Refer to the exhibit. You issued the show crypto isakmp sa command to troubleshoot a connection failure of an IPsec VPN. What possible issue does the given output indicate?
A. The peer is failing to respond
B. The crypto ACLs are mismatched
C. The pre-shared keys are mismatched
D. The transform sets are mismatched
I concur with NextCCIE for C. The exhibit shows “MM_WAIT_MSG6”.
Here is the link:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution09
C is correct: MM_WAIT_MSG6
Mismatched Pre-shared Key
The initiation of VPN Tunnel gets disconnected. This issue might occur because of a mismatched pre-shared-key during the phase I negotiations.
The MM_WAIT_MSG_6 message in the show crypto isakmp sa command indicates a mismatched pre-shared-key as shown in this example:
ASA#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.7.13.20
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG_6
A is more likely, see here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
When the peer IP address has not been configured properly in the ASA crypto configuration, the ASA is not able to establish the VPN tunnel and hangs in the MM_WAIT_MSG4 stage. In order to resolve this issue, correct the peer IP address in the configuration. Here is the output of the show crypto isakmp sa command when the VPN tunnel hangs in the MM_WAIT_MSG4 state.
hostname#show crypto isakmp sa
1 IKE Peer: XX.XX.XX.XX
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG4
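Both posts above read the State column of show crypto isakmp sa and map a main-mode wait state to a cause from the Cisco troubleshooting document. The following is an added Python 3 example, not code from the thread or from Cisco, that does that mapping over the raw command output: it parses each IKE SA entry, normalises the two spellings the ASA prints (MM_WAIT_MSG_6 and MM_WAIT_MSG6), and attaches the cause the linked document gives for MM_WAIT_MSG4 and MM_WAIT_MSG6. Only those two causes are encoded, since those are the only ones quoted in the thread; any other MM_WAIT_MSGn state is reported generically as "waiting for main-mode message n". The sample output and the peer addresses 192.0.2.45 and 198.51.100.9 are constructed for the example.

```python
import re

# Constructed sample: the two outputs quoted in the thread plus one healthy SA
# (peer addresses other than 10.7.13.20 are made up for this example).
SAMPLE_OUTPUT = """\
ASA#show crypto isakmp sa
   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 10.7.13.20
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG_6
2   IKE Peer: 192.0.2.45
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
3   IKE Peer: 198.51.100.9
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")

# Causes the Cisco troubleshooting document (linked in the thread) ties to a
# state. Only the two states quoted in the thread are mapped here.
KNOWN_CAUSES = {
    "MM_WAIT_MSG4": "peer IP address not configured correctly in the ASA crypto configuration",
    "MM_WAIT_MSG6": "mismatched pre-shared key during phase 1 (main mode) negotiation",
}


def normalize_state(state):
    """ASA prints both MM_WAIT_MSG6 and MM_WAIT_MSG_6; collapse to one spelling."""
    return re.sub(r"^MM_WAIT_MSG_?(\d)$", r"MM_WAIT_MSG\1", state.upper())


def parse_isakmp_sa(text):
    """Return one dict per IKE SA with keys peer, type, role, rekey, state."""
    entries = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            entries.append({"peer": m.group(1)})
            continue
        if not entries:
            continue  # header lines before the first "IKE Peer:" entry
        m = TYPE_RE.search(line)
        if m:
            entries[-1]["type"] = m.group(1)
            entries[-1]["role"] = m.group(2).lower()
            continue
        m = STATE_RE.search(line)
        if m:
            entries[-1]["rekey"] = m.group(1)
            entries[-1]["state"] = normalize_state(m.group(2))
    return entries


def diagnose(entry):
    """Explain one SA's state in terms of the causes quoted in the thread."""
    state = entry.get("state", "")
    role = entry.get("role", "unknown role")
    if state == "MM_ACTIVE":
        return "established: phase 1 complete"
    if state in KNOWN_CAUSES:
        return f"stuck in {state} as {role}: likely {KNOWN_CAUSES[state]}"
    m = re.match(r"MM_WAIT_MSG(\d)", state)
    if m:
        return (f"stuck in {state} as {role}: waiting for main-mode message "
                f"{m.group(1)}; no specific cause mapped in this script")
    return f"state {state or 'unknown'}: not a main-mode wait state handled here"


def triage(text):
    """Parse the command output and return (peer, state, verdict) per SA."""
    return [(e["peer"], e.get("state", "?"), diagnose(e))
            for e in parse_isakmp_sa(text)]


if __name__ == "__main__":
    for peer, state, verdict in triage(SAMPLE_OUTPUT):
        print(f"{peer:16} {state:14} {verdict}")
```

Feed it the pasted output of show crypto isakmp sa from the firewall; an SA that stays in a MM_WAIT_MSGn state across repeated runs is the one to investigate, and the role column tells you which side of the exchange is waiting.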