Debugging Lan-2-Lan VPN’s is a whole kettle of fish in its own right. The example log below shows what is visible if the remote peer does not respond to the request. In this scenario the central appliance is a Cisco ASA version 8.4(3) and acting as a VPN headend poiint of presence. The key identification of the issue below is:
MM_DONE, EV_ERROR–>MM_WAIT_MSG2, EV_RETRY–>MM_WAIT_MSG2, EV_TIMEOUT–>MM_WAIT_MSG2, NullEvent–>MM_SND_MSG1, EV_SND_MSG–>MM_SND_MSG1, EV_START_TMR–>MM_SND_MSG1, EV_RESEND_MSG–>MM_WAIT_MSG2, EV_RETRY
Note the Event Error, the Event Wait and the Event Retry on WAIT_MSG2
Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 1.1.1.1 local Proxy Address 192.168.3.0, remote Proxy Address 10.0.0.0, Crypto map (outside_map)
Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing ISAKMP SA payload
Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload
Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload
Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver RFC payload
Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
SENDING PACKET to 1.1.1.1
09 20:11:50 [IKEv1]IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Oct 09 20:11:57 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:05 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:13 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x242554a8) <state>, <event>: MM_DONE, EV_ERROR–>MM_WAIT_MSG2, EV_RETRY–>MM_WAIT_MSG2, EV_TIMEOUT–>MM_WAIT_MSG2, NullEvent–>MM_SND_MSG1, EV_SND_MSG–>MM_SND_MSG1, EV_START_TMR–>MM_SND_MSG1, EV_RESEND_MSG–>MM_WAIT_MSG2, EV_RETRY
Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE SA MM:5bce5987 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, sending delete/delete with reason message
As a means to verify the outbound connectivity and nothing returning to the ASA a packet capture was used on the ASA to show the outbound requests with a nothing coming back in.