Solved

Error-Site-Site VPN

Posted on 2011-09-09
4
385 Views
Last Modified: 2012-05-12
Hi,
We have site-site down issue , it is giving error as below when check the
sh crypto isakmp sa
SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111..X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

In the above output there is no issue with first SA with peer  IKE Peer: 115.111.X.X
if you see the second output the state is showing as   State   : MM_WAIT_MSG2,what  does it means.what is the causes for the issue.

Pls see the attachment of the Debug outputs in Level 127 and 255 of isakmp.
Pls treat this as urgent and help me


Regards
ramu



DEBUG-OUTPUT-09SEP11.TXT
DEBUG-OUTPUT-Level-255-09SEP11.TXT
0
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36508727
The first thing I would check is to see if the access lists used to match the traffic (in the crypto map statement) and the one used to exempt the traffic from nat (using the nat 0 statement) are the same on both sides (but opposite).
So if you have access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0 on one side, you should have access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0 on the other side.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36509188
Seems like there is no connectivity between peers
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 36513072
Agreed, the first check is whether the endpoints can find each other, then the next question is whether the configs match, as with the ACL issue mentioned above.  It looks to me like ISAKMP isn't matching on both sides, since I'm seeing "Removing peer from peer table failed, no match!".  Can you post sanitized configs for both sides?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36594511
Thanks
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question