01-25-2019 05:47 AM
We're trying to build an ASA tunnel to a Checkpoint firewall and we keep getting the following:
12 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
What I noticed with the first log message, ASA-5-713041, is that it is using the 'inside' interface, as per "Intf inside":
Jan 25 2019 05:47:06 asa : %ASA-5-713041: IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address x.x.x.x, remote Proxy Address x.x.x.x , Crypto map (outsidevpn_map)
Jan 25 2019 05:47:06 asa : %ASA-7-715046: IP = X.X.X.X, constructing ISAKMP SA payload
Jan 25 2019 05:47:06 asa : %ASA-7-715046: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
Jan 25 2019 05:47:06 asa : %ASA-7-609001: Built local-host outside:X.X.X.X
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-5-713904: IP = X.X.X.X, Received an un-encrypted INVALID_ID_INFO notify message, dropping
Jan 25 2019 05:47:06 asa : %ASA-4-713903: IP = X.X.X.X, Information Exchange processing failed
Could that be the reason why this is failing? Why is it using the inside interface?
Thank you!
LN
01-25-2019 06:40 AM - edited 01-25-2019 06:45 AM
Rekey : no State : MM_WAIT_MSG2
!
MM_WAIT_MSG2: Initiator. Initial DH public key sent to responder. Awaiting initial contact reply from the other side. Initiator sends encr/hash/dh IKE policy details to create initial contact. Initiator will wait at MM_WAIT_MSG2 until it hears back from its peer. If stuck here it usually means the other end is not responding. This could be due to no route to the far end, or the far end does not have ISAKMP enabled on the outside, or the far end is down.
Is the command configured for the outside interface?
crypto ikev1/2 enable outside
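As an added example (not from this thread, and not Cisco's or Check Point's code), here is a small Python parser that reads ASA IKEv1 syslog lines like the ones in the first post and tells apart the two ways an initiator ends up sitting in MM_WAIT_MSG2: the peer never answers at all (the route / ISAKMP-not-enabled / UDP 500 case described above), versus the peer does answer on UDP/500 but with an un-encrypted notify that the ASA drops, as the INVALID_ID_INFO lines in the first post show. Both log samples are constructed from the posted lines with documentation-range placeholder addresses; the verdict labels, the record field names and the regular expressions are my own assumptions, not ASA message definitions.

```python
import re

# Constructed sample, modelled on the syslog lines in the original post.
# The peer address is a documentation-range placeholder, not a real endpoint.
LOG_REJECTED = """\
Jan 25 2019 05:47:06 asa : %ASA-5-713041: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0 , Crypto map (outsidevpn_map)
Jan 25 2019 05:47:06 asa : %ASA-7-715046: IP = 203.0.113.10, constructing ISAKMP SA payload
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
Jan 25 2019 05:47:06 asa : %ASA-7-609001: Built local-host outside:203.0.113.10
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-5-713904: IP = 203.0.113.10, Received an un-encrypted INVALID_ID_INFO notify message, dropping
Jan 25 2019 05:47:06 asa : %ASA-4-713903: IP = 203.0.113.10, Information Exchange processing failed
"""

# Constructed: same initiator, but the peer never answers (the classic MM_WAIT_MSG2 hang).
LOG_SILENT = """\
Jan 25 2019 05:47:06 asa : %ASA-5-713041: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0 , Crypto map (outsidevpn_map)
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
Jan 25 2019 05:47:14 asa : %ASA-7-713236: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
"""

# Hypothetical patterns written against the line shapes above, not an official grammar.
HDR_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<code>\d{6}): IP = (?P<peer>[0-9.]+), (?P<body>.*)$")
PHASE1_RE = re.compile(r"New Phase 1, Intf (?P<intf>\S+),.*Crypto map \((?P<cmap>[^)]+)\)")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RECEIVED) Message \(msgid=(?P<id>[0-9a-f]+)\) "
                       r"with payloads : (?P<payloads>.*?) total length")
NOTIFY_RE = re.compile(r"Received an (?P<prot>un-encrypted|encrypted) (?P<name>[A-Z_]+) notify message")


def new_state():
    return {"intf": None, "crypto_map": None, "sent": [], "received": [],
            "notifies": [], "failed": False, "verdict": None}


def classify(st):
    """Decide which MM_WAIT_MSG2 branch the evidence supports (labels are my own)."""
    if any("SA (1)" in p for p in st["received"]):
        return "phase1_progressed"          # MM2 arrived; any problem is later than MSG2
    if st["received"] or st["notifies"]:
        return "peer_answered_with_notify"  # reachable on UDP/500, but refused the exchange
    if any("SA (1)" in p for p in st["sent"]):
        return "no_reply_from_peer"         # MM1 retransmitted into silence: route / UDP 500 / IKE enable
    return "no_phase1_attempt"


def parse_isakmp_log(text):
    """Fold ASA IKEv1 syslog lines into one record per peer IP."""
    peers = {}
    for line in text.splitlines():
        hdr = HDR_RE.search(line)
        if not hdr:
            continue  # lines without an "IP = peer" field (e.g. 609001) carry no IKE state
        st = peers.setdefault(hdr["peer"], new_state())
        body, code = hdr["body"], hdr["code"]
        if code == "713041":            # New Phase 1: which interface and crypto map started it
            m = PHASE1_RE.search(body)
            if m:
                st["intf"], st["crypto_map"] = m["intf"], m["cmap"]
        elif code == "713236":          # IKE_DECODE: record payload list per direction
            m = DECODE_RE.search(body)
            if m:
                payloads = [p.strip() for p in m["payloads"].split("+")]
                st["sent" if m["dir"] == "SENDING" else "received"].append(payloads)
        elif code == "713904":          # a notify the ASA received (and here dropped)
            m = NOTIFY_RE.search(body)
            if m:
                st["notifies"].append((m["prot"], m["name"]))
        elif code == "713903":          # Information Exchange processing failed
            st["failed"] = True
    for st in peers.values():
        st["verdict"] = classify(st)
    return peers


if __name__ == "__main__":
    for label, log in (("rejected", LOG_REJECTED), ("silent", LOG_SILENT)):
        for peer, st in parse_isakmp_log(log).items():
            print(f"{label}: peer {peer} via {st['intf']} / {st['crypto_map']}: "
                  f"{st['verdict']} notifies={st['notifies']} failed={st['failed']}")
```

Feed it the output of `show logging` (with the IKE debug classes at level 7) or a syslog export. The useful distinction it draws is that any RECEIVED line at all, even a notify that the ASA drops because it is un-encrypted and therefore unauthenticated, proves the peer is reachable and answering IKE on UDP/500; that rules out the silent-peer branch Sheraz describes and moves the investigation to what the responder is objecting to.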
01-25-2019 09:50 AM
Thank you for the response Sheraz.
I can ping the peer just fine. I'm having them check that ISAKMP v1 is enabled on the outside interface and that they are not blocking UDP 500.
thank you!