I had to troubleshoot a site-to-site IPSec VPN on a Cisco ASA firewall in Multiple Context mode. The IKE Phase 1 state was stuck in MM_WAIT_MSG2, so IKE Phase 1 could not be established. The VPN tunnel had previously been working and there were no changes on the ASA firewall. The IKE Phase 1 policies were the same on both ends, and debug showed that both Security Association (SA) peers were reachable (ISAKMP/UDP 500 was open).
ciscoasa/VPN# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.8.6.4
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Using the show crypto isakmp sa detail command revealed something strange: Encrypt: aes-256, which is not configured in this context (it is configured on the remote Cisco ASA though), and Lifetime: 0 (no timer counting down).
ciscoasa/VPN# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.8.6.4
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
There are no IKEv2 SAs
The local Cisco ASA had only a single ISAKMP/IKE Phase 1 policy, with AES-128 for encryption. I searched for a Cisco bug but found none.
ciscoasa/VPN# show run crypto
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
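As an added example (not from the original post), here is a short Python check that parses the show crypto isakmp sa detail output and the show run crypto output above and flags the three symptoms seen here: a Phase 1 state other than MM_ACTIVE, an SA cipher that no local ikev1 policy configures, and a Lifetime of 0. The sample strings are constructed copies of the outputs on this page; in practice the text would be captured from the ASA.

```python
import re
# Constructed sample of "show crypto isakmp sa detail" for the stuck tunnel on the page.
SAMPLE_STUCK = """\
IKEv1 SAs:
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
1   IKE Peer: 202.8.6.4
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0
"""
# Constructed sample of the context's "show run crypto": one policy, 'encryption aes' (AES-128).
SAMPLE_CRYPTO_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
"""
PEER_RE = re.compile(r"\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"\b(Type|Role|Rekey|State|Encrypt|Hash|Auth|Lifetime)\s*:\s*(\S+)")

def parse_ikev1_sas(text):
    """One dict per IKE peer block; later 'Key : value' pairs attach to the current peer."""
    sas = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            sas.append({"peer": m.group(1)})
        elif sas:
            for key, val in FIELD_RE.findall(line):
                sas[-1][key] = val
    return sas

def configured_encryptions(config):
    """Encryption values from every 'crypto ikev1 policy' block in the running config."""
    return set(re.findall(r"^\s*encryption\s+(\S+)", config, re.M))

def check_sa(sa, allowed):
    """Flag the symptoms from the post: not MM_ACTIVE, cipher not in any local policy, lifetime 0."""
    findings = []
    if sa.get("State") != "MM_ACTIVE":
        findings.append(f"phase 1 not active: state {sa.get('State')}")
    if sa.get("Encrypt") not in allowed:
        findings.append(f"SA encrypt {sa.get('Encrypt')} not in configured policies {sorted(allowed)}")
    if sa.get("Lifetime") == "0":
        findings.append("lifetime 0: SA is not counting down")
    return findings

def audit(show_output, config):
    """Map each peer to its list of findings (an empty list means the SA looks healthy)."""
    allowed = configured_encryptions(config)
    return {sa["peer"]: check_sa(sa, allowed) for sa in parse_ikev1_sas(show_output)}
```

Calling audit(SAMPLE_STUCK, SAMPLE_CRYPTO_CONFIG) reports all three findings for peer 202.8.6.4, while the healthy MM_ACTIVE output later in the post reports none.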
I tried re-configuring the GRE tunnel and crypto map, adding an IKE Phase 1 policy using AES-256 for encryption, re-configuring the tunnel-group and changing the IP address for the interesting traffic/ACL, but I still got the same Encrypt: aes-256 and Lifetime: 0 output.
I was able to fix the issue by re-applying the VPN license for the VPN context resource class/limit under the "system" context.
ciscoasa/VPN# changeto system
ciscoasa#
ciscoasa# show run class
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
class VPN
limit-resource VPN Other 10
ciscoasa# conf t
ciscoasa(config)# context VPN
ciscoasa(config-ctx)# no member VPN
ciscoasa(config-ctx)# member VPN
ciscoasa(config-ctx)# write memory
Building configuration...
Cryptochecksum: 0474f6fe d84a31ed a692dca2 ab52fd98
7473 bytes copied in 0.960 secs
[OK]
After the VPN resource class was re-applied, the IKE Phase 1 SA established with the correct encryption (aes-128) and the "Lifetime Remaining" counter had restarted.
ciscoasa/VPN# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.8.6.4
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 43200
Lifetime Remaining: 43197
There are no IKEv2 SAs