Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390
  • Last Modified:

Error-Site-Site VPN

Hi,
We have site-site down issue , it is giving error as below when check the
sh crypto isakmp sa
SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111..X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

In the above output there is no issue with first SA with peer  IKE Peer: 115.111.X.X
if you see the second output the state is showing as   State   : MM_WAIT_MSG2,what  does it means.what is the causes for the issue.

Pls see the attachment of the Debug outputs in Level 127 and 255 of isakmp.
Pls treat this as urgent and help me


Regards
ramu



DEBUG-OUTPUT-09SEP11.TXT
DEBUG-OUTPUT-Level-255-09SEP11.TXT
0
RAMU CH
Asked:
RAMU CH
1 Solution
 
Ernie BeekCommented:
The first thing I would check is to see if the access lists used to match the traffic (in the crypto map statement) and the one used to exempt the traffic from nat (using the nat 0 statement) are the same on both sides (but opposite).
So if you have access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0 on one side, you should have access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0 on the other side.
0
 
fgasimzadeCommented:
Seems like there is no connectivity between peers
0
 
jmeggersCommented:
Agreed, the first check is whether the endpoints can find each other, then the next question is whether the configs match, as with the ACL issue mentioned above.  It looks to me like ISAKMP isn't matching on both sides, since I'm seeing "Removing peer from peer table failed, no match!".  Can you post sanitized configs for both sides?
0
 
RAMU CHAuthor Commented:
Thanks
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now