer and verified it was the same on both ends. I waited a few minutes and the tunnel was still in MM_NO_STATE. I then made the passphrase about 10 characters shorter, and the state went to QM_IDLE almost immediately, followed by tunnels up.
Thanks for the post!