ASA Site to Site Tunnel to Checkpoint

latenaite2011
Level 4

We're trying to build an ASA tunnel to a Checkpoint firewall and we keep getting the following:


12 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2


What I noticed with the first log message, ASA-5-713041, is that it is using the 'inside' interface, as per "Intf inside":


Jan 25 2019 05:47:06 asa : %ASA-5-713041: IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address x.x.x.x, remote Proxy Address x.x.x.x , Crypto map (outsidevpn_map)
Jan 25 2019 05:47:06 asa : %ASA-7-715046: IP = X.X.X.X, constructing ISAKMP SA payload
Jan 25 2019 05:47:06 asa : %ASA-7-715046: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
Jan 25 2019 05:47:06 asa : %ASA-7-609001: Built local-host outside:X.X.X.X
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-5-713904: IP = X.X.X.X, Received an un-encrypted INVALID_ID_INFO notify message, dropping
Jan 25 2019 05:47:06 asa : %ASA-4-713903: IP = X.X.X.X, Information Exchange processing failed


Could that be the reason why this is failing? Why is it using the inside interface?


Thank you!

LN


Sheraz.Salim
VIP Alumni

Rekey : no State : MM_WAIT_MSG2


MM_WAIT_MSG2 (Initiator): Initial DH public key sent to responder. Awaiting initial contact reply from the other side. The initiator sends encr/hash/dh IKE policy details to create initial contact and will wait at MM_WAIT_MSG2 until it hears back from its peer. If stuck here, it usually means the other end is not responding. This could be due to no route to the far end, the far end not having ISAKMP enabled on the outside, or the far end being down.


Also check whether this command is configured:

crypto ikev1/2 enable outside

please do not forget to rate.
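Turning the MM_WAIT_MSG2 explanation above and the syslog lines from the original post into a small triage helper (an added example, not code from either poster; the peer and proxy addresses are constructed placeholders, and the interface-versus-crypto-map check is only a naming heuristic):

```python
import re

# Constructed sample (placeholder addresses): the ASA syslog lines quoted in the thread above.
SAMPLE_LOG = """\
Jan 25 2019 05:47:06 asa : %ASA-5-713041: IP = 203.0.113.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.5 local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0 , Crypto map (outsidevpn_map)
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 536
Jan 25 2019 05:47:06 asa : %ASA-7-713236: IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=4a160fd6) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Jan 25 2019 05:47:06 asa : %ASA-5-713904: IP = 203.0.113.5, Received an un-encrypted INVALID_ID_INFO notify message, dropping
Jan 25 2019 05:47:06 asa : %ASA-4-713903: IP = 203.0.113.5, Information Exchange processing failed
"""

SYSLOG_RE = re.compile(r"%ASA-\d-(?P<msgid>\d{6}): IP = (?P<peer>\S+), (?P<text>.*)")
PHASE1_RE = re.compile(r"Intf (?P<intf>\S+),.*Crypto map \((?P<cmap>\S+)\)")


def triage_ike_phase1(log_text):
    """Summarise one ASA IKEv1 initiator attempt from its syslog lines.

    Reports only what the lines show: the interface named in 713041, the crypto
    map, how many IKE messages went out and came back, and which explanation the
    capture matches (no reply at all, i.e. stuck at MM_WAIT_MSG2, or a peer that
    is reachable but answers with an unencrypted notify).
    """
    info = {"peer": None, "intf": None, "crypto_map": None,
            "sent": 0, "received": 0, "notify": None, "findings": []}
    for line in log_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        msgid, text = m.group("msgid"), m.group("text")
        info["peer"] = info["peer"] or m.group("peer")
        if msgid == "713041":          # IKE Initiator: New Phase 1
            p = PHASE1_RE.search(text)
            if p:
                info["intf"], info["crypto_map"] = p.group("intf"), p.group("cmap")
        elif msgid == "713236":        # IKE_DECODE SENDING / RECEIVED
            info["sent" if "SENDING" in text else "received"] += 1
        elif msgid == "713904":        # un-encrypted notify dropped
            n = re.search(r"un-encrypted (\S+) notify", text)
            info["notify"] = n.group(1) if n else "UNKNOWN"
    if info["received"] == 0:          # MM_WAIT_MSG2: no route, peer ISAKMP off, peer down, UDP/500 filtered
        info["findings"].append("NO_REPLY")
    if info["notify"]:                 # peer answered, so it is reachable, but rejected the exchange
        info["findings"].append("PEER_REJECTED")
    # Heuristic (assumption): a map named "outside..." is expected to be bound to the outside interface.
    if info["intf"] and info["crypto_map"] and not info["crypto_map"].startswith(info["intf"]):
        info["findings"].append("INTF_MISMATCH")
    return info


if __name__ == "__main__":
    for key, value in triage_ike_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For the sample above the helper reports PEER_REJECTED rather than NO_REPLY, which is the distinction that matters here: the Checkpoint is reachable on UDP/500 and answering, so the remaining checks are on its side of the configuration.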

Thank you for the response Sheraz.


I can ping the peer just fine.  I'm having them check that ISAKMP v1 is enabled on the outside interface and that they are not blocking UDP 500.


thank you!