VPN not passing traffic

Status
Not open for further replies.

MRALC

IS-IT--Management
Feb 21, 2002
8
GB
Hi All,

I hope you can help, as I have been trying to get this to work for the last couple of days.

We had a NetScreen in our office to support our remote site: a 5GT with policy-based VPN tunnels to the remote site, which also runs a 5GT. We have more than 10 sites to support, so I got a second-hand NS204, erased it to factory settings and upgraded the firmware to 5.4.

I can get the tunnel to come up and can see the SA status is active under the monitor status on both NetScreens, but I can't seem to pass any traffic via the VPN tunnel. If I enable logging on the policy on both NetScreens, I can see the traffic going out on the NS204, but no data in the logs on the 5GT at the remote site.

I have tried most things and have got the NS204 talking to other NetScreen 5GTs fine!

Hope someone can help.

Thanks

Al
 
Hello,

I would enable debugging on each end of the tunnel and check the db stream. I would also try and use a few flow filters.

On 204:
set ff dst-ip x.x.x.x ip-proto 1
set ff dst-ip y.y.y.y ip-proto 50

On 5GT:
set ff src-ip y.y.y.y ip-proto 50
set ff src-ip z.z.z.z ip-proto 1
set ff dst-ip x.x.x.x ip-proto 1

NOTE:
x.x.x.x = trust ip on 5gt
y.y.y.y = 5gt untrust ip
z.z.z.z = trust ip on 204

debug flow basic <-- on both NS's
clear db <-- on both NS's

From 204:
ping x.x.x.x from (trust interface)

get db str <-- on both NS's

undebug all
clear db

If you like, feel free to paste the results of "get db str" to this site.



Rgds,

John
 
Hi, thanks for your reply, sorry I have not posted before!

Here is the output.

I have changed the real IP addresses to:

ns204IP is the untrust interface of the 204.
NS204GatewayIP is the router IP.
NS5GTIP is the untrust interface of the 5GT.

# 2007-03-30 11:54:02 : NHTB entry search found: vpn none tif tunnel.2 nexthop

192.168.35.1 tunnelid 0x4, flag 0x1, status 8

****** 265384.0: <Self/self> packet received [128]******

ipid = 9410(24c2), @c25349d4

flow_self_vector2: send pack with current vid =0, enc_size:0

processing packet through normal path.

packet passed sanity check.

self:192.168.2.1/2500->192.168.35.1/1024,1(8/0)<Root>

no session found

created new session from self 126872

search route to (null, 0.0.0.0->192.168.35.1) in vr trust-vr for vsd-0/flag-2

00/ifp-tunnel.2

[ Dest] 7.route 192.168.35.1->192.168.35.1, to tunnel.2

routed 192.168.35.1 next hop 192.168.35.1, from self

existing vector list 4-55cdd10.

processing packet from self

flow_first_install_session======>

flow got session.

flow session id 126872

skip ttl adjust for packet from self.

skipping pre-frag

going into tunnel 40000004.

flow_encrypt: pipeline.

chip info: PIO. Tunnel id 00000004

(vn2) doing ESP encryption and size =136

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

put packet(5579cb0) into flush queue.

remove packet(5579cb0) out from flush queue.



**** jump to packet:ns204IP->NS5gtIP

out encryption tunnel 40000004 gw:NS204GatewayIP

no more encapping needed

send out through normal path.

flow_ip_send: 24c4:ns204IP->NS5gtIP => ethernet3(184) flag 0x2

0080, vlan 0

mac 000c466e98e6 in session

Send to ethernet3 (198)

**** pak processing end.

****** 265384.0: <Untrust/ethernet3> packet received [184]******

ipid = 31164(79bc), @d784b910

packet passed sanity check.

ethernet3:ns204IP/29457->NS5gtIP /13752,50<Root>

existing session found. sess token 6

flow got session.

flow session id 127769

flow_decrypt: 4b526d8(b), flow_decrypt: 4b526d8(b)pipeline.

IPv4 encrypted pak.

Dec: SPI = 731135b8, Data Len = 184

SA tunnel id=0x00000004, flag<00002067>

chip info: DMA. Tunnel id 00000004

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

## 2007-03-30 11:54:03 : NHTB entry search found: vpn none tif tunnel.2 nexthop

192.168.35.1 tunnelid 0x4, flag 0x1, status 8

****** 265385.0: <Self/self> packet received [128]******

ipid = 9413(24c5), @c25349d4

flow_self_vector2: send pack with current vid =0, enc_size:0

processing packet through normal path.

packet passed sanity check.

self:192.168.2.1/2600->192.168.35.1/1024,1(8/0)<Root>

no session found

created new session from self 127276

search route to (null, 0.0.0.0->192.168.35.1) in vr trust-vr for vsd-0/flag-2

00/ifp-tunnel.2

[ Dest] 7.route 192.168.35.1->192.168.35.1, to tunnel.2

routed 192.168.35.1 next hop 192.168.35.1, from self

existing vector list 4-55cdd10.

processing packet from self

flow_first_install_session======>

flow got session.

flow session id 127276

skip ttl adjust for packet from self.

skipping pre-frag

going into tunnel 40000004.

flow_encrypt: pipeline.

chip info: PIO. Tunnel id 00000004

(vn2) doing ESP encryption and size =136

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

put packet(5579cb0) into flush queue.

remove packet(5579cb0) out from flush queue.



**** jump to packet:ns204IP->NS5gtIP
out encryption tunnel 40000004 gw:NS204GatewayIP

no more encapping needed

send out through normal path.

flow_ip_send: 24c7:ns204IP->NS5gtIP,50 => ethernet3(184) flag 0x2

0080, vlan 0

mac 000c466e98e6 in session

Send to ethernet3 (198)

**** pak processing end.

****** 265385.0: <Untrust/ethernet3> packet received [184]******

ipid = 31166(79be), @d784c910

packet passed sanity check.

ethernet3:ns204IP/29457->NS5gtIP/13752,50<Root>

existing session found. sess token 6

flow got session.

flow session id 127769

flow_decrypt: 4b526d8(b), flow_decrypt: 4b526d8(b)pipeline.

IPv4 encrypted pak.

Dec: SPI = 731135b8, Data Len = 184

SA tunnel id=0x00000004, flag<00002067>

chip info: DMA. Tunnel id 00000004

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

## 2007-03-30 11:54:04 : NHTB entry search found: vpn none tif tunnel.2 nexthop

192.168.35.1 tunnelid 0x4, flag 0x1, status 8

****** 265386.0: <Self/self> packet received [128]******

ipid = 9416(24c8), @c25349d4

flow_self_vector2: send pack with current vid =0, enc_size:0

processing packet through normal path.

packet passed sanity check.

self:192.168.2.1/2700->192.168.35.1/1024,1(8/0)<Root>

no session found

created new session from self 127985

search route to (null, 0.0.0.0->192.168.35.1) in vr trust-vr for vsd-0/flag-2

00/ifp-tunnel.2

[ Dest] 7.route 192.168.35.1->192.168.35.1, to tunnel.2

routed 192.168.35.1 next hop 192.168.35.1, from self

existing vector list 4-55cdd10.

processing packet from self

flow_first_install_session======>

flow got session.

flow session id 127985

skip ttl adjust for packet from self.

skipping pre-frag

going into tunnel 40000004.

flow_encrypt: pipeline.

chip info: PIO. Tunnel id 00000004

(vn2) doing ESP encryption and size =136

ipsec encrypt prepare engine done

ipsec encrypt set engine done

ipsec encrypt engine released

ipsec encrypt done

put packet(5579cb0) into flush queue.

remove packet(5579cb0) out from flush queue.

-----

Thanks for your help.

al
 
Hi,

OK, it appears your traffic is being routed, permitted and encrypted on this end OK. Do you have the debug output from the remote NetScreen? Please post it.

Rgds,

John
 
Here you go.

Al

--------------


## 14:08:47 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:47 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:47 : IKE<ns204IP > ****** Recv kernel msg IDX-0, TYPE-5 ******

## 14:08:47 : IKE<ns204IP > Phase 1: Initiated negotiation in main mode.

<NS5GTIP => ns204IP >

## 14:08:47 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:47 : IKE<ns204IP > Construct [SA] for ISAKMP

## 14:08:47 : IKE<ns204IP > Construct NetScreen [VID]

## 14:08:47 : IKE<ns204IP > Construct custom [VID]

## 14:08:47 : IKE<ns204IP > Xmit : [SA] [VID] [VID]

## 14:08:47 : IKE<ns204IP > ****** Recv packet if <adsl1> of vsys <Root>

******

## 14:08:47 : IKE<ns204IP > Recv : [SA] [VID] [VID] [VID]

## 14:08:47 : IKE<ns204IP > Process [VID]:

## 14:08:47 : IKE<ns204IP > Process [VID]:

## 14:08:47 : IKE<ns204IP > rcv non-NAT-Traversal VID payload.

## 14:08:47 : IKE<ns204IP > Process [VID]:

## 14:08:47 : IKE<ns204IP > Process [SA]:

## 14:08:47 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:47 : IKE<ns204IP > Construct [KE] for ISAKMP

## 14:08:47 : IKE<ns204IP > Construct [NONCE]

## 14:08:47 : IKE<ns204IP > Xmit : [KE] [NONCE]

## 14:08:47 : IKE<ns204IP > ****** Recv packet if <adsl1> of vsys <Root>

******

## 14:08:47 : IKE<ns204IP > Recv : [KE] [NONCE]

--- more ---

## 14:08:47 : IKE<ns204IP > Process [KE]:

## 14:08:47 : IKE<ns204IP > Process [NONCE]:

## 14:08:47 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:47 : IKE<ns204IP > Construct [ID] for ISAKMP

## 14:08:47 : IKE<ns204IP > Construct [HASH]

## 14:08:47 : IKE<ns204IP > Xmit*: [ID] [HASH]

## 14:08:48 : IKE<ns204IP > ****** Recv packet if <adsl1> of vsys <Root>

******

## 14:08:48 : IKE<ns204IP > Recv*: [ID] [HASH]

## 14:08:48 : IKE<ns204IP > Process [ID]:

## 14:08:48 : IKE<ns204IP > Process [HASH]:

## 14:08:48 : IKE<ns204IP > Phase 1: Completed Main mode negotiation wit

a <28800>-second lifetime.

## 14:08:48 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:48 : IKE<ns204IP > Construct [HASH]

## 14:08:48 : IKE<ns204IP > Xmit*: [HASH] [DELETE]

## 14:08:48 : IKE<ns204IP > Phase 2: Initiated Quick Mode negotiation.

## 14:08:48 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:48 : IKE<ns204IP > Construct [HASH]

## 14:08:48 : IKE<ns204IP > Construct [SA] for IPSEC

## 14:08:48 : IKE<ns204IP > Construct [NONCE] for IPSec

## 14:08:48 : IKE<ns204IP > Construct [ID] for Phase 2

## 14:08:48 : IKE<ns204IP > Construct [ID] for Phase 2

## 14:08:48 : IKE<ns204IP > Construct [NOTIF] (NOTIFY_NS_NHTB_INFORM) fo

IPSEC

--- more ---

## 14:08:48 : IKE<ns204IP > Xmit*: [HASH] [SA] [NONCE] [ID] [ID] [NOTIF]

## 14:08:48 : IKE<ns204IP > ****** Recv packet if <adsl1> of vsys <Root>

******

## 14:08:48 : IKE<ns204IP > Recv*: [HASH] [SA] [NONCE] [ID] [ID] [NOTIF]

## 14:08:48 : IKE<ns204IP > Process [SA]:

## 14:08:48 : IKE<ns204IP > Process [NONCE]:

## 14:08:48 : IKE<ns204IP > Process [ID]:

## 14:08:48 : IKE<ns204IP > Process [ID]:

## 14:08:48 : IKE<ns204IP > Process [NOTIF]:

## 14:08:48 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:48 : IKE<ns204IP > Construct [HASH]

## 14:08:48 : IKE<ns204IP > Xmit*: [HASH] [DELETE]

## 14:08:48 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:48 : IKE<ns204IP > Phase 2 msg-id <12b94420>: Completed Quick M

de negotiation with SPI <b1408bbb>, tunnel ID <3>, and lifetime <3600> seconds/

0> KB.

## 14:08:48 : IKE<ns204IP > Construct ISAKMP header.

## 14:08:48 : IKE<ns204IP > Construct [HASH] in QM

## 14:08:48 : IKE<ns204IP > Xmit*: [HASH]

## 14:08:49 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:49 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:52 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:52 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:54 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:54 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

--- more ---

## 14:08:57 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8

## 14:08:57 : NHTB entry search found: vpn none tif tunnel.1 nexthop 192.168.2.

tunnelid 0x3, flag 0x1, status 8
 
Hi,

This doesn't really help. Did you apply flow filters at the remote site? We need to see the inbound IPSec packets. So I would apply a filter on the remote firewall that logs ip protocol 50 using the public source IP of the local FW. Keep me posted.

Rgds,

John
 
Netscreen 5GT IP Untrust Address = NS5GTIP
ns 204 IP Untrust Address = ns204IP

****** 2555986.0: <Untrust/adsl1> packet received [112]******

ipid = 11034(2b1a), @03995d44

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2555991.0: <Untrust/adsl1> packet received [112]******

ipid = 11035(2b1b), @03996624

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

--- more ---

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2555996.0: <Untrust/adsl1> packet received [112]******

ipid = 11036(2b1c), @03996f04

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

--- more ---

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2556001.0: <Untrust/adsl1> packet received [112]******

ipid = 11037(2b1d), @039977e4

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

simonlawford-> get db str

****** 2555986.0: <Untrust/adsl1> packet received [112]******

ipid = 11034(2b1a), @03995d44

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2555991.0: <Untrust/adsl1> packet received [112]******

ipid = 11035(2b1b), @03996624

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

--- more ---

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2555996.0: <Untrust/adsl1> packet received [112]******

ipid = 11036(2b1c), @03996f04

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

--- more ---

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2556001.0: <Untrust/adsl1> packet received [112]******

ipid = 11037(2b1d), @039977e4

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2556057.0: <Untrust/adsl1> packet received [112]******

ipid = 11038(2b1e), @039a55c4

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

--- more ---

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP

****** 2556062.0: <Untrust/adsl1> packet received [112]******

ipid = 11039(2b1f), @039a7064

packet passed sanity check.

adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>

existing session found. sess token 3

flow got session.

flow session id 4

flow_decrypt: pipeline.

Dec: SPI=b1408bc0, Data=112

SA tunnel id=0x00000006, flag<00002063>

chip info: PIO. Tunnel id 00000006

ipsec decrypt prepare done

ipsec decrypt set engine done

--- more ---

packet dropped, Auth failed!

PPP decap: got pak for IP: NS5GTIP, selfIP: NS5GTIP
 
Hi,

It looks like the remote firewall is dropping the inbound IPSEC traffic. Can you try to debug IKE on the remote firewall? Also, please enter the "get sa" command and post the output.

debug ike all
clear db
<ping from the local site>
get db str

Rgds,

John
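The debug procedure John describes (flow filters, "debug flow basic", then reading "get db str") produces a long, double-spaced stream in which the one line that matters, "packet dropped, Auth failed!", is easy to miss. The following is an added example and is not code from the thread or from Juniper/NetScreen: a small Python parser that splits a pasted "get db str" stream into packets, records the ingress interface, the src/dst/protocol tuple, the SPI and tunnel id, and whether each packet was encrypted, decrypted or dropped, and then reports any SA whose inbound ESP packets all failed the integrity check. The sample stream is constructed to mirror the shapes seen in this thread; the placeholder names (ns204IP, NS5GTIP) and the SPI and tunnel values in it are taken from the posts only as illustrative text, and the regexes are assumptions about the line formats, not a vendor specification.

```python
"""Parser for ScreenOS 'get db str' output captured after 'debug flow basic'.

Splits the stream into packets and records, per packet, the ingress interface,
the src/dst/protocol tuple, the IPsec SPI and tunnel id, and the final outcome
(encrypt, decrypt, forwarded, or dropped with the firewall's stated reason).
Line formats are assumptions based on the output pasted in this thread.
"""
import re
from collections import Counter

PKT_HDR = re.compile(r'^\*{6}\s*([\d.]+):\s*<([^>]+)>\s*packet received\s*\[(\d+)\]')
TUPLE = re.compile(r'^([\w.]+):([\w.]+)/(\d+)->([\w.]+)\s*/(\d+),(\d+)')
SPI = re.compile(r'Dec:\s*SPI\s*=\s*([0-9a-fA-F]+)')
TUNNEL = re.compile(r'SA tunnel id=0x([0-9a-fA-F]+)')
ENCRYPT = re.compile(r'^going into tunnel\s+([0-9a-fA-F]+)')
DROP = re.compile(r'^packet dropped,\s*(.*?)\s*$')

# Constructed sample modelled on the thread's logs (placeholder names, not real addresses):
# one self-originated ping being encrypted, then two inbound ESP packets that fail the
# integrity check on the receiving firewall.
SAMPLE_DB_STREAM = """\
****** 265384.0: <Self/self> packet received [128]******
ipid = 9410(24c2), @c25349d4
packet passed sanity check.
self:192.168.2.1/2500->192.168.35.1/1024,1(8/0)<Root>
no session found
going into tunnel 40000004.
flow_encrypt: pipeline.
(vn2) doing ESP encryption and size =136
ipsec encrypt done
**** pak processing end.
****** 2555986.0: <Untrust/adsl1> packet received [112]******
ipid = 11034(2b1a), @03995d44
packet passed sanity check.
adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>
existing session found. sess token 3
flow_decrypt: pipeline.
Dec: SPI=b1408bc0, Data=112
SA tunnel id=0x00000006, flag<00002063>
ipsec decrypt set engine done
packet dropped, Auth failed!
--- more ---
****** 2555991.0: <Untrust/adsl1> packet received [112]******
adsl1:ns204IP/45376->NS5GTIP/35776,50<Root>
flow_decrypt: pipeline.
Dec: SPI=b1408bc0, Data=112
SA tunnel id=0x00000006, flag<00002063>
packet dropped, Auth failed!
"""


def parse_db_stream(text):
    """Return one dict per '****** ... packet received' block in the stream."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '--- more ---':      # blank lines and pager prompts
            continue
        m = PKT_HDR.match(line)
        if m:
            cur = {'ts': m.group(1), 'iface': m.group(2), 'size': int(m.group(3)),
                   'src': None, 'dst': None, 'proto': None, 'spi': None,
                   'tunnel': None, 'action': 'forwarded', 'reason': None}
            packets.append(cur)
            continue
        if cur is None:                              # IKE/NHTB chatter before any packet
            continue
        if (m := TUPLE.match(line)):
            cur['src'], cur['dst'], cur['proto'] = m.group(2), m.group(4), int(m.group(6))
        elif (m := SPI.search(line)):
            cur['spi'], cur['action'] = m.group(1).lower(), 'decrypt'
        elif (m := TUNNEL.search(line)):
            cur['tunnel'] = m.group(1).lower()
        elif (m := ENCRYPT.match(line)):
            cur['tunnel'], cur['action'] = m.group(1).lower(), 'encrypt'
        elif (m := DROP.match(line)):
            cur['action'], cur['reason'] = 'dropped', m.group(1)
    return packets


def auth_failures(packets):
    """Packets the firewall dropped because the IPsec integrity check failed."""
    return [p for p in packets
            if p['action'] == 'dropped' and 'auth' in (p['reason'] or '').lower()]


def diagnose(packets):
    """One finding per (tunnel, SPI) whose inbound ESP packets were all dropped for a
    failed integrity check. That pattern commonly means the two peers disagree about
    the SA (keys or integrity algorithm) or the packets were altered in transit, so
    comparing 'get sa' on both ends is the natural next check."""
    by_sa = {}
    for p in packets:
        if p['proto'] == 50 and p['spi']:
            by_sa.setdefault((p['tunnel'], p['spi']), []).append(p)
    findings = []
    for (tun, spi), pk in sorted(by_sa.items()):
        failed = auth_failures(pk)
        if failed and len(failed) == len(pk):
            findings.append(f"tunnel {tun} SPI {spi}: all {len(pk)} inbound ESP packets "
                            f"from {pk[0]['src']} dropped ({pk[0]['reason']})")
    return findings


def outcome_counts(packets):
    """Counter of (iface, src->dst, proto, action) so each direction reads at a glance."""
    return Counter((p['iface'], f"{p['src']}->{p['dst']}", p['proto'], p['action'])
                   for p in packets)


if __name__ == '__main__':
    pkts = parse_db_stream(SAMPLE_DB_STREAM)
    for key, n in outcome_counts(pkts).items():
        print(n, key)
    for finding in diagnose(pkts):
        print('FINDING:', finding)
```

Run it on a saved "get db str" capture from each firewall (replace SAMPLE_DB_STREAM with the file contents) and compare the two summaries: the sending side should show its self-originated packets as "encrypt" on the tunnel, and the receiving side should show the matching inbound protocol-50 packets as "decrypt" rather than "dropped". A finding from diagnose() on the receiving side is the cue to compare "get sa" output on both peers, as the thread's last reply suggests.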
 