6021 Views, 0 Helpful, 5 Replies

Troubleshooting IKEV1 MM_WAIT_MSG2

alowery.2.9872
Level 1

Hello,

 

I was looking for some assistance in troubleshooting a Site-to-Site VPN using Cisco ASA equipment.

 

On my primary outside interface, the VPN tunnel seems to come up fine and without issue. We are working on configuring a second interface to use as a backup, but are unable to get the tunnel to come up. Running show isakmp sa shows we are in MM_WAIT_MSG2 and not getting a response from the peer. (I can ping the peer, though, if that helps.) We have confirmed that the configurations are the same and accurate on both sides, but are not sure why we are not getting a response.

 

Our primary ISP works and is set up like so:

 

route outside 0.0.0.0 0.0.0.0 x.x.x.x 10 track 2

route backup 0.0.0.0 0.0.0.0 y.y.y.y 1

 

Both interfaces get out to the internet fine, and the outside interface brings up the VPN tunnel; however, the backup does not. I've used Beyond Compare to compare the config files, and everything looks to be configured the same.

 

If there are logs that will help, please let me know.

5 Replies

Sheraz.Salim
VIP Alumni

Can you share your firewall configuration? MM_WAIT_MSG2 means "Initiator sends encryption/hashing/DH IKE policy details to create initial contact. Initiator will wait at MM_WAIT_MSG2 until it hears back from its peer."

 

Can you run these commands and share the output? Export the capture file too and share it here.

*x.x.x.x is your backup public IP address and y.y.y.y is the remote peer IP address

debug crypto condition peer x.x.x.x
debug crypto ikev1 protocol 127
debug crypto ikev1 platform
capture VPN type isakmp interface backup match ip host x.x.x.x host y.y.y.y
logging buffered debugging
logging buffer-size 12096

please do not forget to rate.

Hello,

here is the output of that:

 

capture cap type raw-data [Capturing - 4377 bytes]
capture VPN type isakmp packet-length 32810 trace interface backup [Capturing - 0 bytes]
match ip host X.X.X.X host Y.Y.Y.Y
ASA(config)# May 07 00:34:25 [IKEv1]IP = Y.Y.Y.Y, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 288
May 07 00:34:33 [IKEv1]IP = Y.Y.Y.Y, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 288
May 07 00:34:41 [IKEv1 DEBUG]IP = Y.Y.Y.Y, IKE MM Initiator FSM error history (struct &0x00002aaac1fd4e60) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 07 00:34:41 [IKEv1 DEBUG]IP = Y.Y.Y.Y, IKE SA MM:64f95562 terminating: flags 0x01000022, refcnt 0, tuncnt 0
May 07 00:34:41 [IKEv1 DEBUG]IP = Y.Y.Y.Y, sending delete/delete with reason message
May 07 00:34:41 [IKEv1]IP = Y.Y.Y.Y, Warning: Ignoring IKE SA (dst) without VM bit set
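As an added example (not code from the thread, from Cisco, or from either poster), the script below shows what the state names above mean at the packet level. IKEv1 main mode is the ISAKMP "Identity Protection" exchange (type 2); message 1 is HDR + SA from the initiator with the responder cookie still all zeros, and message 2 is HDR + SA back from the responder carrying the same initiator cookie and a non-zero responder cookie. An initiator that never receives message 2 stays in MM_WAIT_MSG2 and retransmits message 1, which is exactly the repeated "IKE_DECODE RESENDING Message (msgid=0) ... HDR + SA (1)" lines in the debug output. The script replays a capture of (src, dst, datagram) tuples and reports how far the exchange got; it also distinguishes "message 1 was never seen on this interface" (the thread's capture on the backup interface reports 0 bytes while the debug shows resends) from "message 1 went out but no reply came back". The addresses, cookies, payload bytes and log lines are constructed for the example; only the 28-byte ISAKMP header layout (RFC 2408) is real.

```python
"""Classify an IKEv1 main-mode exchange from a raw UDP/500 capture.

Added example for the MM_WAIT_MSG2 thread; not Cisco code. The capture,
cookies, addresses and log lines below are constructed inline so the
script runs offline.
"""
import re
import struct

# ISAKMP header (RFC 2408 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes
EXCH_MAIN_MODE = 2                          # "Identity Protection" = main mode
PAYLOAD_SA = 1
ZERO_COOKIE = b"\x00" * 8
IKEV1_VERSION = 0x10                        # major 1, minor 0


def build_isakmp(icookie, rcookie, next_payload, body=b"", msgid=0, flags=0):
    """Pack a header in front of an opaque payload blob (constructed traffic)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, IKEV1_VERSION,
                           EXCH_MAIN_MODE, flags, msgid, length) + body


def parse_isakmp(data):
    """Return the header fields of one datagram, rejecting truncated ones."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    return {"icookie": ic, "rcookie": rc, "next": nxt, "version": ver,
            "exchange": xchg, "flags": flags, "msgid": msgid}


def main_mode_state(packets, our_ip, peer_ip):
    """Replay (src, dst, bytes) tuples and say how far phase 1 got.

    MM1: from us, next payload SA, responder cookie all zero.
    MM2: from the peer, next payload SA, our initiator cookie echoed back,
         responder cookie now filled in. No MM2 -> stuck in MM_WAIT_MSG2.
    """
    sent_mm1, got_mm2, our_cookies = 0, 0, set()
    for src, dst, data in packets:
        if {src, dst} != {our_ip, peer_ip}:
            continue                                  # some other peer
        h = parse_isakmp(data)
        if h["exchange"] != EXCH_MAIN_MODE or h["msgid"] != 0:
            continue                                  # phase 2 / aggressive mode
        if src == our_ip and h["rcookie"] == ZERO_COOKIE and h["next"] == PAYLOAD_SA:
            sent_mm1 += 1
            our_cookies.add(h["icookie"])
        elif (src == peer_ip and h["icookie"] in our_cookies
              and h["rcookie"] != ZERO_COOKIE and h["next"] == PAYLOAD_SA):
            got_mm2 += 1
    if sent_mm1 == 0:
        state = "NO_ISAKMP_SEEN"       # capture filter wrong, or MM1 left via another interface
    elif got_mm2 == 0:
        state = "MM_WAIT_MSG2"         # proposal sent, peer never answered
    else:
        state = "MM2_RECEIVED"
    return {"state": state, "mm1_sent": sent_mm1, "mm2_received": got_mm2}


# Retransmissions of main-mode message 1 in 'debug crypto ikev1' output.
RESEND_MM1 = re.compile(r"IKE_DECODE RESENDING Message \(msgid=0\) with payloads : HDR \+ SA \(1\)")


def count_mm1_resends(log_lines):
    """Count how many times the ASA re-sent MM1 (each one is a missed MM2)."""
    return sum(1 for line in log_lines if RESEND_MM1.search(line))


# --- constructed sample data ---------------------------------------------
OUR_IP, PEER_IP = "198.51.100.2", "203.0.113.9"       # documentation ranges
IC = bytes.fromhex("0102030405060708")                # constructed initiator cookie
RC = bytes.fromhex("1122334455667788")                # constructed responder cookie
SA_BLOB = b"\x00" * 40                                # stand-in for SA + VENDOR payloads

CAPTURE_STUCK = [                                     # MM1 sent twice, nothing back
    (OUR_IP, PEER_IP, build_isakmp(IC, ZERO_COOKIE, PAYLOAD_SA, SA_BLOB)),
    (OUR_IP, PEER_IP, build_isakmp(IC, ZERO_COOKIE, PAYLOAD_SA, SA_BLOB)),
]
CAPTURE_OK = CAPTURE_STUCK[:1] + [                    # MM1 then a proper MM2
    (PEER_IP, OUR_IP, build_isakmp(IC, RC, PAYLOAD_SA, SA_BLOB)),
]
SAMPLE_LOG = [                                        # patterned after the thread's debug
    "May 07 00:34:25 [IKEv1]IP = 203.0.113.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 288",
    "May 07 00:34:33 [IKEv1]IP = 203.0.113.9, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 288",
    "May 07 00:34:41 [IKEv1 DEBUG]IP = 203.0.113.9, IKE SA MM:64f95562 terminating: flags 0x01000022, refcnt 0, tuncnt 0",
]

if __name__ == "__main__":
    print(main_mode_state(CAPTURE_STUCK, OUR_IP, PEER_IP))
    print(main_mode_state(CAPTURE_OK, OUR_IP, PEER_IP))
    print("MM1 resends in log:", count_mm1_resends(SAMPLE_LOG))
```

Run against a real capture exported from the ASA, the useful split is the first one: if the interface capture matching the peer shows no MM1 at all while the debug keeps logging RESENDING, the initiator's packets are not leaving through the interface you think they are, which is a routing/interface question rather than a peer-side one; if MM1 is present and no MM2 ever arrives, the peer (or something in between on UDP/500) is dropping or ignoring the proposal from the backup address.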

Need more log to figure out what the issue is

please do not forget to rate.

What else can I provide that will be of assistance?

 

 

The logs you provided are not enough. Please provide more logs, and also share your ASA configuration.

please do not forget to rate.