Solved

Error-Site-Site VPN

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi,
We have a site-to-site down issue; it gives the error below when we check
sh crypto isakmp sa
SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111..X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

In the above output there is no issue with the first SA, with peer IKE Peer: 115.111.X.X.
If you look at the second output, the state is showing as State : MM_WAIT_MSG2. What does it mean? What is the cause of the issue?

Please see the attached debug outputs at level 127 and 255 of isakmp.
Please treat this as urgent and help me.


Regards
ramu



DEBUG-OUTPUT-09SEP11.TXT
DEBUG-OUTPUT-Level-255-09SEP11.TXT
0
Question by:RAMU CH
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36508727
The first thing I would check is to see if the access lists used to match the traffic (in the crypto map statement) and the one used to exempt the traffic from nat (using the nat 0 statement) are the same on both sides (but opposite).
So if you have access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0 on one side, you should have access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0 on the other side.
0
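An added example, not part of the thread or any poster's code: a small Python check that the ACL on one peer is the swapped twin of the ACL on the other, as the comment above recommends. The ACL name "vpn" and both sample configs are constructed for illustration; only the `nonat` line format and the 192.168.203.0 / 10.10.0.0 networks come from the thread.

```python
import ipaddress
import re

# Handles only the "permit ip <net> <mask> <net> <mask>" form quoted in the
# thread; host/any/object-group entries are out of scope and are skipped.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_acl(config, name):
    """Return the set of (source, destination) networks in ACL `name`."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        try:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        except ValueError:
            continue  # not a plain network/mask entry
        entries.add((src, dst))
    return entries

def mirror_mismatches(local_cfg, remote_cfg, local_acl, remote_acl):
    """List entries on either side that have no swapped twin on the other."""
    local = parse_acl(local_cfg, local_acl)
    remote = parse_acl(remote_cfg, remote_acl)
    swapped_remote = {(dst, src) for src, dst in remote}
    swapped_local = {(dst, src) for src, dst in local}
    return {
        "local_only": sorted(local - swapped_remote, key=str),
        "remote_only": sorted(remote - swapped_local, key=str),
    }

# Constructed configs: "vpn" is a hypothetical crypto-map ACL name; site B's
# nonat entry carries a deliberately wrong mask.
SITE_A = """\
access-list vpn extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0
"""
SITE_B = """\
access-list vpn extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.203.0 255.255.255.0
"""

if __name__ == "__main__":
    for acl in ("vpn", "nonat"):
        print(acl, mirror_mismatches(SITE_A, SITE_B, acl, acl))
```

Run it against the sanitized configs of both peers, once for the crypto-map ACL and once for the NAT-exemption ACL; any entry it reports has no matching opposite on the other side.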
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36509188
Seems like there is no connectivity between peers
0
 
LVL 18

Accepted Solution

by: jmeggers earned 500 total points
ID: 36513072
Agreed, the first check is whether the endpoints can find each other, then the next question is whether the configs match, as with the ACL issue mentioned above.  It looks to me like ISAKMP isn't matching on both sides, since I'm seeing "Removing peer from peer table failed, no match!".  Can you post sanitized configs for both sides?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36594511
Thanks
0
