cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
configure & troubleshoot anyconnect
31470
Views
15
Helpful
11
Replies
Frequent Contributor

VPN not coming up MM_NO_STATE

I have a VPN setup between 851 and 7301 router and all of a sudden it is not working.  No changes have been made to the network, I tried to clear the crypto on both ends even rebooted the remote router and still nothing.  I did however notice that when I reboot the 851 router I get an error message towards the end "configuration failed" and then I can log into it.

Any chance that there might be an issue with the router because all I am getting is "MM_NO_STATE" on both ends when I do "show crypto isakmp sa"

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN not coming up MM_NO_STATE

The debug output will tell us exactly where in Main mode it's failing, as there will be 6 packets exchanges in Main Mode.

11 REPLIES 11
Cisco Employee

Re: VPN not coming up MM_NO_STATE

MM_NO_STATE means that the VPN phase 1 (ISAKMP) is not even negotiated.

As per your description, there is configuration fails in your 851 router, so you might want to check the configuration first to make sure that all the VPN related configuration is still there.

Can you pls post the config from both routers so we can check to confirm. Thanks.

Frequent Contributor

Re: VPN not coming up MM_NO_STATE

Thank you for the reply I understand about phase 1 not even going through however what I am trying to understand is why its not going through as nothing on our side has changed.  The only thing different I am seeing is the "configuration failed" error when the 851 boots up right before the login prompt.

I have checked the configs on both ends and they match:

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key 0 abcdefghi address ip_address

crypto isakmp keepalive 60

crypto isakmp nat keepalive 120

!

crypto ipsec security-association lifetime kilobytes 536870912

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set l2l esp-3des esp-md5-hmac

!

crypto map l2l-rem 1 ipsec-isakmp

set peer ip_address

set transform-set l2l

match address crypto_address

Cisco Employee

Re: VPN not coming up MM_NO_STATE

and the crypto map is applied to the outside interface?

Can you please run "debug cry isa" and "debug cry ipsec" to see where it's failing.

Frequent Contributor

Re: VPN not coming up MM_NO_STATE

That is correct yes its applied to the outside interface.

It is failing at the main mode negotiations.  When I run wireshark I only see the main mode traffic coming through on 500 and that is it.

Cisco Employee

Re: VPN not coming up MM_NO_STATE

The debug output will tell us exactly where in Main mode it's failing, as there will be 6 packets exchanges in Main Mode.

Frequent Contributor

Re: VPN not coming up MM_NO_STATE

I will get that tomorrow, can't access the router right now for some reason looks like they took the phone line out so I can't dial into it.

Frequent Contributor

Re: VPN not coming up MM_NO_STATE

Just to update on this, issue was resolved.  Our VPN router was sitting behind customers firewall and apparently that firewall had some issues.  They rebooted their firewall and everything worked after that.

Cisco Employee

Re: VPN not coming up MM_NO_STATE

Great, and thanks for the update.

Pls kindly mark this post as answered so others can follow your thinking (looking at other firewall that might be causing the issue). Thank you.

Frequent Contributor

Re: VPN not coming up MM_NO_STATE

It won't let me click on correct

Beginner

I had the same problem.  It

I had the same problem.  It showed MM_NO_STATE and debug showed no phase 1 proposal chosen.  We verified everything, both sides matched configuration wise.  The problem was the pre-shared key was long, and we cut down few characters and everything came up smooth.

Highlighted
Contributor

Re: I had the same problem.  It

As a test to verify that passphrase length was a possible issue, I made the passphrase 1 character longer and verified it was the same on both ends. I waited a few minutes and the tunnel was still in an MM_NO_STATE.  I then made the passphrase about 10 characters shorter, and the state went to QM_IDLE almost immediately followed by tunnels up.

 

Thanks for the post!