IPsec VPN LAN-2-LAN Debug: "remote peer not responding"

Debugging LAN-2-LAN VPNs is a whole kettle of fish in its own right. The example log below shows what is visible when the remote peer does not respond to the IKE request. In this scenario the central appliance is a Cisco ASA running version 8.4(3), acting as the VPN headend point of presence. The key indicator of the issue is the FSM error history line:

MM_DONE, EV_ERROR->MM_WAIT_MSG2, EV_RETRY->MM_WAIT_MSG2, EV_TIMEOUT->MM_WAIT_MSG2, NullEvent->MM_SND_MSG1, EV_SND_MSG->MM_SND_MSG1, EV_START_TMR->MM_SND_MSG1, EV_RESEND_MSG->MM_WAIT_MSG2, EV_RETRY

Note the EV_ERROR, EV_TIMEOUT and EV_RETRY events in the MM_WAIT_MSG2 state: the ASA has sent Main Mode message 1 and is waiting for message 2, which never arrives.

Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 1.1.1.1  local Proxy Address 192.168.3.0, remote Proxy Address 10.0.0.0,  Crypto map (outside_map)

Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing ISAKMP SA payload

Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload

Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver 03 payload

Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing NAT-Traversal VID ver RFC payload

Oct 09 20:11:49 [IKEv1 DEBUG]IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload

Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

SENDING PACKET to 1.1.1.1

Oct 09 20:11:50 [IKEv1]IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Oct 09 20:11:57 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

Oct 09 20:12:05 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

Oct 09 20:12:13 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x242554a8)  <state>, <event>:  MM_DONE, EV_ERROR->MM_WAIT_MSG2, EV_RETRY->MM_WAIT_MSG2, EV_TIMEOUT->MM_WAIT_MSG2, NullEvent->MM_SND_MSG1, EV_SND_MSG->MM_SND_MSG1, EV_START_TMR->MM_SND_MSG1, EV_RESEND_MSG->MM_WAIT_MSG2, EV_RETRY

Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE SA MM:5bce5987 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, sending delete/delete with reason message

To verify outbound connectivity, and to confirm that nothing was returning to the ASA, a packet capture was taken on the ASA: it showed the outbound IKE requests leaving, with nothing coming back in.
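As an added example (my own script, not from the original post), the following Python code applies the reasoning above to the debug output: it parses the ASA IKEv1 lines per peer, counts the msgid=0 resends, checks whether any IKE message was received from that peer at all, and pulls the state in which EV_TIMEOUT fired out of the FSM error history. The sample log is a constructed copy of the lines above (trimmed, with the mis-encoded "–>" handled as well as "->"); the second, responding peer 2.2.2.2 and the verdict strings are assumptions of mine, added so the script distinguishes "no reply" from "peer answered, look elsewhere".

```python
import re
from collections import defaultdict

# Constructed sample input: the Cisco ASA 8.4 IKEv1 debug lines from the post,
# trimmed to the ones that matter for the diagnosis (timestamps and peer kept).
SAMPLE_LOG = """\
Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 1.1.1.1  local Proxy Address 192.168.3.0, remote Proxy Address 10.0.0.0,  Crypto map (outside_map)
Oct 09 20:11:49 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:11:57 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:05 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:13 [IKEv1]IP = 1.1.1.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE MM Initiator FSM error history (struct &0x242554a8)  <state>, <event>:  MM_DONE, EV_ERROR->MM_WAIT_MSG2, EV_RETRY->MM_WAIT_MSG2, EV_TIMEOUT->MM_WAIT_MSG2, NullEvent->MM_SND_MSG1, EV_SND_MSG->MM_SND_MSG1, EV_START_TMR->MM_SND_MSG1, EV_RESEND_MSG->MM_WAIT_MSG2, EV_RETRY
Oct 09 20:12:21 [IKEv1 DEBUG]IP = 1.1.1.1, IKE SA MM:5bce5987 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# Constructed contrast case (hypothetical peer, not from the post): the peer does
# answer message 1, so this must NOT be reported as "peer not responding".
RESPONDING_LOG = """\
Oct 09 21:00:00 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 200
Oct 09 21:00:01 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 120
"""

# "Mon DD HH:MM:SS [IKEv1...]IP = a.b.c.d, <message>"
LINE_RE = re.compile(r'^\w{3} \d\d \d\d:\d\d:\d\d \[(?P<src>[^\]]+)\]IP = (?P<peer>[\d.]+), (?P<msg>.*)$')
RESEND_RE = re.compile(r'IKE_DECODE RESENDING Message \(msgid=(?P<msgid>\d+)\)')
RECV_RE = re.compile(r'IKE_DECODE RECEIVED Message')
FSM_RE = re.compile(r'IKE MM Initiator FSM error history .*<state>, <event>:\s*(?P<hist>.+)$')


def parse_fsm_history(hist):
    """Turn 'STATE, EVENT->STATE, EVENT->...' into a list of (state, event) tuples.
    In the post's log the ASA lists the history newest first, so element 0 is the
    terminal transition (MM_DONE, EV_ERROR). Accepts '->' and the mis-encoded '–>'."""
    steps = []
    for token in re.split(r'[-\u2013]>', hist):
        state, _, event = token.partition(',')
        steps.append((state.strip(), event.strip()))
    return steps


def verdict(info):
    """Map the per-peer counters to a one-line diagnosis (verdict wording is mine)."""
    if not info['received_any'] and info['timed_out_in'] == 'MM_WAIT_MSG2':
        return 'peer not responding: no Main Mode message 2 received'
    if not info['received_any'] and info['resends'] > 0:
        return 'no reply yet: Phase 1 message 1 being resent'
    return 'peer responded: look beyond reachability'


def diagnose(log_text):
    """Per peer: count Phase 1 (msgid=0) resends, record whether any IKE message
    was received from the peer, and extract the FSM state EV_TIMEOUT fired in."""
    per_peer = defaultdict(lambda: {'resends': 0, 'received_any': False,
                                    'timed_out_in': None, 'fsm': []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hex dumps, "SENDING PACKET" lines etc. carry no peer field
        info = per_peer[m.group('peer')]
        msg = m.group('msg')
        r = RESEND_RE.search(msg)
        if r and r.group('msgid') == '0':
            info['resends'] += 1
        if RECV_RE.search(msg):
            info['received_any'] = True
        f = FSM_RE.search(msg)
        if f:
            info['fsm'] = parse_fsm_history(f.group('hist'))
            timeouts = [state for state, event in info['fsm'] if event == 'EV_TIMEOUT']
            info['timed_out_in'] = timeouts[0] if timeouts else None
    for info in per_peer.values():
        info['verdict'] = verdict(info)
    return dict(per_peer)


if __name__ == '__main__':
    for log in (SAMPLE_LOG, RESPONDING_LOG):
        for peer, info in diagnose(log).items():
            print(f"{peer}: resends={info['resends']} received_any={info['received_any']} "
                  f"timed_out_in={info['timed_out_in']} -> {info['verdict']}")
```

The script only confirms from the debug output what the packet capture in the post showed on the wire; the capture remains the stronger evidence, because it also tells you whether UDP/500 (and UDP/4500 once NAT-T is negotiated) is actually leaving the outside interface rather than being dropped locally.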
