Status: Solved

Cisco EZ VPN tunnel won't come up all the way, AM_WAIT_MSG3 message

My home office firewall is an ASA 5520. Remote Site A connects fine using an EZ VPN client connection on an ASA 5506. Remote Site B, also with an EZ VPN client connection on a 5506, cannot successfully establish a tunnel. When I run a sh crypto isa on my 5520, Remote Site B's tunnel shows AM_WAIT_MSG3. The guide I configured these sites from is here: https://www.petenetlive.com/KB/Article/0001261

Home office site configuration:
access-list <SITE B>_split extended permit ip object-group Internal_Networks object <SITE B>-remote_network

group-policy <SITE B> internal
group-policy <SITE B> attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <SITE B>_split
 nem enable

tunnel-group <SITE B> type remote-access
tunnel-group <SITE B> general-attributes
 default-group-policy <SITE B>
tunnel-group <SITE B> ipsec-attributes
 ikev1 pre-shared-key owezvpnP@55

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA

crypto map VPN 65535 ipsec-isakmp dynamic vpn_dyn_map
crypto map VPN interface outside

crypto ikev1 enable outside

object network <SITE B>-remote_network
 subnet <SITE B> 255.255.255.0

nat (inside,outside) source static Internal_Networks Internal_Networks destination static <SITE B>-remote_network <SITE B>-remote_network no-proxy-arp route-lookup

!username <SITE B> password <removed>



Remote Site B config:
vpnclient server <HOME SITE>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup <SITE B> password *****
vpnclient username <SITE B> password *****
vpnclient enable



Output from debug crypto isa 7:
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing SA payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing ke payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing ISA_KE payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing nonce payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing ID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received Cisco Unity client VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received xauth V6 VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal ver 02 VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal ver 03 VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal RFC VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, Received Fragmentation VID
Feb 01 10:34:49 [IKEv1 DEBUG]IP = <SITE B>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Feb 01 10:34:49 [IKEv1]IP = <SITE B>, Connection landed on tunnel_group <SITE B>
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, processing IKE SA payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ISAKMP SA payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ke payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing nonce payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Generating keys for Responder...
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ID payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing hash payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Computing hash for ISAKMP
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing Cisco Unity VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing xauth V6 VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing dpd vid payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Traversal VID ver RFC payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Discovery payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, computing NAT Discovery hash
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Discovery payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, computing NAT Discovery hash
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing Fragmentation VID + extended capabilities payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing VID payload
Feb 01 10:34:49 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 01 10:34:49 [IKEv1]IP = <SITE B>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Feb 01 10:34:57 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:05 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:13 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE AM Responder FSM error history (struct &0x7692e858)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE SA AM:f5004ede terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, sending delete/delete with reason message
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing blank hash payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing IKE delete payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing qm hash payload
Feb 01 10:35:21 [IKEv1]IP = <SITE B>, IKE_DECODE SENDING Message (msgid=d5a480e6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 01 10:35:21 [IKEv1]IP = <SITE B>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1034
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing SA payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing ke payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing ISA_KE payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing nonce payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing ID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received Cisco Unity client VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received xauth V6 VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal ver 02 VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal ver 03 VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received NAT-Traversal RFC VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, processing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, Received Fragmentation VID
Feb 01 10:35:21 [IKEv1 DEBUG]IP = <SITE B>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Feb 01 10:35:21 [IKEv1]IP = <SITE B>, Connection landed on tunnel_group <SITE B>
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, processing IKE SA payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ISAKMP SA payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ke payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing nonce payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Generating keys for Responder...
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing ID payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing hash payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Computing hash for ISAKMP
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing Cisco Unity VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing xauth V6 VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing dpd vid payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Traversal VID ver RFC payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Discovery payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, computing NAT Discovery hash
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing NAT-Discovery payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, computing NAT Discovery hash
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing Fragmentation VID + extended capabilities payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing VID payload
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 01 10:35:21 [IKEv1]IP = <SITE B>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Feb 01 10:35:29 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:37 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:45 [IKEv1]IP = <SITE B>, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE AM Responder FSM error history (struct &0x7692e858)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE SA AM:eae527b0 terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, sending delete/delete with reason message
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing blank hash payload
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing IKE delete payload
Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, constructing qm hash payload
Feb 01 10:35:53 [IKEv1]IP = <SITE B>, IKE_DECODE SENDING Message (msgid=9aa2732) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 01 10:35:54 [IKEv1]IP = <SITE B>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1034



I can post the config for Site A but it looks identical to me. Any help is appreciated.
Asked by: travisryan

1 Solution

travisryan (Author) commented:
Based on this post: https://serverfault.com/questions/43433/cisco-asa-vpn-where-can-i-find-information-on-what-the-detailed-logs-mean

It looks like one side can't get all the way to the other side. I know my home office can ping the outside IP address of the remote location, so I'm guessing the problem has to be after that?

Here's the breakdown of the FSM error history like in the link above:
Feb 01 10:35:21 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE AM Responder FSM error history (struct &0x7692e858)  <state>, <event>:  
AM_DONE, 
EV_ERROR-->AM_WAIT_MSG3, 
EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, 
EV_TIMEOUT-->AM_WAIT_MSG3, 
NullEvent-->AM_SND_MSG2, 
EV_CHECK_SPOOF-->AM_SND_MSG2, 
EV_CRYPTO_ACTIVE-->AM_SND_MSG2, 
EV_SND_MSG-->AM_SND_MSG2, 
EV_START_TMR

Feb 01 10:35:53 [IKEv1 DEBUG]Group = <SITE B>, IP = <SITE B>, IKE AM Responder FSM error history (struct &0x7692e858)  <state>, <event>:  
AM_DONE, 
EV_ERROR-->AM_WAIT_MSG3, 
EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, 
EV_TIMEOUT-->AM_WAIT_MSG3, 
NullEvent-->AM_SND_MSG2, 
EV_CHECK_SPOOF-->AM_SND_MSG2, 
EV_CRYPTO_ACTIVE-->AM_SND_MSG2, 
EV_SND_MSG-->AM_SND_MSG2, 
EV_START_TMR



What's strange is that I know at that location I can plug my laptop in and get a connection out to the internet. I can also VPN out via Cisco Anyconnect. So I'm wondering what the block is.
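The FSM history broken down above is printed by the ASA with the most recent (state, event) pair first, AM_DONE being the terminal state, so it reads chronologically from right to left: the responder sent MSG2, sat in AM_WAIT_MSG3, and hit EV_TIMEOUT. What follows is an added example, not code from the original thread or from Cisco: a small Python parser that takes `debug crypto isakmp 7` output in the format pasted in the question and classifies why the responder is stuck in AM_WAIT_MSG3. The embedded log is a constructed, abbreviated sample in that format; the peer address 203.0.113.10 and the group name SITEB are placeholders, not values from the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of ASA `debug crypto isakmp 7` output, cut down
# to the lines that matter. 203.0.113.10 and SITEB are placeholders, not real peers.
SAMPLE_LOG = """\
Feb 01 10:34:49 [IKEv1]IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 1034
Feb 01 10:34:49 [IKEv1]IP = 203.0.113.10, Connection landed on tunnel_group SITEB
Feb 01 10:34:49 [IKEv1]IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 444
Feb 01 10:34:57 [IKEv1]IP = 203.0.113.10, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:05 [IKEv1]IP = 203.0.113.10, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:13 [IKEv1]IP = 203.0.113.10, Duplicate first packet detected.  Ignoring packet.
Feb 01 10:35:21 [IKEv1 DEBUG]Group = SITEB, IP = 203.0.113.10, IKE AM Responder FSM error history (struct &0x7692e858)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
Feb 01 10:35:21 [IKEv1 DEBUG]Group = SITEB, IP = 203.0.113.10, IKE SA AM:f5004ede terminating:  flags 0x0104c001, refcnt 0, tuncnt 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1(?: DEBUG)?\]"
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)


@dataclass
class AmResponderTrace:
    """What the responder saw during one aggressive-mode phase 1 attempt."""
    peer: str = ""
    msg1_received: int = 0   # initiator's first packet: SA/KE/NONCE/ID, no HASH
    msg2_sent: int = 0       # our reply, carries HASH_R
    duplicate_msg1: int = 0  # initiator retransmitting MSG1 under the same cookie
    msg3_received: int = 0   # initiator's HASH_I, i.e. it accepted MSG2
    fsm_history: list = field(default_factory=list)  # (state, event), oldest first


def parse_fsm_history(msg):
    """Split 'AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_TIMEOUT-->...' into (state, event)
    pairs. The ASA prints the newest pair first (AM_DONE is the terminal state), so
    the list is reversed to read chronologically."""
    _, _, hist = msg.partition("<event>:")
    pairs = []
    for chunk in hist.split("-->"):
        state, _, event = chunk.strip().partition(",")
        pairs.append((state.strip(), event.strip()))
    pairs.reverse()
    return pairs


def parse_trace(log):
    trace = AmResponderTrace()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        trace.peer = trace.peer or m["ip"]
        msg = m["msg"]
        if "IKE_DECODE RECEIVED Message (msgid=0)" in msg:
            # Phase 1 uses msgid 0; aggressive-mode MSG1 has no HASH payload, MSG3 does.
            if "HASH" in msg:
                trace.msg3_received += 1
            else:
                trace.msg1_received += 1
        elif "IKE_DECODE SENDING Message (msgid=0)" in msg and "HASH" in msg:
            trace.msg2_sent += 1
        elif "Duplicate first packet detected" in msg:
            trace.duplicate_msg1 += 1
        elif "FSM error history" in msg:
            trace.fsm_history = parse_fsm_history(msg)
    return trace


EXPLANATIONS = {
    "reply_not_reaching_initiator":
        "MSG2 was sent, the peer kept retransmitting MSG1 under the same cookie and the "
        "responder timed out in AM_WAIT_MSG3: the initiator never saw our UDP/500 reply. "
        "Check for UDP 500 (and 4500 for NAT-T) being filtered on the path, both directions.",
    "initiator_silent_after_msg2":
        "MSG2 was sent and nothing came back before the timeout, not even a MSG1 retransmit. "
        "Either the reply was lost or the initiator rejected it; a wrong group pre-shared key "
        "on the initiator fails its check of HASH_R in MSG2, so verify the vpngroup password "
        "as well as the path.",
    "responder_rejected_msg1":
        "MSG1 arrived but no MSG2 went out: this side did not accept the proposal or could "
        "not map the peer to a tunnel-group. Look earlier in the log for that failure.",
    "msg3_received":
        "Phase 1 got past AM_WAIT_MSG3; any failure is later (XAUTH, mode-config or phase 2).",
    "inconclusive":
        "Not enough of the exchange in this capture to classify.",
}


def diagnose(trace):
    """Return an EXPLANATIONS key for the observed aggressive-mode responder trace."""
    timed_out = ("AM_WAIT_MSG3", "EV_TIMEOUT") in trace.fsm_history
    if trace.msg3_received:
        return "msg3_received"
    if trace.msg2_sent and timed_out and trace.duplicate_msg1:
        return "reply_not_reaching_initiator"
    if trace.msg2_sent and timed_out:
        return "initiator_silent_after_msg2"
    if trace.msg1_received and not trace.msg2_sent:
        return "responder_rejected_msg1"
    return "inconclusive"


if __name__ == "__main__":
    t = parse_trace(SAMPLE_LOG)
    code = diagnose(t)
    print(f"peer {t.peer}: MSG2 sent x{t.msg2_sent}, MSG1 retransmits x{t.duplicate_msg1}")
    print(f"{code}: {EXPLANATIONS[code]}")
```

The distinguishing signal is the run of "Duplicate first packet detected" lines at the initiator's retransmit interval: the same MSG1 keeps arriving because the initiator never received MSG2, which points at the UDP/500 path rather than at the configuration on either box. The EV_PROB_AUTH_FAIL event the ASA logs is its own hedge, since a wrong group pre-shared key on the initiator would also end with no MSG3; the parser separates the two cases by whether the retransmits are present. Run it against a saved debug capture by replacing SAMPLE_LOG with the file contents.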

travisryan (Author) commented:
Home office PING outside remote location IP: OK
Site B ASA 5506 PING outside remote (but local to it) location IP: OK

So at least pings are getting through. And they've assured me nothing outgoing is being blocked. Do I need incoming ports to not be blocked either?

travisryan (Author) commented:
Turns out despite what I was told UDP port 500 outgoing is being blocked. That would do it.

travisryan (Author) commented:
Local internet is blocking port 500
Question has a verified solution.
