Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IPSec VPN problem

Status
Not open for further replies.
jamesjames1

jamesjames1

Technical User
Jun 18, 2004
81
0
0
GB
Hi,

I am trying to get a tunnel up between a Cisco 800 series router and a Netscreen SSG box.

I am failing on Phase 1 of the negotiations. From what I can work out the initiating VPN box (netscreen) isnt receiving a reply from the cisco and therefore failing on phase 1.

I know that both machines are seeing each other as on botht eh NS and cisco are logging the same type of thing. I dont have access to the cisco but do the NS.

The logs on the NS are not good but are basically a debug on the IKE.

I have chedked the SA life times on both, I have checked that the phase 1 proposals are matching and they are. I am fairly familiar with juniper and am used to seeing some sort of useful error.

Does anyone have any ideas where to look, what is up?

I have succesfully initiated a tunel between the same router and a different Juniper SSG box with out any issues....

Here are my logs..

## 2008-08-06 22:43:45 : IKE<2.2.2.2> re-trans timer expired, msg retry (9) (10003/1)
## 2008-08-06 22:43:45 : IKE<2.2.2.2> Responder sending IPv4 IP 2.2.2.2/port 500
## 2008-08-06 22:43:45 : IKE<2.2.2.2> Send Phase 1 packet (len=160)
## 2008-08-06 22:43:45 : IKE<2.2.2.2> ike packet, len 208, action 1
## 2008-08-06 22:43:45 : IKE<2.2.2.2> Catcher: received 180 bytes from socket.
## 2008-08-06 22:43:45 : IKE<2.2.2.2> ****** Recv packet if <ethernet1/1> of vsys <Root> ******
## 2008-08-06 22:43:45 : IKE<2.2.2.2> Catcher: get 180 bytes. src port 500
## 2008-08-06 22:43:45 : IKE<0.0.0.0 > ISAKMP msg: len 180, nxp 1[SA], exch 2[MM], flag 00
## 2008-08-06 22:43:45 : IKE<2.2.2.2 > Recv : [SA] [VID] [VID] [VID]
## 2008-08-06 22:43:45 : IKE<2.2.2.2> Receive re-transmit IKE packet phase 1 SA(2.2.2.2) exchg(2) len(180)
## 2008-08-06 22:43:49 : IKE<2.2.2.2> re-trans timer expired, msg retry (10) (10003/1)
## 2008-08-06 22:43:49 : IKE<2.2.2.2> Responder sending IPv4 IP 2.2.2.2/port 500
## 2008-08-06 22:43:49 : IKE<2.2.2.2> Send Phase 1 packet (len=160)


 
Sort by date Sort by votes
Well, make sure group policies match (passwords, Diffie-Hellman group, etc.), make sure the right interesting traffic is specified in the acl, and make sure that port 500 is not blocked on the Cisco side. It would be best to have access to the Cisco, so we can compare configs, and see what happens when the Cisco box tries to initiate the VPN.

Burt
 
Upvote 0 Downvote
I got the logs from the Cisco. Want any more information?

*Apr 11 11:57:39.779: ISAKMP: received ke message (1/1)
*Apr 11 11:57:39.779: ISAKMP: set new node 0 to QM_IDLE
*Apr 11 11:57:39.779: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 213.83.110.149, remote 2.2.2.2)
*Apr 11 11:57:39.783: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Apr 11 11:57:39.783: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
*Apr 11 11:57:39.783: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Apr 11 11:57:39.783: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 11 11:57:45.111: ISAKMP:(0:12:HW:2):purging node -1262882468
*Apr 11 11:57:45.123: ISAKMP (0:268435468): received packet from 1.1.1.1(cisco) dport 500 sport 500 Global (R) QM_IDLE
*Apr 11 11:57:45.123: ISAKMP: set new node -328225153 to QM_IDLE
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2): processing HASH payload. message ID = -328225153
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -328225153, sa = 823EF804
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2):deleting node -328225153 error FALSE reason "Informational (in) state 1"
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2):DPD/R_U_THERE received from peer 1.1.1.1(cisco), sequence 0x6034DCB6
*Apr 11 11:57:45.127: ISAKMP: set new node 1189941959 to QM_IDLE
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2183267240, message ID = 1189941959
*Apr 11 11:57:45.127: ISAKMP:(0:12:HW:2): seq. no 0x6034DCB6
*Apr 11 11:57:45.131: ISAKMP:(0:12:HW:2): sending packet to 1.1.1.1(cisco) my_port 500 peer_port 500 (R) QM_IDLE
*Apr 11 11:57:45.131: ISAKMP:(0:12:HW:2):purging node 1189941959
*Apr 11 11:57:45.131: ISAKMP:(0:12:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Apr 11 11:57:45.131: ISAKMP:(0:12:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
 
Upvote 0 Downvote
Looks like from first glance that the IKE keepalives are mismatched---phase 1 is indeed completing with the Cisco. What happens when the Cisco initiates the session???

Burt
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DavidSigma
  • Locked
  • Question
CP7861 problem
Replies
0
Views
53
DavidSigma
DavidSigma
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
42
quazimotto
quazimotto
khashyar2021
  • Locked
  • Question
Problem with cisco switch after upgrading
Replies
1
Views
74
Geraldine Souza
Geraldine Souza
canflyguy
  • Locked
  • Question
Cisco RV-340 SIP problem
Replies
1
Views
64
DrB0b
DrB0b
napoleao
  • Locked
  • Question
IPSec VPN
Replies
3
Views
47
napoleao
napoleao

Part and Inventory Search

Sponsor

Back
Top