[c-nsp] ASA5520/ casas 7.0(4) meaning of MM_WAIT_MSG3 ?!

Jerome Covini jcovini at free.fr
Fri Feb 2 16:33:47 EST 2007


Thanks for your hint, but now we have another issue with the same box.
Today the ASA started to get weird intermittently regarding its NVRAM 
contents (running-conf filesize varying down to 0 / changing for each 
directory listing and show-run display freezing for long).

Will end up in RMA.

thanks
jc

Andrew Yourtchenko wrote:
> http://www.ietf.org/rfc/rfc2408.txt, page 52, outlines the Identity 
> Protection exchange (AKA Main Mode).
>
> The box you are talking about replies to the first packet of the 
> exchange (i.e. sends back the second packet); but never sees the third 
> packet.
>
> So the task is to find why this third packet never makes it - either 
> it is not generated at all by the remote box (1.2.3.4), or lost on the 
> way to your LAN2LAN box.
>
> Correlate the synchronized "debug crypto isakmp" + "debug crypto 
> ipsec" outputs from both sides and see if this gives a hint where the 
> exchange gets stuck.
>
> If the debugs/syslogs of both sides do not give a hint, I'd suggest 
> opening a TAC case.
>
> thanks,
> andrew
>
>
>
> On Wed, 31 Jan 2007, jcovini at free.fr wrote:
>
>> What's the meaning of MM_WAIT_MSG3 ?
>>
>> This tunnel is correctly defined as a l2l,
>>
>> tunnel-group 1.2.3.4 type ipsec-l2l
>> tunnel-group 1.2.3.4 ipsec-attributes
>> pre-shared-key *
>>
>> however, there is a strange type in the isakmp sa status, instead of 
>> L2L I got this:
>>
>> LAN2LAN#sh crypto isakmp sa
>> 6   IKE Peer: 1.2.3.4
>>    Type    : user            Role    : responder
>>    Rekey   : no              State   : MM_WAIT_MSG3
>>
>> Jan 31 2007 14:23:43: %ASA-3-713902: IP = 1.2.3.4, Removing peer from peer table failed, no match!
>> Jan 31 2007 14:23:43: %ASA-4-713903: IP = 1.2.3.4, Error: Unable to remove PeerTblEntry
>>
>> wtf ?!
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
>
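
An added example (not part of the original thread, and not Cisco code): a small parser for the `sh crypto isakmp sa` output quoted above that reports, for each SA stuck in an MM_WAIT_MSGn state, which Main Mode message is awaited and which side should have sent it, following the RFC 2408 Identity Protection exchange. It generalizes from the MM_WAIT_MSG3 case in the thread to states 2 through 6; the second SA in the sample and all function names are constructed for illustration.

```python
import re

# RFC 2408 Identity Protection exchange (Main Mode): six messages,
# the initiator sends 1, 3, 5 and the responder sends 2, 4, 6.
MM_PAYLOADS = {1: "HDR, SA", 2: "HDR, SA", 3: "HDR, KE, NONCE",
               4: "HDR, KE, NONCE", 5: "HDR*, IDii, AUTH", 6: "HDR*, IDir, AUTH"}

# Constructed sample: first SA as quoted in the thread, second one invented.
SAMPLE = """\
6   IKE Peer: 1.2.3.4
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
7   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

def parse_isakmp_sa(text):
    """Split the listing into one dict per SA (keys: peer, type, role, rekey, state)."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.lstrip("> ")  # tolerate output pasted from a quoted e-mail
        m = re.match(r"\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            sas.append(cur)
        elif cur is not None:
            cur.update({k.lower(): v for k, v in re.findall(r"(\w+)\s*:\s*(\S+)", line)})
    return sas

def diagnose(sa):
    """Return what a half-open Main Mode SA is waiting for, or None if not waiting."""
    m = re.fullmatch(r"MM_WAIT_MSG([2-6])", sa.get("state", ""))
    if not m:
        return None
    n = int(m.group(1))
    sender, waiter = ("initiator", "responder") if n % 2 else ("responder", "initiator")
    return {"peer": sa["peer"], "awaiting": n, "last_sent": n - 1,
            "expected_from": sender, "payloads": MM_PAYLOADS[n],
            # the local role shown must be the side that waits for message n
            "role_consistent": sa.get("role") == waiter}

def stalled(text):
    return [d for d in map(diagnose, parse_isakmp_sa(text)) if d]

if __name__ == "__main__":
    for d in stalled(SAMPLE):
        print(d)
```

For the SA in the thread this reports that message 2 was the last one sent and that message 3 (KE and NONCE from the initiator) is the packet to look for in the debugs and captures on both sides.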


	

	
		