MM_NO_STATE

Discussion in 'Cisco' started by Tok Tian Hong, Sep 14, 2004.

  1. sydpixvpn# sh isakmp sa
    dst src state pending created
    193.242.15.126 202.17.91.249 MM_NO_STATE 1 0
    202.17.91.249 203.12.153.146 QM_IDLE 0 13
    203.13.237.30 202.17.91.249 QM_IDLE 0 12
    202.17.91.249 210.54.18.24 QM_IDLE 0 1

    Guys,

    What does MM_NO_STATE mean?

    How do I go about troubleshooting it?
    Tok Tian Hong, Sep 14, 2004
    #1

  2. Scooby (Guest)

    "Tok Tian Hong" <> wrote in message
    news:...
    > sydpixvpn# sh isakmp sa
    > dst src state pending created
    > 193.242.15.126 202.17.91.249 MM_NO_STATE 1 0
    > 202.17.91.249 203.12.153.146 QM_IDLE 0 13
    > 203.13.237.30 202.17.91.249 QM_IDLE 0 12
    > 202.17.91.249 210.54.18.24 QM_IDLE 0 1
    >
    > Guys,
    >
    > What does MM_NO_STATE mean?
    >
    > How do I go about troubleshooting it?


    Possible states (per Cisco):

    MM_NO_STATE - The Internet Security Association and Key Management Protocol
    (ISAKMP) SA has been created but nothing else has happened yet.
    MM_SA_SETUP - The peers have agreed on parameters for the ISAKMP SA.
    MM_KEY_EXCH - The peers have exchanged Diffie-Hellman public keys and have
    generated a shared secret. The ISAKMP SA remains unauthenticated.
    MM_KEY_AUTH - The ISAKMP SA has been authenticated. If the router initiated
    this exchange, this state transitions immediately to QM_IDLE and a Quick
    mode exchange begins.
    AG_NO_STATE - The ISAKMP SA has been created but nothing else has happened
    yet.
    AG_INIT_EXCH - The peers have done the first exchange in Aggressive mode but
    the SA is not authenticated.
    AG_AUTH - The ISAKMP SA has been authenticated. If the router initiated this
    exchange, this state transitions immediately to QM_IDLE and a Quick mode
    exchange begins.
    QM_IDLE - The ISAKMP SA is idle. It remains authenticated with its peer and
    may be used for subsequent Quick mode exchanges.


    If you are getting stuck on MM_NO_STATE, it generally means that your
    devices are not agreeing on something during phase 1 negotiations. The best
    thing to do is start with 'debug crypto isakmp'. Then watch your tunnel try
    to come up. If you look closely there may be something obvious, or there
    may not be. There is a good chance that you have a mismatched config - such as
    shared secret, des vs. 3des, group 1 vs group 2, etc... Perhaps there is no
    communication with the remote peer either. These things may show up in the
    debug.

    Good luck,

    Jim
    Scooby, Sep 14, 2004
    #2
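As an added example (not code from the thread or from Cisco), the script below does the two things the reply above describes by hand: it parses `sh isakmp sa` / `show crypto isakmp sa` output and flags every peer whose phase 1 never reached QM_IDLE, annotated with the Cisco state meanings quoted above, and it extracts the phase 1 parameters (`crypto isakmp policy` blocks and `crypto isakmp key` lines) from two IOS-style running configs and reports whether any policy pair and the pre-shared keys can agree, which is the mismatch that `debug crypto isakmp` would otherwise have to reveal. The sample SA table is the one from the first post; the two router configs are constructed for the example, and the IOS 12.x policy defaults (des / sha / rsa-sig / group 1) applied to unset attributes are an assumption.

```python
"""Triage helpers for an IKEv1 peer that sits in MM_NO_STATE.

Added example, not code from the thread: parses 'sh isakmp sa' output to
flag peers whose phase 1 never reached QM_IDLE, then extracts phase 1
parameters from two IOS-style configs and reports the policy or
pre-shared-key disagreement that 'debug crypto isakmp' would expose.
"""
import re

# State descriptions as quoted (from Cisco) in the reply above.
STATE_MEANING = {
    "MM_NO_STATE": "ISAKMP SA created, nothing else has happened yet",
    "MM_SA_SETUP": "peers agreed on ISAKMP SA parameters",
    "MM_KEY_EXCH": "Diffie-Hellman done, SA still unauthenticated",
    "MM_KEY_AUTH": "ISAKMP SA authenticated",
    "AG_NO_STATE": "aggressive mode: SA created, nothing else yet",
    "AG_INIT_EXCH": "aggressive mode: first exchange done, unauthenticated",
    "AG_AUTH": "aggressive mode: SA authenticated",
    "QM_IDLE": "phase 1 complete, SA usable for Quick mode",
}
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_ROW = re.compile(rf"^\s*(?P<dst>{IP})\s+(?P<src>{IP})\s+(?P<state>[A-Z_]+)")

def parse_isakmp_sa(output):
    """One dict per SA row; the prompt and header lines do not match."""
    return [m.groupdict() for m in map(SA_ROW.match, output.splitlines()) if m]

def stuck_sas(output):
    """Rows that never reached QM_IDLE, annotated with what the state means."""
    return [dict(row, meaning=STATE_MEANING.get(row["state"], "unknown state"))
            for row in parse_isakmp_sa(output) if row["state"] != "QM_IDLE"]

# Assumed IOS 12.x defaults for attributes a policy leaves unset.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}
SUBCMD = {"encr": "encr", "encryption": "encr", "hash": "hash",
          "authentication": "auth", "group": "group", "lifetime": "lifetime"}
ATTRS = ("encr", "hash", "auth", "group")  # lifetime is negotiated, not matched

def phase1_params(config):
    """Collect 'crypto isakmp policy' blocks and the pre-shared key per peer."""
    policies, keys, current = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(POLICY_DEFAULTS)
            continue
        m = re.match(r"crypto isakmp key (?:(\d) )?(\S+) address (\S+)", line)
        if m:
            # A type digit ('key 6 ...') means the key is stored encrypted and
            # cannot be compared textually, so record it as unknown.
            keys[m.group(3)] = None if m.group(1) else m.group(2)
            current = None
            continue
        words = line.split()
        if current is not None and len(words) > 1 and words[0] in SUBCMD:
            policies[current][SUBCMD[words[0]]] = " ".join(words[1:])
        else:
            current = None  # anything else ends the policy block
    if not policies:
        policies[65535] = dict(POLICY_DEFAULTS)  # IOS falls back to its default policy
    return {"policies": policies, "keys": keys}

def phase1_mismatches(cfg_a, cfg_b, addr_a, addr_b):
    """Reasons phase 1 between A (at addr_a) and B (at addr_b) cannot complete.
    Empty means some policy pair agrees on all of ATTRS and both sides hold
    the same pre-shared key for the other's address."""
    a, b = phase1_params(cfg_a), phase1_params(cfg_b)
    problems = []
    agree = [(na, nb) for na, pa in a["policies"].items()
             for nb, pb in b["policies"].items()
             if all(pa[k] == pb[k] for k in ATTRS)]
    if not agree:
        problems.append("no ISAKMP policy pair agrees on " + "/".join(ATTRS))
    key_ab, key_ba = a["keys"].get(addr_b), b["keys"].get(addr_a)
    if key_ab is None or key_ba is None:
        problems.append("pre-shared key missing or stored encrypted on one side")
    elif key_ab != key_ba:
        problems.append("pre-shared keys differ")
    return problems

# Sample SA table from the first post, and two constructed router configs.
SAMPLE_SA = """\
dst src state pending created
193.242.15.126 202.17.91.249 MM_NO_STATE 1 0
202.17.91.249 203.12.153.146 QM_IDLE 0 13
"""
CFG_A = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key sharedSecret address 10.10.10.2
"""
# B only differs from A in the DH group; B_FIXED puts the group back in step.
CFG_B = CFG_A.replace("group 2", "group 1").replace("10.10.10.2", "10.10.10.1")
CFG_B_FIXED = CFG_B.replace("group 1", "group 2")
```

Calling `stuck_sas(SAMPLE_SA)` returns only the 193.242.15.126 row with its MM_NO_STATE meaning attached; `phase1_mismatches(CFG_A, CFG_B, "10.10.10.1", "10.10.10.2")` reports that no policy pair agrees (group 2 vs group 1), and the same call with `CFG_B_FIXED` returns an empty list. The key comparison only works when both configs show the key in clear text; once `service password-encryption` or a type-6 key is in use the script reports the key as unknown rather than guessing, and the check has to be done on the device.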

  3. Thank you, Scooby, for the detailed explanation.

    Thank you.

    "Scooby" <> wrote in message news:<uWs1d.954$>...
    > "Tok Tian Hong" <> wrote in message
    > news:...
    > > sydpixvpn# sh isakmp sa
    > > dst src state pending created
    > > 193.242.15.126 202.17.91.249 MM_NO_STATE 1 0
    > > 202.17.91.249 203.12.153.146 QM_IDLE 0 13
    > > 203.13.237.30 202.17.91.249 QM_IDLE 0 12
    > > 202.17.91.249 210.54.18.24 QM_IDLE 0 1
    > >
    > > Guys,
    > >
    > > What does MM_NO_STATE mean?
    > >
    > > How do I go about troubleshooting it?

    >
    > Possible states (per Cisco):
    >
    > MM_NO_STATE - The Internet Security Association and Key Management Protocol
    > (ISAKMP) SA has been created but nothing else has happened yet.
    > MM_SA_SETUP - The peers have agreed on parameters for the ISAKMP SA.
    > MM_KEY_EXCH - The peers have exchanged Diffie-Hellman public keys and have
    > generated a shared secret. The ISAKMP SA remains unauthenticated.
    > MM_KEY_AUTH - The ISAKMP SA has been authenticated. If the router initiated
    > this exchange, this state transitions immediately to QM_IDLE and a Quick
    > mode exchange begins.
    > AG_NO_STATE - The ISAKMP SA has been created but nothing else has happened
    > yet.
    > AG_INIT_EXCH - The peers have done the first exchange in Aggressive mode but
    > the SA is not authenticated.
    > AG_AUTH - The ISAKMP SA has been authenticated. If the router initiated this
    > exchange, this state transitions immediately to QM_IDLE and a Quick mode
    > exchange begins.
    > QM_IDLE - The ISAKMP SA is idle. It remains authenticated with its peer and
    > may be used for subsequent Quick mode exchanges.
    >
    >
    > If you are getting stuck on MM_NO_STATE, it generally means that your
    > devices are not agreeing on something during phase 1 negotiations. The best
    > thing to do is start with 'debug crypto isakmp'. Then watch your tunnel try
    > to come up. If you look closely there may be something obvious, or there
    > may not be. There is a good chance that you have a mismatched config - such as
    > shared secret, des vs. 3des, group 1 vs group 2, etc... Perhaps there is no
    > communication with the remote peer either. These things may show up in the
    > debug.
    >
    > Good luck,
    >
    > Jim
    Tok Tian Hong, Sep 15, 2004
    #3
  4. Tok Tian Hong

    Joined: Sep 28, 2007
    Messages: 4
    Hi, this is from 6 years ago so I may not get any help here, but it's worth a shot...

    I am getting this:
    1841#show crypto isakmp sa
    dst src state conn-id slot status

    2620#show crypto isakmp sa
    dst src state conn-id slot
    10.10.10.1 10.10.10.2 MM_NO_STATE 1 0


    I recently changed a router and T line and copied the tunnel code to the new router.

    I need PCs on LAN1 to ping PCs on LAN2.
    What I have now is just that the routers are able to ping everything everywhere, but not the LANs.

    From router #1 CLI I can ping 192.168.1.1 or any device on its network
    and
    from router #2 CLI I can ping 172.16.1.2 or any device on its network.

    But locally, on the network devices on the router #1 network side,
    I cannot ping the router #2 network devices (a PC in LAN1 cannot ping a PC in LAN2), and vice versa.

    =====IP Legend=====
    (did a replace on the first three nums of each)

    Router#1 Serial IP 111.111.111.202
    Router#1 IP 222.222.222.2

    Router#2 Serial IP 333.333.333.122
    Router#2 IP 444.444.444.160
    =================
    __
    config Router #1
    __

    C1-1841#sh run
    Building configuration...

    Current configuration : 5645 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 1841
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    ip inspect name fw1 cuseeme
    ip inspect name fw1 ftp
    ip inspect name fw1 udp
    ip inspect name fw1 vdolive
    ip inspect name fw1 streamworks
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    !
    !
    controller T1 0/0/0
    framing esf
    linecode b8zs
    channel-group 0 timeslots 1-24
    !
    controller T1 0/0/1
    framing esf
    linecode b8zs
    channel-group 0 timeslots 1-24
    !
    !
    crypto isakmp key none address 10.10.10.2
    !
    !
    crypto ipsec transform-set s1s2 esp-des esp-sha-hmac
    !
    crypto map vpn local-address Tunnel0
    crypto map vpn 10 ipsec-isakmp
    ! Incomplete
    set peer 10.10.10.2
    set transform-set s1s2
    match address 108
    !
    !
    !
    interface Tunnel0
    ip address 10.10.10.1 255.255.255.0
    tunnel source 111.111.111.202
    tunnel destination 333.333.333.122
    crypto map vpn
    !
    interface MFR1
    mtu 4470
    no ip address
    no ip redirects
    no ip proxy-arp
    encapsulation frame-relay IETF
    no ip mroute-cache
    load-interval 30
    no arp frame-relay
    frame-relay multilink bid to gw
    frame-relay lmi-type ansi
    !
    interface MFR1.500 point-to-point
    ip address 111.111.111.202 255.255.255.252
    no ip redirects
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    no arp frame-relay
    frame-relay interface-dlci 500 IETF
    !
    interface FastEthernet0/0
    ip address 172.16.1.2 255.255.248.0 secondary
    ip address 222.222.222.1 255.255.255.0
    no ip redirects
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0/0/0:0
    mtu 4470
    bandwidth 1536
    no ip address
    no ip redirects
    no ip proxy-arp
    encapsulation frame-relay MFR1
    no arp frame-relay
    !
    interface Serial0/0/1:0
    mtu 4470
    bandwidth 1536
    no ip address
    no ip redirects
    no ip proxy-arp
    encapsulation frame-relay MFR1
    no arp frame-relay
    !
    router eigrp 100
    network 10.10.10.0 0.0.0.255
    network 10.10.12.0 0.0.0.255
    network 172.16.0.0 0.0.7.255
    no auto-summary
    no eigrp log-neighbor-changes
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 MFR1.500
    !
    !
    ip http server
    no ip http secure-server
    ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
    ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
    ip nat inside source list 120 pool swimpool overload
    ip nat inside source route-map nonat interface MFR1.500 overload
    ip nat inside source static 172.16.1.18 222.222.222.18
    ip nat inside source static tcp 172.16.1.84 110 222.222.222.84 110 extendable
    ip nat inside source static tcp 172.16.1.105 105 222.222.222.105 105 extendable
    ip nat inside source static 172.16.1.105 222.222.222.105
    ip nat inside source static tcp 172.16.1.104 8089 222.222.222.107 8089 extendable
    ip nat inside source static 172.16.1.108 222.222.222.108
    ip nat inside source static tcp 172.16.1.112 80 222.222.222.112 80 extendable
    ip nat inside source static tcp 172.16.1.113 1433 222.222.222.113 1433 extendable
    ip nat inside source static tcp 172.16.1.117 20 222.222.222.117 20 extendable
    ip nat inside source static tcp 172.16.1.117 21 222.222.222.117 21 extendable
    ip nat inside source static tcp 172.16.1.22 80 222.222.222.120 80 extendable
    ip nat inside source static tcp 172.16.1.122 25 222.222.222.122 25 extendable
    ip nat inside source static 172.16.1.126 222.222.222.126
    ip nat inside source static tcp 172.16.1.128 3389 222.222.222.128 3389 extendable
    ip nat inside source static 172.16.1.250 222.222.222.250
    ip nat inside source static 172.16.1.251 222.222.222.251
    ip nat inside source static 172.16.1.252 222.222.222.252
    ip nat inside source static 172.16.1.253 222.222.222.253
    !
    access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.0.0 0.0.7.255 any
    access-list 100 permit ip 172.16.0.0 0.0.0.255 any
    access-list 101 permit icmp any any echo
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any unreachable
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit tcp any any established
    access-list 101 permit tcp any any eq telnet
    access-list 101 permit gre any any
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any eq domain any
    access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
    access-list 109 deny ip host 172.16.172.249 any
    access-list 120 deny ip host 172.16.1.2 any
    access-list 120 deny ip host 172.16.1.47 any
    access-list 120 deny ip host 172.16.1.67 any
    access-list 120 deny ip host 172.16.1.106 any
    access-list 120 deny ip host 172.16.1.113 any
    access-list 120 deny ip host 172.16.1.114 any
    access-list 120 deny ip host 172.16.1.117 any
    access-list 120 deny ip host 172.16.1.125 any
    access-list 120 deny ip host 172.16.1.18 any
    access-list 120 permit ip 172.16.0.0 0.0.7.255 any
    access-list 120 deny ip host 172.16.1.124 any
    access-list 120 deny ip host 172.16.1.243 any
    access-list 120 deny ip host 172.16.1.90 any
    access-list 120 deny ip host 172.16.1.91 any
    access-list 120 deny ip host 172.16.1.104 any
    access-list 120 deny ip host 172.16.1.122 any
    access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
    access-list 130 permit ip 172.16.0.0 0.0.7.255 any
    disable-eadi
    !
    route-map nonat permit 10
    match ip address 130
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    exec-timeout 20 0
    line aux 0
    line vty 0 4
    login
    !
    scheduler allocate 20000 1000
    end


    __
    config router #2
    __

    Building configuration...

    Current configuration : 2337 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname 2620
    !
    no logging console
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 5
    authentication pre-share
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key none address 10.10.10.1
    !
    !
    crypto ipsec transform-set Best esp-3des esp-sha-hmac
    crypto ipsec transform-set s2s1 esp-des esp-sha-hmac
    !
    crypto map MyMap 10 ipsec-isakmp
    set peer 111.111.111.202
    set transform-set Best
    match address 100
    !
    crypto map vpn local-address Tunnel0
    crypto map vpn 10 ipsec-isakmp
    set peer 10.10.10.1
    set transform-set s2s1
    match address 108
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel0
    ip address 10.10.10.2 255.255.255.0
    tunnel source 333.333.333.122
    tunnel destination 111.111.111.202
    crypto map vpn
    !
    interface FastEthernet0/0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    !
    interface Serial0/0
    ip address 333.333.333.122 255.255.255.252
    ip nat outside
    encapsulation ppp
    service-module t1 timeslots 1-24
    crypto map vpn
    !
    router eigrp 100
    network 10.10.10.0 0.0.0.255
    network 192.168.1.0
    no auto-summary
    !
    ip nat pool swim 444.444.444.161 444.444.444.174 netmask 255.255.255.240
    ip nat inside source route-map nonat pool swim overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 333.333.333.121
    no ip http server
    !
    access-list 100 permit ip 444.444.444.160 0.0.0.15 172.16.0.0 0.0.7.255
    access-list 100 permit ip 444.444.444.160 0.0.0.15 222.222.222.0 0.0.0.63
    access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
    access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
    access-list 109 permit ip 192.168.1.0 0.0.0.255 any
    access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
    access-list 110 permit ip host 222.222.222.2 host 444.444.444.161
    access-list 110 permit ip host 444.444.444.161 host 222.222.222.2
    access-list 111 permit ip any host 444.444.444.162
    access-list 111 permit ip any host 444.444.444.172
    route-map nonat permit 10
    match ip address 109
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 20 0
    line aux 0
    line vty 0 4
    session-timeout 20
    exec-timeout 20 0
    no login
    !
    end
    , May 26, 2010
    #4
