
MM_WAIT_MSG2 in site-site vpn

15 years 4 months ago #30981 by sheikhu
Hi everybody,

Really stuck with this MM_WAIT_MSG2.
I have already confirmed all the config with the remote person but am still unable to find the solution.

Can anyone help me find out why I am unable to connect to the other party?

Regards
15 years 4 months ago #30983 by sys-halt
Really, in Cisco troubleshooting we are basically unable to help properly without the configuration file. I am not offending you or your remote fellow, but it is hard to give help by guessing.

But if I am going to guess, I would say:

MM_WAIT_MSG2
This message means: MM = Main Mode, WAIT = Waiting, MSG2 = Message 2 sent by the remote host accepting your certificate.

So it could mean that the remote host's message is being dropped before reaching your firewall, or maybe there is a firewall at the remote end blocking some TCP or UDP ports required by ISAKMP, which is used by your site-to-site VPN.

If your site-to-site VPN was already working fine before but is now showing this behaviour, then there would be other suggestions than the one I proposed; for this, please provide us with more detailed information and a simple design so we can help you more.

Good luck
15 years 4 months ago #30987 by sheikhu
Hi,

Thanks a lot for your support.

I configured this two weeks ago and it was working fine;
I have been getting this message since yesterday. Here are the details.

[code:1]Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0[/code:1]

Check the config of the VPN:

[code:1]isakmp policy 97 authentication pre-share
isakmp policy 97 encryption 3des
isakmp policy 97 group 2
isakmp policy 97 hash md5
isakmp policy 97 lifetime 86400

access-list ACL-TEST permit ip host MYSUBNETIP host REMOTESUBNETIP
tunnel-group REMOTE_PEER type ipsec-l2l
tunnel-group REMOTE_PEER ipsec-attributes
pre-shared-key PRESHARED_KEY

crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map SHABO_l2l 97 match address ACL-TEST
crypto map SHABO_l2l 97 set transform-set TRANS_TATTU
crypto map SHABO_l2l 97 set peer REMOTE_PEER[/code:1]

Waiting for your reply.

Rgds,
15 years 4 months ago #31002 by sys-halt
Hey sheikhu, you have said that it was working fine 2 weeks ago. Did you introduce any new device between the two sites?

Can you please provide us with the following information:
1. Between which two Cisco devices are you doing the site-to-site VPN? For example, is it between two ASA firewalls?

2. Has any new device been added between the two site-to-site VPN endpoints, like a transparent router on the edge of your networks?

3. Did you change your private ISP? Maybe they introduced new hardware or implemented a new policy on their perimeter devices that is preventing your devices from communicating properly.

4. If the VPN is giving an error message, can you ping both devices? Is there basic connectivity between them?

The message shown usually refers to the fact that your ASA is not getting a response message from your other device confirming the sent certificate.

Or maybe your ASA is getting back the response message from your other device but is actually getting it late, so try to modify your isakmp keepalive on both devices with this command:

[code:1]isakmp keepalive xyz[/code:1]

I hope this will help you in solving your problem.

good luck
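Added example, not posted by either participant: a small script that reads the SA status sheikhu pasted to work out which main-mode message never arrived, and then checks the posted crypto map for names that resolve to nothing locally, which is worth ruling out before blaming the remote end. As posted, `set transform-set TRANS_TATTU` points at a transform-set the snippet never defines (it defines `TRANS_SET`), and the check flags exactly that; the regexes assume ASA-style `show isakmp sa` and running-config formatting.

```python
import re

# Constructed sample input: the SA status and the crypto-map part of the config
# as posted in the thread (names were already anonymised by the poster).
SA_OUTPUT = """Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0"""

CONFIG = """access-list ACL-TEST permit ip host MYSUBNETIP host REMOTESUBNETIP
tunnel-group REMOTE_PEER type ipsec-l2l
tunnel-group REMOTE_PEER ipsec-attributes
pre-shared-key PRESHARED_KEY
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map SHABO_l2l 97 match address ACL-TEST
crypto map SHABO_l2l 97 set transform-set TRANS_TATTU
crypto map SHABO_l2l 97 set peer REMOTE_PEER"""

def parse_sa(text):
    """Turn the 'Key : value' pairs (several per line) into a dict."""
    return dict(re.findall(r"(\w+)\s*:\s*(\S+)", text))

def explain_mm_state(sa):
    """Main mode is six messages: the initiator sends 1, 3, 5 and the responder
    2, 4, 6. MM_WAIT_MSGn means we are stalled waiting for message n from the
    peer, so (n - 1) // 2 of the peer's messages have arrived so far."""
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa.get("State", ""))
    if not m:
        return None  # not a main-mode wait state (e.g. MM_ACTIVE, QM_IDLE)
    n = int(m.group(1))
    return {"role": sa["Role"], "waiting_for": n, "peer_messages_received": (n - 1) // 2}

def check_crypto_map(config):
    """Flag crypto-map references to objects the config never defines; a dangling
    name is a local fault to rule out before blaming the remote end."""
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    peers = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    defined = {"match address": acls, "set transform-set": tsets, "set peer": peers}
    problems = []
    for name, seq, attr, value in re.findall(
            r"^crypto map (\S+) (\d+) (match address|set transform-set|set peer) (.+)$",
            config, re.M):
        for ref in value.split():  # 'set transform-set' may list several names
            if ref not in defined[attr]:
                problems.append(f"crypto map {name} {seq}: '{attr} {ref}' refers to an "
                                f"undefined object (defined: {sorted(defined[attr])})")
    return problems
```

Run against the posted snippet it reports the initiator waiting for message 2 with zero peer messages received, plus the single dangling transform-set reference.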
15 years 4 months ago #31005 by sheikhu
Thanks... it's done. Remote end problem, as usual!
15 years 4 months ago #31013 by sys-halt
Glad you found your own solution. Could you please provide us with more details about the problem you found and the way you solved it?

Thanks in advance, and good luck