S2E2_IPSEC VPN - MM_WAIT_MSG3 - How to troubleshoot? (IPSEC VPN)

Captions
Hello and welcome back. First of all I would like to thank you for supporting me by subscribing. I want you to know that I always try to bring accurate and clear information to you; the sole purpose of me creating these videos is to help you understand those concepts that you always wanted to learn. At the end of this video, if you find it helpful, please do like, comment and share. If you are new to this: how to troubleshoot MM_WAIT_MSG3, or when you see MM_WAIT_MSG3, what does that mean, what do you understand, why is your ASA stuck at MM_WAIT_MSG3? So this video is about finding out why the ASA is stuck at MM_WAIT_MSG3, what it means and how we fix the problem.

To explain this I'm going to use the setup that you're seeing on my screen. Basically the VPN is between Cisco and, let's say, IBM: a Cisco site and an IBM site. So in this setup we have a VPN between ASA1 on the left-hand side in yellow and ASA2 on the right-hand side; the ISP router in the middle is doing the routing part. Let's go back to the ASAs. All the configuration has already been done on these devices; configuration is not part of this video. If you want me to do another video on how to configure a site-to-site VPN on a Cisco ASA, add your comments to the video; if there are more than 50 comments I will create a video on how to configure a site-to-site VPN. This is PC1, so I'm just going to drag it to the left. All right, so this is your PC1, this is ASA1, this is ASA2 and this is PC2. If I take you back to the topology once again: PC1's IP address is 10.10.1.1 and PC2 is 192.168.10.1. So what I'm going to do now is try to do a ping from here to here and see what happens. From PC1 I'm trying to ping 192.168.10.1, which is the other computer on the other end. Let me just quickly draw a little topology here, so this is the topology that we have: from PC1 I'm trying to ping PC2.

When I do that, I go back to ASA1 and check the status of the tunnel: show crypto isakmp sa. It says you are the initiator and you're currently at MM_WAIT_MSG2. What does MM_WAIT_MSG2 mean? It means, hey, ASA1 has sent the first packet and it's waiting for the second message to be received. I've already done another video for MM_WAIT_MSG2, so you can go back to that video and get an understanding of what MM_WAIT_MSG2 means and how to fix it. So here MM_WAIT_MSG2 means I have sent the first packet, now I'm waiting for the second message to be received. If I go to the other ASA, ASA2, here in show crypto isakmp sa it says MM_WAIT_MSG3. So this guy here says: I am the responder and I'm waiting for message 3. He says, hey, I have sent message 2, I'm waiting for message 3; I've done my job. And this guy, ASA1, says I'm waiting for message 2, I haven't received it yet. So when ASA2 says I'm waiting for message 3, he has sent message 2, but for some reason that message 2 has not reached ASA1; otherwise why would it wait at MM_WAIT_MSG2, right? If you see ASA1 is still at MM_WAIT_MSG2, that means it hasn't received the second message. So where did the second message go? ASA2 has sent it and it didn't reach ASA1. So where is it? That's what we need to find out: where is message 3, and how do we do it?

Let's get some real data, let's get some proof that ASA2 has sent it. If ASA2 has sent message 2, that must have left via its outside interface, right? So let's do a capture here; that should confirm that yes, you have sent message 2. Then we'll check here if it reached here or not; if it did not reach, then it's a problem with the ISP, the underlying network. But first we need to make sure that ASA2 has sent it. So let's go back to the ASAs and apply some captures on the outside interface of ASA2. How do I do a capture here? Let me verify the interface name: the interface name is outside. I say capture, then the capture name, interface outside, match ip host 2.2.2.2 host 67.1.13.142 (the peer IP is 67.1.13.142). show capture shows how many captures are applied. Initially when I applied this capture there was no data, so nothing was being captured, zero bytes; now you see 226 bytes, that means something is being captured. If you want to see what is in the capture, you can say show capture capout. Because we had those continuous pings going on, it's continuously trying to bring the VPN up. Now if we take a look, we're seeing packets from 67.1.13.142, from ASA1, going to ASA2; I'm doing this capture on ASA2, right here, but I'm not seeing ASA2 replying back. The arrow indicates who is receiving it and who is sending it: 142 is sending to 2.2.2.2, and 2.2.2.2 is receiving. 2.2.2.2 is ASA2, so yes, ASA2 is receiving it, but this guy is not replying back. But wait, did it not say somewhere that I'm replying back? If I say show crypto isakmp sa it says I'm waiting for message 3; that means it has sent message 2. So where did message 2 go? Is it possible that ASA2 did send message 2 but then dropped it?

How do we figure out if an ASA has dropped some packets? To figure out if an ASA has dropped any packet we can do something called an ASP capture. This ASP capture will show you if your firewall, your ASA, is doing any drops. Let's do it. How do you do an ASP capture? It's similar to the normal capture: you say capture, give it a name (I usually use asp), then you say type, what type of capture you want to do: capture asp type asp-drop all, and I would like to do it as a circular buffer, because in a real-time environment you will have too much data that your firewall will be dropping, so you do not want this capture to be a normal capture, you want it to be a circular buffer. What circular buffer means is that it keeps capturing new data and deletes the oldest, so the buffer keeps getting filled with new data continuously, so that you don't miss the latest drops. So: capture asp type asp-drop all circular-buffer. Now how do you check if your data is getting dropped? You say show capture asp | include and put in the IP address that you're looking for; I'm basically looking for 2.2.2.2. And there you go, it says I'm dropping it: I'm dropping the packets which are sourced from 2.2.2.2 and going to destination 67.1.13.142. These are UDP 500. And what is the drop reason, why are you dropping them? It says no-adjacency, no valid adjacency. Well, this means this guy doesn't know how to go back, this guy doesn't know how to reach 67.1.13.142. And why doesn't it know? Do we not have a route? Let's figure that out: show route 67.1.13.142 says network not in table. OK, let's check the routing table then. Does it not have a default route? Gateway of last resort is not set, so it doesn't have a default route. It has a route for the 2.x network, it has a route for the 10.x network, it has a route for the 192.168 network, and that's all it has. It doesn't know how to reach 67.1.13.142; that's why this guy is dropping it with the reason no valid adjacency, no-adjacency.

So how do we fix it now? We just simply tell him how he can reach it. Let me check with show ip. So: route outside 67.1.13.142 255.255.255.255 2.2.2.1, meaning you can go out the outside interface, you can reach 67.1.13.142, and your next hop should be 2.2.2.1; that's how you can reach it. Let's see show crypto isakmp sa: is it still at MM_WAIT_MSG3? Well, now it has progressed a bit, so it's at MM_WAIT_MSG5. That's a good thing. MM_WAIT_MSG5 is going to be part of the next video, but we have progressed, so it's no longer at MM_WAIT_MSG3.

So what was the reason for it to stay at MM_WAIT_MSG3? ASA2 did not have a route back. There can be one more reason that ASA2, or the responder (so this was the initiator and this was the responder), there can be one more reason that the responder will stay at this stage: if there was a router here and that router had an access list applied here in the inbound direction, do not allow these UDP packets. In that case also, when ASA2 has already sent the second message, that will then be dropped by this router at this interface and will never make it back to ASA1. You can then figure it out, right: you will do a capture on ASA2 here and you'll see that message 2 is leaving but it's not reaching ASA1. Then you will try to figure out what the devices in between are, and when you figure out that there is a router, always look at the interfaces, because router interfaces are most likely to have access lists. So that was all about MM_WAIT_MSG3. Now you know, if you see your ASA at MM_WAIT_MSG3, what the problem is: most likely there is a route missing or there is a router somewhere which has an access list to block the return traffic. In the next video we are going to talk about MM_WAIT_MSG4, so stay tuned.
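The troubleshooting flow in the video (read the IKE role and state on the responder, then look for the responder's own MSG2 in an asp-drop capture toward the peer) can be turned into a small triage script that runs over saved CLI output. The following is an added example and is not code from the video or the channel; the `show crypto isakmp sa` and `show capture asp` text it parses is constructed for this example in the layout the ASA uses, and the functions `parse_isakmp_sa`, `parse_asp_drops` and `triage` are names chosen here. It generalizes slightly beyond the video by also handling a drop reason other than no-adjacency and the case where nothing is dropped locally (which is the video's "router with an inbound ACL" branch).

```python
import re

# Constructed sample (not captured from the video's lab): what the responder
# ASA (ASA2, outside IP 2.2.2.2) shows while ASA1 at 67.1.13.142 keeps initiating.
SHOW_ISAKMP_SA_ASA2 = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 67.1.13.142
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

# Constructed sample of `show capture asp | include 2.2.2.2` on ASA2, with the
# capture defined as `capture asp type asp-drop all circular-buffer`.
SHOW_CAPTURE_ASP_ASA2 = """\
   1: 10:02:11.431018       2.2.2.2.500 > 67.1.13.142.500:  udp 196 Drop-reason: (no-adjacency) No valid adjacency
   2: 10:02:21.430855       2.2.2.2.500 > 67.1.13.142.500:  udp 196 Drop-reason: (no-adjacency) No valid adjacency
"""

# One IKE SA entry: peer address, then Role and State on the following lines.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>[\d.]+).*?Role\s*:\s*(?P<role>\w+).*?State\s*:\s*(?P<state>\S+)",
    re.S,
)
# One asp-drop line: "src.port > dst.port: udp len Drop-reason: (code) text".
DROP_RE = re.compile(
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s*>\s*(?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s*udp\s+\d+\s*Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)"
)


def parse_isakmp_sa(text):
    """Return [{'peer', 'role', 'state'}, ...] for each IKEv1 SA entry."""
    return [m.groupdict() for m in SA_RE.finditer(text)]


def parse_asp_drops(text):
    """Return one dict per dropped UDP packet found in asp-drop capture output."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
    return drops


def triage(isakmp_output, asp_output, local_ip):
    """Explain each IKE SA stuck in MM_WAIT_MSG3 using the local asp-drop capture.

    local_ip is this ASA's outside address: a responder stuck at MM_WAIT_MSG3 has
    built MSG2, so we look for locally dropped UDP/500 from local_ip to the peer.
    """
    all_drops = parse_asp_drops(asp_output)
    findings = []
    for sa in parse_isakmp_sa(isakmp_output):
        peer = sa["peer"]
        reasons = sorted({
            d["code"] for d in all_drops
            if d["src"] == local_ip and d["dst"] == peer and d["dport"] == "500"
        })
        if sa["state"] == "MM_WAIT_MSG3" and sa["role"] == "responder":
            if "no-adjacency" in reasons:
                verdict = (f"MSG2 to {peer} is dropped locally (no-adjacency): no route "
                           f"back to the peer; add one, e.g. "
                           f"'route outside {peer} 255.255.255.255 <next-hop>'")
            elif reasons:
                verdict = f"MSG2 to {peer} is dropped locally: {', '.join(reasons)}"
            else:
                verdict = (f"MSG2 to {peer} is not dropped by this ASA; capture on the "
                           f"initiator and check devices in the path (inbound ACLs on "
                           f"router interfaces)")
        else:
            verdict = f"{sa['role']} at {sa['state']}: not the MM_WAIT_MSG3 case"
        findings.append({"peer": peer, "role": sa["role"], "state": sa["state"],
                         "drop_reasons": reasons, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SHOW_ISAKMP_SA_ASA2, SHOW_CAPTURE_ASP_ASA2, "2.2.2.2"):
        print(f"{f['peer']} {f['role']} {f['state']}: {f['verdict']}")
```

Feed it the real output of the two commands from the responder ASA (saved to files and read in) and its own outside IP; the `<next-hop>` in the suggested route is a placeholder, the actual next hop comes from the ISP-facing interface, as the video's `show ip` step shows.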
Info
Channel: ASAme2
Views: 1,243
Keywords: MM_WAIT_MSG3, IPSEC VPN, Best VPN Video, TAC level understanding of IPSEC VPN, TAC level understanding, TAC level explaination, Understand MM wait msg3
Id: uKQuFrtG90w
Length: 12min 27sec (747 seconds)
Published: Sat Mar 07 2020