Solved

Error-Site-Site VPN

Posted on 2011-09-09
387 Views
Last Modified: 2012-05-12
Hi,
We have a site-to-site VPN down issue; it gives the output below when I check with
sh crypto isakmp sa
SEZ-ODC5-Firewall# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111..X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

In the above output there is no issue with the first SA, with IKE Peer: 115.111.X.X.
If you look at the second entry, the state shows as State   : MM_WAIT_MSG2. What does it mean, and what are the causes of the issue?

Please see the attached debug outputs at ISAKMP levels 127 and 255.
Please treat this as urgent and help me.


Regards
ramu



DEBUG-OUTPUT-09SEP11.TXT
DEBUG-OUTPUT-Level-255-09SEP11.TXT
Question by:RAMU CH
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36508727
The first thing I would check is whether the access lists used to match the traffic (in the crypto map statement) and the ones used to exempt the traffic from NAT (using the nat 0 statement) are the same on both sides (but mirrored).
So if you have access-list nonat extended permit ip 192.168.203.0 255.255.255.0 10.10.0.0 255.255.255.0 on one side, you should have access-list nonat extended permit ip 10.10.0.0 255.255.255.0 192.168.203.0 255.255.255.0 on the other side.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36509188
Seems like there is no connectivity between the peers.
 
LVL 18

Accepted Solution

by: jmeggers (earned 500 total points)
ID: 36513072
Agreed, the first check is whether the endpoints can find each other, then the next question is whether the configs match, as with the ACL issue mentioned above.  It looks to me like ISAKMP isn't matching on both sides, since I'm seeing "Removing peer from peer table failed, no match!".  Can you post sanitized configs for both sides?
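To make the advice in this thread repeatable, here is an added example (not code from the question or any answer) that parses the `sh crypto isakmp sa` output shown above and flags each IKE SA that has not completed phase 1, together with the first thing to verify. The sample text is constructed to mirror the question's output with the same placeholder addresses; the hint for MM_WAIT_MSG2 follows the answers in this thread, while the other state hints are general ASA IKEv1 troubleshooting knowledge and are assumptions, not something stated on this page.

```python
import re

# Constructed sample mirroring the output in the question (X.X are placeholders).
SAMPLE = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 115.111.X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 209.252.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# What each common IKEv1 state means on an ASA and what to check first (assumed
# from general ASA experience; only the MM_WAIT_MSG2 entry comes from this thread).
STATE_HINTS = {
    "MM_ACTIVE": "phase 1 established (main mode)",
    "AM_ACTIVE": "phase 1 established (aggressive mode)",
    "MM_WAIT_MSG2": "we sent main-mode message 1 and got no reply: verify the peer "
                    "is reachable and UDP/500 is not filtered, then that the peer "
                    "has a matching ISAKMP policy, crypto map peer and mirrored ACLs",
    "MM_WAIT_MSG6": "waiting for the peer's authentication: usually a pre-shared "
                    "key or identity mismatch",
}

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)", re.M)
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")

def parse_isakmp_sa(text):
    """Return one dict per IKE SA: peer, role, state, established flag and hint."""
    sas = []
    parts = PEER_RE.split(text)[1:]            # [peer, body, peer, body, ...]
    for peer, body in zip(parts[0::2], parts[1::2]):
        role = ROLE_RE.search(body)
        state = STATE_RE.search(body)
        name = state.group(1) if state else "UNKNOWN"
        sas.append({
            "peer": peer,
            "role": role.group(1) if role else "unknown",
            "state": name,
            "established": name.endswith("_ACTIVE"),
            "hint": STATE_HINTS.get(name, "unrecognised state; collect debug crypto isakmp"),
        })
    return sas

def stuck_peers(text):
    """Peers whose phase 1 has not completed, in the order the ASA listed them."""
    return [sa["peer"] for sa in parse_isakmp_sa(text) if not sa["established"]]

if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE):
        print(f"{sa['peer']:<14} {sa['role']:<10} {sa['state']:<13} {sa['hint']}")
```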
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36594511
Thanks
