[c-nsp] ASA5520/ casas 7.0(4) meaning of MM_WAIT_MSG3 ?!
Andrew Yourtchenko
ayourtch at cisco.com
Thu Feb 1 05:59:36 EST 2007
http://www.ietf.org/rfc/rfc2408.txt, page 52, outlines the Identity
Protection exchange (AKA Main Mode).
The box you are talking about replies to the first packet of the exchange
(i.e. sends back the second packet), but never sees the third packet.
So the task is to find why this third packet never makes it - either it is
not generated at all by the remote box (1.2.3.4), or it is lost on the way to
your LAN2LAN box.
Correlate the synchronized "debug crypto isakmp" + "debug crypto ipsec"
outputs from both sides and see if this gives a hint where the exchange
gets stuck.
If the debugs/syslogs of both sides do not give a hint, I'd suggest opening
a TAC case.
thanks,
andrew
On Wed, 31 Jan 2007, jcovini at free.fr wrote:
> What's the meaning of MM_WAIT_MSG3?
>
> This tunnel is correctly defined as a l2l,
>
> tunnel-group 1.2.3.4 type ipsec-l2l
> tunnel-group 1.2.3.4 ipsec-attributes
> pre-shared-key *
>
> however, there is a strange type in the isakmp sa status; instead of L2L I got
> this:
>
> LAN2LAN#sh crypto isakmp sa
> 6 IKE Peer: 1.2.3.4
> Type : user Role : responder
> Rekey : no State : MM_WAIT_MSG3
>
> Jan 31 2007 14:23:43: %ASA-3-713902: IP = 1.2.3.4, Removing peer from peer table
> failed, no match!
> Jan 31 2007 14:23:43: %ASA-4-713903: IP = 1.2.3.4, Error: Unable to remove
> PeerTblEntry
>
> wtf?!
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
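The responder state discussed in the reply, worked through as an added example (my code, not Andrew's, the poster's, or Cisco's): a walk through the six-message Identity Protection exchange with one message dropped, a parser for the `sh crypto isakmp sa` lines quoted above, and a function that turns an MM_WAIT_MSG<n> state into the "which packet never arrived" reasoning. It assumes the other ASA states follow the same MM_WAIT_MSG<n> / MM_ACTIVE naming convention as MM_WAIT_MSG3; the sample output is constructed from the post.

```python
import re

# Identity Protection exchange (RFC 2408, "Main Mode"): six messages, odd-numbered
# ones flow initiator -> responder, even-numbered ones responder -> initiator.
def sender(n):
    return "initiator" if n % 2 else "responder"

def simulate(dropped=None):
    """Walk the six-message exchange; `dropped` is a message number that never
    reaches its receiver. Returns {role: assumed ASA-style state} when it stops."""
    state = {}
    for n in range(1, 7):
        src, dst = sender(n), sender(n + 1)
        # having sent message n, a side waits for n+1 (or is done after message 6)
        state[src] = "MM_ACTIVE" if n == 6 else f"MM_WAIT_MSG{n + 1}"
        if n == dropped:
            return state        # the receiver never sees n; its state is unchanged
        if n == 6:
            state[dst] = "MM_ACTIVE"
    return state

# Constructed sample, copied from the post's `sh crypto isakmp sa` output.
SAMPLE = """LAN2LAN#sh crypto isakmp sa
6 IKE Peer: 1.2.3.4
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
"""

def parse_isakmp_sa(text):
    """Extract (peer, role, state) per 'IKE Peer:' block of the command output."""
    peers = []
    for block in re.split(r"(?=IKE Peer:)", text)[1:]:
        peer = re.search(r"IKE Peer:\s*(\S+)", block).group(1)
        role = re.search(r"Role\s*:\s*(\w+)", block).group(1)
        state = re.search(r"State\s*:\s*(\w+)", block).group(1)
        peers.append((peer, role, state))
    return peers

def explain(role, state):
    """Generalise the reply's reasoning: MM_WAIT_MSG<n> means messages 1..n-1 are
    done and message n, which the *peer* must send, never arrived. None otherwise."""
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", state)
    if not m:
        return None
    n = int(m.group(1))
    if sender(n) == role:
        raise ValueError(f"{role} cannot be waiting for its own message {n}")
    return (f"{role} sent message {n - 1}; message {n} from the peer never arrived: "
            "either the peer did not generate it or it was lost in transit")
```

Running `explain(*parse_isakmp_sa(SAMPLE)[0][1:])` reproduces the reply's conclusion for the quoted output, and `simulate(dropped=3)` shows the responder parked in MM_WAIT_MSG3 while the initiator waits for message 4.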