SRX Services Gateway
Contributor
Posts: 16
Registered: 01-20-2011

ASA cannot be initiator VPN to Juniper.


Hello

We are trying to connect a Cisco ASA to an SRX240: 3 subnets, route-police. We have a connection (ping) between the subnets, but when the connection drops the ASA cannot initiate the connection, only the Juniper can. Any idea?

 

SRX config (with only one subnet, right now):

interfaces {
    st0 {
        description VPN1;
        unit 0 {
            family inet;
        }
        unit 1 {
            description VPN2;
            family inet;
        }
        unit 2 {
            family inet;
        }
        unit 3 {
            family inet;
        }
    }
}
security {
    ike {
        traceoptions {
            file size 5m;
            flag all;
        }
        proposal ike-proposal-IT {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA
        }
        policy IKEtoIT {
            mode main;
            proposals ike-proposal-IT;
            pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            address xx.xx.xx.xx;
            external-interface ge-0/0/14;
        }
        gateway IT-gate {
            ike-policy IKEtoIT;
            address xx.xx.xx.xx;
            dead-peer-detection;
            external-interface ge-0/0/14;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-IT {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy vpn-policy1 {
            proposal-set standard;
        }
        policy vpn-policy-IT {
            proposals ipsec-proposal-IT;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
        }
        vpn ike-vpn-IT2 {
            bind-interface st0.1;
            ike {
                gateway IT-gate;
                proxy-identity {
                    local 10.10.0.0/16;
                    remote 172.7.0.0/24;
                    service any;
                }
                ipsec-policy vpn-policy-IT;
            }
            establish-tunnels immediately;
        }
    }
}

Cisco config:

name 172.7.0.0 LOC
name 10.10.0.0 REM

access-list VPN_It extended permit ip LOC 255.255.255.0 10.10.0.0 255.255.0.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df OUTSIDE

crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto map OUTSIDE_VPN 1 match address VPN_It
crypto map OUTSIDE_VPN 1 set peer xx.xx.xx.xx
crypto map OUTSIDE_VPN 1 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_VPN 1 set nat-t-disable

tunnel-group xx.xxx.xx.xx type ipsec-l2l
tunnel-group xx.xxx.xx.xx ipsec-attributes
 pre-shared-key xxxxx
 isakmp keepalive disable

and the kmd logs when we restart the ASA.

Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

and when I run

clear security ike security-associations
clear security ipsec security-associations

and restart the VPN on the ASA, then there is no problem initializing the VPN from the ASA side. Can someone help me?

Recognized Expert
Posts: 121
Registered: 08-30-2010

Re: Only ASA cannot initialize VPN to Juniper.

Hi,

 

Can you check and confirm that IKE is enabled under the host inbound services for the security zone that ge-0/0/14 is bound to.

 

Hope this helps.
 
Regards,
Visitor
---
If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated

 

Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

Yep, IKE is enabled. I have a second VPN connection (st0.0) with another SRX and it's working all the time. Any idea?

Contributor
Posts: 19
Registered: 01-17-2011

Re: Only ASA cannot initialize VPN to Juniper.

hello,

You will have to define security policies from the vpn zone to the trust or destination zone to initiate the tunnel from the Cisco ASA.

set security zones security-zone vpn interfaces st0.1

from-zone vpn to-zone trust {
    policy vpn2tr {
        match {
            source-address 172.7.0.0/24;
            destination-address 10.10.0.0/16;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
}

 

 

 

Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

The problem is in the VPN sessions: when the tunnel is down the Juniper stores the old session. I set up

vpn-monitor-options {
    interval 3;
    threshold 5;
}

and now the ASA can initiate the connection, but sometimes before the ASA initiates the connection I receive the error

 Failed to match the peer proxy ids: p2_remote=ipv4_subnet(any:0,[0..7]=172.7.0.0/24) p2_local=ipv4_subnet(any:0,[0..7]=10.10.0.0/16) with the configured proxy ids: remote=ipv4_subnet(any:0,[0..7]=172.7.0.0/24) local=ipv4_subnet(any:0,[0..7]=10.10.)

 

 

Any ideas ?

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: Only ASA cannot initialize VPN to Juniper.

Juniper and Cisco do not use the same default timeouts for IKE/ISAKMP (Phase 1) nor IPsec (Phase 2).

 

Cisco uses a default ISAKMP lifetime of 86400 seconds (24 hours) and IPsec lifetime of 28800 seconds (8 hours).

 

The SRX uses a default IKE (ISAKMP) lifetime of 28800 seconds (8 hours) and IPsec lifetime of 3600 seconds (1 hour).

 

If / when these don't match on the two ends of a VPN tunnel, there can be situations where the tunnel state is out of sync.  One side might think there are established SAs for a tunnel, the other side does not.  I would suggest you tune the timeouts to match on both sides and see if that helps clear up the issues you are seeing.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

Thanks for the help.

I think you are right. I set the lifetime up like on the Cisco and it's much better, but still not perfect. Every 8 h I have a 10 min break before the Juniper creates the tunnel again, and the Juniper is always the initiator. Should I tune the lifetime again? It'll then be different from the Cisco.

Any idea?

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: Only ASA cannot initialize VPN to Juniper.

A couple ideas...

 

1.  Disable vpn-monitor on your SRX side.  vpn-monitor is a Juniper proprietary protocol, the ASA is not going to understand it and is just going to drop the monitor packets.

 

2.  Enable DPD (Dead Peer Detection) on the ASA.  You have it enabled on your SRX with the default settings, which are interval 10 seconds and threshold 5.  On the ASA, the defaults are 10 seconds and interval 2.  You can set the interval/threshold on the ASA to match the SRX, or you can set the SRX to match the ASA defaults.

-kr


Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

"On the ASA, the defaults are 10 seconds and interval 2."

Interval 10 right ?

 

I disabled monitoring and set up DPD, and now the break takes much more time. Any other ideas?

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: Only ASA cannot initialize VPN to Juniper.


lukibest wrote:

"On the ASA, the defaults are 10 seconds and interval 2."

Interval 10 right ?

 

I disabled monitoring and set up DPD, and now the break takes much more time. Any other ideas?


Sorry about that, I rushed through the documentation and wasn't clear.

 

On the ASA, the behavior is as such:

 

isakmp keepalive threshold <threshold> retry <retry-interval>

 

The default threshold is 10, and the default retry-interval is 2 (at least it was last time I checked.)

 

That means that if encrypted traffic is not seen on the tunnel for 10 seconds (the threshold), then the ASA will send a R-U-THERE packet.  If it does not get a response, after 2 seconds (the retry-interval), it will send another R-U-THERE.  It will do this up to 3 times, for a total of 4 R-U-THERE attempts.  If, after 4 R-U-THERE attempts (the initial, plus 3 retries), it does not receive a response, it considers the peer "Dead."

 

The retry-count is not configurable on the ASA, it is hard set to 3, which means 4 total attempts.

 

To make your SRX match, set your dead-peer-detection under the ike gateway with threshold 10 and interval 2.

 

You can do a "show isakmp sa detail" and look at the details of the Phase 1 SAs.  You should see something like this:

 

Session-id:1196, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id                 Local                Remote     Status         Role
1359671165     192.168.1.1/500         10.0.0.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 
      Life/Active Time: 86400/41217 sec
      Session-id: 1196
      Status Description: Negotiation done
      Local spi: 1A39BEA095440C19       Remote spi: 3C716DF74A83060D
      Local id: 192.168.1.1
      Remote id: 10.0.0.1
      Local req mess id: 157            Remote req mess id: 2
      Local next mess id: 157           Remote next mess id: 2
      Local req queued: 157             Remote req queued: 2
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected  
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.1.0.0/0 - 10.1.0.255/65535
          ESP spi in/out: 0xea59ebfe/0x543c119  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 10.2.0.0/0 - 10.2.0.127/65535
          ESP spi in/out: 0x271f5f7d/0x9253dec3  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

 

There you can see the DPD line saying how it's configured.

 

You can also do a "show isakmp stats | i DPD"  and look at the DPDs sent and received.  Optionally, you can get funky with a "debug crypto isakmp" and watch for DPD messages sent or received.

 

Oddly, LOL, I can't seem to find a magic command on the SRX to show DPD statistics (sent/received, etc.).  Maybe I'm getting too old for this stuff.

-kr


Contributor
Posts: 16
Registered: 01-20-2011

Re: Only ASA cannot initialize VPN to Juniper.

Thanks for the answer and help, I will try tuning these settings.

 

BTW.

"To make your SRX match, set your dead-peer-detection under the ike gateway with threshold 10 and interval 2."

 

On the SRX I can set only threshold 1-5 and interval 10-60.

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: Only ASA cannot initialize VPN to Juniper.


lukibest wrote:

 

On the SRX I can set only threshold 1-5 and interval 10-60.


Yeah, good point.

 

It's confusing that the ASA and SRX do not use the word "threshold" to mean the same thing.

 

In that case, it's a judgement call.  You could set the SRX to 10 seconds and 3 retries, and then set the ASA retry-interval to 10 (since it's locked to a retry count of 3).  That would make them match, at least.  You'd have a possible 40-second max delay before peers were detected dead.

 

If your timers don't match, then the ASA might detect a dead peer faster than the SRX, but if the ASA says "my peer is dead, I'm going to try to re-establish" and the SRX still thinks its peer is alive during that window of 30 seconds or so where they're out of sync, I don't know if the SRX would honor the renegotiate request from the ASA or drop it.  That might have to be tested in a lab to see what happens there.

-kr


Regular Visitor
Posts: 1
Registered: 08-11-2011

Re: Only ASA cannot initialize VPN to Juniper.

Hi everyone,

 

If you use VPN Monitor with third parties, either you disable this functionality or you set the source interface and the destination IP of this check.

 

I have a similar problem with VPN Monitor and I fixed it with that change:

 

vpn VPN {
    bind-interface st0.0;
    vpn-monitor {
        optimized;
        source-interface ge-0/0/1.0;
        destination-ip 10.0.1.2;
    }
}

Take into account that the destination IP must fall within the IP ranges belonging to the encrypted traffic. The source interface will be the source for the VPN Monitor.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10119&smlogin=true

 

Best Regards,

 

Fran

Contributor
Posts: 25
Registered: 02-03-2011

Re: Only ASA cannot initialize VPN to Juniper.

Keith,

 

I've tried turning off DPD in an aggressive mode VPN between an SRX and a Sonicwall TZ100.  The Sonicwall's re-establish attempts do not work unless the SRX considers the peer dead.  I have since turned on "respond bad spi" and have not tested to see if that makes a difference.

 

On the SRX DPD settings...... I thought the interval was the period of time that could pass without seeing traffic before sending a DPD R_U_THERE (assuming "always send" is not turned on), and that the threshold was the number of failed attempts before a "dead peer" state is reached.

Distinguished Expert
Posts: 979
Registered: 09-10-2009

Re: Only ASA cannot initialize VPN to Juniper.


junostim wrote:

 

I've tried turning off DPD in an aggressive mode VPN between an SRX and a Sonicwall TZ100.  The Sonicwall's re-establish attempts do not work unless the SRX considers the peer dead.  I have since turned on "respond bad spi" and have not tested to see if that makes a difference.


"respond bad spi" is dependent upon the remote side sending the "bad spi" message.  Depending on what kind of device it is and how it's configured, this may or may not have a noticeable effect.


On the SRX DPD settings...... I thought the interval was the period of time that could pass without seeing traffic before sending a DPD R_U_THERE (assuming "always send" is not turned on), and that the threshold was the number of failed attempts before a "dead peer" state is reached.


The interval is how long the SRX will wait without seeing incoming traffic on the tunnel before it sends an R_U_THERE.  However, again, this is different on the SRX vs. the ASA.  I have not found any documentation on anything resembling a "retry timer" on the SRX.  The most I have found is that on ScreenOS devices the "retry interval" is the same as the defined interval, and the threshold is the number of failed attempts before the peer is considered "dead."  I'm going under the assumption that the SRX behaves the same as ScreenOS for these purposes.

 

Looking back at my own posts, it looks like I confused even myself.

 

Let's reset and start again.

 

ASA:  threshold: 10 seconds      retry-interval: 10 seconds     Since the ASA is hard-coded to a retry-count of 3, this is a total delay of 40 seconds: the initial 10 second threshold, then 3 retries with a 10 second wait.  After 40 seconds, the peer is "dead."

 

SRX:  interval:  10 seconds, threshold 4     (4 failed attempts, 10 seconds apart, total of possible 40 second delay before peer is "dead")

 

If you want to get more aggressive (and have busy tunnels, otherwise it could cause the tunnels to tear down prematurely) you could try ASA: threshold 5, retry-interval 5, and SRX interval 5, threshold 4.    That would be 20 seconds on both ends.  You could also use "always send" if the tunnels aren't busy.

 

Remember that the ASA and SRX have quite different meanings of "threshold."

 

Unless I've tangled myself up again trying to keep it straight in my head, these settings should at least get the timers to match on both sides.

-kr


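The DPD timer arithmetic laid out in this thread (ASA threshold plus three hard-coded retries on one side, SRX interval times threshold on the other), as an added example that is not code from the thread, from Cisco or from Juniper. It generalises kr's two worked cases into a search for every SRX interval/threshold pair that gives the same dead-peer delay as a given ASA threshold/retry-interval, restricted to the ranges the OP reports the SRX accepts (threshold 1-5, interval 10-60); the ScreenOS-style SRX semantics kr assumes are taken as given.

```python
from typing import List, Tuple

# Constructed example; assumptions taken from the thread, not from vendor docs:
# - the ASA retry count is hard-coded to 3 (4 R-U-THERE attempts in total)
# - the SRX accepts threshold 1-5 and interval 10-60 seconds (per the OP)
# - SRX semantics are ScreenOS-like: one probe per interval, "dead" after
#   `threshold` consecutive failed probes (kr's working assumption)
ASA_RETRY_COUNT = 3
SRX_THRESHOLD_RANGE = range(1, 6)
SRX_INTERVAL_RANGE = range(10, 61)


def asa_dead_peer_delay(threshold: int, retry_interval: int) -> int:
    """Seconds of silence until the ASA declares the peer dead.

    threshold: idle seconds before the first R-U-THERE;
    retry_interval: seconds between each of the 3 hard-coded retries.
    """
    return threshold + ASA_RETRY_COUNT * retry_interval


def srx_dead_peer_delay(interval: int, threshold: int) -> int:
    """Seconds of silence until the SRX declares the peer dead.

    Raises ValueError for values outside the ranges the OP reported, so a
    proposed setting that the SRX would reject is caught before commit.
    """
    if interval not in SRX_INTERVAL_RANGE or threshold not in SRX_THRESHOLD_RANGE:
        raise ValueError(f"SRX rejects interval {interval} / threshold {threshold}")
    return interval * threshold


def matching_srx_settings(asa_threshold: int, asa_retry: int) -> List[Tuple[int, int]]:
    """Every accepted SRX (interval, threshold) pair whose delay equals the ASA's."""
    target = asa_dead_peer_delay(asa_threshold, asa_retry)
    return [
        (interval, threshold)
        for interval in SRX_INTERVAL_RANGE
        for threshold in SRX_THRESHOLD_RANGE
        if interval * threshold == target
    ]


if __name__ == "__main__":
    # The three ASA settings discussed in the thread: its defaults (10/2),
    # kr's "match the SRX" proposal (10/10) and the aggressive variant (5/5).
    for asa in [(10, 2), (10, 10), (5, 5)]:
        print(f"ASA threshold {asa[0]} retry {asa[1]}: "
              f"{asa_dead_peer_delay(*asa)}s -> SRX {matching_srx_settings(*asa)}")
```

The ASA default of threshold 10 / retry 2 works out to 16 seconds, which only interval 16 / threshold 1 matches on the SRX side. The aggressive SRX setting of interval 5 is rejected by the range check because it falls below the 10-second minimum the OP reported.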