Cisco ASA VPN Tunnels – ISAKMP Messages

By | October 4, 2013

This was taken from from a very good web-site called http://tunnelsup.com where you can find a lot of information with regard to VPN troubleshooting on Cisco devices.

Original ISAKMP RFC is also very good for understanding http://www.ietf.org/rfc/rfc2408.txt.

ASA ISAKMP STATES

MM_WAIT_MSG2:
Initial DH public key sent to responder. Awaiting initial contact reply from other side.
If stuck here it usually means the other end is not responding. This could be due to no route to the far end or the far end does not have ISAKMP enabled on the outside or the far end is down.

MM_WAIT_MSG3:
Both peers have agreed on the ISAKMP policies. Awaiting exchange of keyring information.
Hang up’s here may be due to mismatch device vendors, a router with a firewall in the way, or even ASA version mismatches.

MM_WAIT_MSG4:
In this step the pre-share key hashes are exchanged. They are not compared or checked, only sent. If one side sends a key and does not receive a key back, this is where the tunnel will fail.
I have seen the tunnel fail at this step due to the remote side having the wrong Peer IP address. Hang up’s here may also be due to mismatch device vendors, a router with a firewall in the way, or even ASA version mismatches.

MM_WAIT_MSG5:
This step is where the devices exchange pre-shared keys.
If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off.

MM_WAIT_MSG6:
This step is where the devices exchange pre-shared keys.
If the pre-shared keys do not match it will stay at this MSG. I have also seen the tunnel stop here when NAT Traversal was on when it needed to be turned off.
However, if the state goes to MSG6 then the ISAKMP gets reset that means phase 1 finished but phase 2 failed. Check that IPSEC settings match in phase 2 to get the tunnel to MM_ACTIVE.

AM_ACTIVE / MM_ACTIVE:
The ISAKMP negotiations are complete. Phase 1 has successfully completed.
I also have to add that sometimes the last two messages may appear when the other end does not take/understand some symbols in your pre-shared key (though giving no errors whatsoever about this). I’ve just had an issue when a Watchguard firewall was updated with a new firmware virsion and as a result an IPSec tunnel with another Watchguard box failed. That was actually a good opportunity for me to migrate the tunnel to a Cisco ASA on my end but it started working only after we “simplified” the key having removed some “exotic” ASCII symbols from it.

To see the states of your tunnels use:

sh crypto isakmp sa detail

In special situations you may see the following MM Messages:

Rekey : yes State : MM_ACTIVE_REKEY

Rekey : no State : MM_REKEY_DONE_H2

This is because the version of ASA you are using should be set to:

crypto isakmp identity address

Instead of:

crypto isakmp identity hostname