06-19-2012 04:32 AM
Hi all,
I've been searching a while to solve the following issue. I need to set up a site-to-site VPN connection with an external company; they use a Juniper firewall and are able to set up the VPN with us. But data should be sent from us to them, so when we try to set up a connection (tested it by pinging from a desktop to the external company) the tunnel isn't coming up.
When I run the "show crypto isakmp" command I get "mm_wait_msg2", and when I run it in the ASDM packet tracer the packet goes to the VPN but it is being dropped there; it says "type-vpn, subtype-encrypt, action-drop".
Does anyone have an idea? Thx!
Result of the command: "show running-config isakmp"
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
Result of the command: "show running-config ipsec"
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
Result of the command: "show crypto isakmp"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 95.130.40.116
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 14
In Octets: 13804
In Packets: 67
In Drop Packets: 24
In Notifys: 0
In P2 Exchanges: 1
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 1
In P2 Sa Delete Requests: 0
Out Octets: 1035292
Out Packets: 6931
Out Drop Packets: 15
Out Notifys: 25
Out P2 Exchanges: 15
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 1711
Initiator Fails: 1697
Responder Fails: 16
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 8
Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
06-19-2012 05:22 AM
"MM_WAIT_MSG2" basically means that you did initiate the tunnel, and there is no reply from the Juniper end.
A couple of issues:
- Do you have any firewall/ACL etc. in front of this ASA that might be blocking the traffic? Phase 1 uses UDP/500.
- There could be firewall/acl in front of the Juniper firewall that might be blocking the traffic
- Juniper end might not have been configured yet to accept the VPN tunnel.
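A way to pull the peer role, state and failure counters out of the "show crypto isakmp" output and read them the way the reply above does. This is an added example, not code from either poster; the sample text is constructed from the question's output, and the meanings listed for states other than MM_WAIT_MSG2 follow the ASA's IKEv1 main-mode naming (the state is named after the message the side is waiting to receive).

```python
import re

# Constructed sample, trimmed from the "show crypto isakmp" output quoted in the question.
SAMPLE_OUTPUT = """\
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 95.130.40.116
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Global IKE Statistics
Active Tunnels: 0
Initiator Tunnels: 1711
Initiator Fails: 1697
Responder Fails: 16
"""

# What each main-mode wait state means for the side reporting it.
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "MSG1 (our proposal) sent, no reply: UDP/500 blocked on the path, "
                    "or the peer has no tunnel/policy configured for our address",
    "MM_WAIT_MSG3": "responder: proposal answered, waiting for initiator's key exchange",
    "MM_WAIT_MSG4": "proposal accepted, waiting for peer's DH key exchange and nonce",
    "MM_WAIT_MSG5": "responder: waiting for initiator's identity/auth",
    "MM_WAIT_MSG6": "waiting for peer's identity/auth: usually a pre-shared key mismatch",
    "MM_ACTIVE": "phase 1 established",
}


def parse_isakmp(text):
    """Return ({peer_ip: {'role': ..., 'state': ...}}, {counter_name: int})."""
    peers, stats, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"^\d+\s+IKE Peer:\s*(\S+)", line)
        if m:                                   # "1 IKE Peer: a.b.c.d" opens a peer block
            current = m.group(1)
            peers[current] = {}
            continue
        for key in ("Role", "State"):           # "Type : user Role : initiator" etc.
            m = re.search(rf"{key}\s*:\s*(\w+)", line)
            if m and current is not None:
                peers[current][key.lower()] = m.group(1)
        m = re.match(r"^([A-Za-z0-9 ]+?):\s*(\d+)", line)   # "Initiator Fails: 1697"
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return peers, stats


def diagnose(peer_ip, peers, stats):
    """One-line reading of a peer's phase-1 state plus the global initiator failure ratio."""
    info = peers[peer_ip]
    meaning = MM_STATE_MEANING.get(info["state"], "unknown state")
    attempts, fails = stats.get("Initiator Tunnels", 0), stats.get("Initiator Fails", 0)
    ratio = fails / attempts if attempts else 0.0
    return (f"{peer_ip} as {info['role']} in {info['state']}: {meaning} "
            f"({ratio:.0%} of {attempts} initiator attempts failed)")
```

On the question's output this reports the peer as initiator stuck in MM_WAIT_MSG2 with 99% of initiator attempts failed, which is consistent with the far end never answering MSG1.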