When troubleshooting Phase 1 of a VPN tunnel the MM_WAIT_MSG state can be a great clue as to why your tunnel is not forming. If your firewall hangs at a certain state then this will show you where in the path your VPN is failing.
What is happening
Initiator sends its hashed IKE policy details to the receiver to create the initial contact. Initiator will stay in this state until it receives a response back from the remote peer.
Cisco uses a different way to run and save packet captures on its ASA firewall than a popular Linux tcpdump/Wireshark tools. Below is a quick guide to capture and then copy out a pcap file from the firewall for offline analysis.
Setting up your Packet Capture
The basic syntax is:
#capture <Name for capture> type raw-data match ip <source IP/Network> <Network Mask> <destination IP/Network> <Network MAsk>
#capture <Name for capture> packet-length 1522 buffer 524288
#capture <Name for capture> interface <Name of interface to capture on>
When you have VPN tunnels out to 3rd party customers there comes a time when something is going to go wrong and at least one end of the tunnel is going to have to be rebuilt. More often than not documentation got lost or was not updated the last time things changed and now you have no idea what the PSK was that you used on that tunnel. You quickly look at the configuration on the other end only to find that the PSK is stared out in the running config. Continue reading