VPN Troubleshooting – Phase 1 – ISAKMP (IKE) Status Messages MM_WAIT_MSG#

When troubleshooting Phase 1 of a VPN tunnel, the MM_WAIT_MSG state can be a great clue as to why your tunnel is not forming. If your firewall hangs at a certain state, that state shows you where in the path your VPN is failing.

MM_WAIT_MSG2

What is happening

The initiator sends its hashed IKE policy details to the receiver to create the initial contact. The initiator will stay in this state until it receives a response back from the remote peer.

Possible reasons to be stuck in this state

  • No route exists to reach the remote peer
  • Remote end does not have ISAKMP enabled
  • Remote peer is down
  • Firewall blocking ISAKMP (usually UDP port 500)


MM_WAIT_MSG3

What is happening

The receiver has received the initiator's IKE policy and sends its hashed IKE policy details back to the initiator to complete the initial contact. The receiver will stay here until it receives the initiator's PSK hash.

Possible reasons to be stuck in this state

  • Mismatch in device vendors
  • Firewall in the way
  • ASA version mismatch
  • No return route to the initiating device


MM_WAIT_MSG4

What is happening

The initiator has received the receiver's IKE policy and now sends its PSK hash to the receiver. The initiator will wait here until it receives the receiver's PSK hash. The PSK is not actually checked at this stage.

Possible reasons to be stuck in this state

  • Receiver missing tunnel group or PSK

MM_WAIT_MSG5

What is happening

The receiver has received the initiator's PSK hash. If the receiver has a tunnel group and PSK configured for the initiator's peer address, it sends its PSK hash to the initiator. The receiver does not check that the hash matches at this point.

Possible reasons to be stuck in this state

  • Initiator sees the PSKs do not match
  • NAT-T is on when it should be off


MM_WAIT_MSG6

What is happening

The initiator has received the receiver's PSK hash. If the PSKs match, the initiator becomes MM_ACTIVE and sends a message to the receiver that it matched.

Possible reasons to be stuck in this state

  • PSKs don’t match
  • NAT-T on and should be off

NOTE: If the state stays at MM_WAIT_MSG6 and the ISAKMP resets, then your Phase 1 is completing but you are failing Phase 2. Check your IPsec settings.


MM_ACTIVE

What is happening

The receiver checks whether the PSKs match and, if so, becomes MM_ACTIVE and lets the initiator know. ISAKMP negotiations are now complete and Phase 1 is built successfully.
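The script below is an added example, not part of the original post. It flags peers that sit in the same MM_WAIT_MSG state across repeated polls of `show crypto isakmp sa` and prints the causes listed above for that state. It assumes the ASA layout with `IKE Peer:`, `Role` and `State` fields; the sample output, the peer addresses and the function names are constructed for illustration.

```python
import re
# Causes this page lists for each state a peer can hang in.
CAUSES = {
    "MM_WAIT_MSG2": ["no route to remote peer", "ISAKMP not enabled on remote end",
                     "remote peer down", "firewall blocking ISAKMP (usually UDP 500)"],
    "MM_WAIT_MSG3": ["device vendor mismatch", "firewall in the way",
                     "ASA version mismatch", "no return route to initiator"],
    "MM_WAIT_MSG4": ["receiver missing tunnel group or PSK"],
    "MM_WAIT_MSG5": ["initiator sees PSK mismatch", "NAT-T on when it should be off"],
    "MM_WAIT_MSG6": ["PSKs don't match", "NAT-T on and should be off",
                     "if ISAKMP resets: Phase 2 is failing, check IPsec settings"],
}
PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Role|State)\s*:\s*(\S+)")

def parse_sa(text):
    """Return {peer: {"Role": ..., "State": ...}} from one command output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            current.update(FIELD_RE.findall(line))  # (field, value) pairs
    return peers

def stuck_peers(snapshots):
    """Peers that show the same MM_WAIT_MSG state in every snapshot."""
    parsed, findings = [parse_sa(s) for s in snapshots], []
    for peer, sa in parsed[0].items():
        state = sa.get("State")
        if state in CAUSES and all(p.get(peer, {}).get("State") == state for p in parsed[1:]):
            findings.append((peer, sa.get("Role"), state, CAUSES[state]))
    return findings

# Constructed sample output: two polls taken a few seconds apart.
SNAP1 = """\
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""
SNAP2 = SNAP1.replace("MM_WAIT_MSG3", "MM_ACTIVE")  # second peer finished Phase 1
if __name__ == "__main__":
    for peer, role, state, causes in stuck_peers([SNAP1, SNAP2]):
        print(f"{peer} ({role}) hung at {state}: check " + "; ".join(causes))
```

A peer that only passes through a wait state between polls is not reported; only one that stays in the same state is.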
