Recently, I was involved in troubleshooting some VPN issues between two sites. The initial errors we were receiving were not helping us to understand what the problem was. After running the command show crypto isakmp sa, we worked out that we weren’t getting the state MM_ACTIVE. Instead, we were stuck with one side at MM_WAIT_MSG2 and the other side at MM_WAIT_MSG3. This was very confusing, especially when no configuration was changed recently on either side and the VPN was working fine before the incident. We then found this page on the tunnelsup.com website that clearly explained the IKE Phase 1 stages: "ISAKMP (IKE Phase 1) status messages MM_WAIT_MSG# – TunnelsUP". This is a great reference for anyone troubleshooting VPNs, and while it did not help us exactly in resolving the issue, it certainly pointed us in the right direction to getting to the root cause.
Until next time!