Solved

Error-Site-Site VPN

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi,
We have a site-to-site VPN down issue. It is giving the error below when I check
sh crypto isakmp sa:
SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111..X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

In the above output there is no issue with the first SA, with peer 115.111.X.X.
If you look at the second entry, the state is showing as State : MM_WAIT_MSG2. What does this mean, and what are the causes of the issue?

Please see the attached debug outputs at ISAKMP levels 127 and 255.
Please treat this as urgent and help me.


Regards
ramu



DEBUG-OUTPUT-09SEP11.TXT
DEBUG-OUTPUT-Level-255-09SEP11.TXT
Question by:RAMU CH
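For readers landing on this thread with the same question, the following is an added example (not code from the original post): a small parser for the `show crypto isakmp sa` output quoted above that explains what each main-mode wait state means. In IKEv1 main mode the initiator sends messages 1, 3 and 5 and waits for 2, 4 and 6, so MM_WAIT_MSG2 on an initiator means the ASA sent its first proposal and nothing came back from the peer; the sample output is constructed from the question, with the peer addresses kept as placeholders.

```python
"""Parse `show crypto isakmp sa` from a Cisco ASA and explain IKEv1 wait states.

Added example, not code from the thread. SAMPLE_OUTPUT is constructed from the
output quoted in the question (peer addresses kept as placeholders).
"""
import re

SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111.X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")
WAIT_RE = re.compile(r"^(MM|AM)_WAIT_MSG(\d)$")
ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}


def parse_isakmp_sa(text):
    """Return one dict per IKE SA: index, peer, type, role, rekey, state."""
    sas, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "peer": m.group(2)}
            sas.append(current)
        elif current is not None:
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return sas


def diagnose(sa):
    """Explain what the SA is waiting for. Main mode has six messages: the
    initiator sends 1, 3, 5 and waits for 2, 4, 6; the responder sends 2, 4, 6
    and waits for 3 and 5. MM_WAIT_MSGn means 'message n from the peer has
    not arrived'."""
    state = sa.get("state", "")
    if state in ESTABLISHED:
        return "phase 1 established"
    m = WAIT_RE.match(state)
    if not m:
        return f"unrecognised state {state!r}"
    mode = "main" if m.group(1) == "MM" else "aggressive"
    n = int(m.group(2))
    text = f"{mode} mode: waiting for message {n} from {sa['peer']}"
    if m.group(1) == "MM" and n == 2:
        # Nothing came back after our first proposal: a reachability, UDP/500
        # filtering or peer-not-configured problem, not yet a policy/key mismatch.
        text += (" (we sent MM1 and got no reply: check reachability to the peer,"
                 " that UDP/500 is not filtered, and that the peer has ISAKMP"
                 " enabled on its outside interface with a crypto map entry for us)")
    return text


def find_stuck(text):
    """(index, peer, state) for every SA that has not reached *_ACTIVE."""
    return [(sa["index"], sa["peer"], sa["state"])
            for sa in parse_isakmp_sa(text) if sa.get("state") not in ESTABLISHED]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f"{sa['index']} {sa['peer']:<14} {sa['role']:<10} "
              f"{sa['state']:<13} {diagnose(sa)}")
```

Running it against the sample flags only SA 2 (209.252.X.X, initiator, MM_WAIT_MSG2); the established AM_ACTIVE session with the first peer is reported as fine, which matches the question's own reading of the output.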
4 Comments
Expert Comment by: Ernie Beek

The first thing I would check is whether the access list used to match the traffic (in the crypto map statement) and the one used to exempt the traffic from NAT (the nat 0 statement) are the same on both sides (but mirrored).
So if you have access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0 on one side, you should have access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0 on the other side.
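The mirroring check described in this comment can be automated. The script below is an added example, not the expert's own code: it parses the `permit ip` entries of the crypto-map ACL and the nat 0 ACL from two config fragments, reports entries on either side that lack a reversed counterpart on the other, and additionally reports traffic a side selects for encryption but does not exempt from NAT. SITE_A and SITE_B are constructed fragments using the networks from the comment plus one extra entry to show a mismatch; the ACL names outside_cryptomap and nonat are hypothetical, and the nat 0 syntax is the pre-8.3 form used in this thread.

```python
"""Check crypto-map and nat 0 ACLs are mirrored between two ASA VPN peers.

Added example, not code from the thread. SITE_A and SITE_B are constructed
config fragments; ACL names are hypothetical.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

SITE_A = """\
access-list outside_cryptomap extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

SITE_B = """\
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 10.20.0.5 192.168.203.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def _take_network(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(config, name):
    """Set of (src_net, dst_net) for the 'permit ip' entries of ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            tokens = m.group(2).split()
            src = _take_network(tokens)
            dst = _take_network(tokens)
            pairs.add((src, dst))
    return pairs


def unmirrored(local, remote):
    """Entries on each side whose (dst, src) counterpart is absent on the other."""
    return ({p for p in local if (p[1], p[0]) not in remote},
            {p for p in remote if (p[1], p[0]) not in local})


def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)


def check_sites(local_cfg, remote_cfg, crypto="outside_cryptomap", nonat="nonat"):
    """Compare both ACLs across the two peers; empty lists mean no mismatch."""
    lc, ln = parse_acl(local_cfg, crypto), parse_acl(local_cfg, nonat)
    rc, rn = parse_acl(remote_cfg, crypto), parse_acl(remote_cfg, nonat)
    crypto_l, crypto_r = unmirrored(lc, rc)
    nonat_l, nonat_r = unmirrored(ln, rn)
    return {
        "local_crypto_without_remote_mirror": _fmt(crypto_l),
        "remote_crypto_without_local_mirror": _fmt(crypto_r),
        "local_nonat_without_remote_mirror": _fmt(nonat_l),
        "remote_nonat_without_local_mirror": _fmt(nonat_r),
        # traffic selected for encryption but still NATed never matches the tunnel
        "local_crypto_not_nat_exempt": _fmt(lc - ln),
        "remote_crypto_not_nat_exempt": _fmt(rc - rn),
    }


if __name__ == "__main__":
    for key, entries in check_sites(SITE_A, SITE_B).items():
        print(f"{key}: {entries or 'OK'}")
```

On the constructed fragments the 192.168.203.0/24 <-> 10.10.0.0/24 pair is consistent everywhere, while site B's extra host 10.20.0.5 entry has no mirror in site A's crypto ACL and is not NAT-exempt on B, and site A's extra nonat entry for 10.20.0.0/24 has no mirror on B. Only `permit ip` entries are handled; ASA 8.3 and later replace nat 0 with object or twice NAT, so the exemption check would need adapting there.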
Expert Comment by: fgasimzade

Seems like there is no connectivity between the peers.
Accepted Solution by: jmeggers (earned 500 total points)

Agreed, the first check is whether the endpoints can find each other; then the next question is whether the configs match, as with the ACL issue mentioned above. It looks to me like ISAKMP isn't matching on both sides, since I'm seeing "Removing peer from peer table failed, no match!". Can you post sanitized configs for both sides?
Author Closing Comment by: RAMU CH

Thanks