03-13-2012 02:16 AM - edited 03-13-2012 06:39 AM
Hello
We are trying to connect a Cisco ASA to an SRX240: 3 subnets, route-based. We have connectivity (ping) between the subnets, but when the connection drops the ASA cannot initialize the connection, only the Juniper can. Any idea?
SRX config (with only one subnet right now):
st0 {
    description VPN1;
    unit 0 {
        family inet;
    }
    unit 1 {
        description VPN2;
        family inet;
    }
    unit 2 {
        family inet;
    }
    unit 3 {
        family inet;
    }
}
security {
    ike {
        traceoptions {
            file size 5m;
            flag all;
        }
        proposal ike-proposal-IT {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-policy1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA
        }
        policy IKEtoIT {
            mode main;
            proposals ike-proposal-IT;
            pre-shared-key ascii-text "xxxxxxxxx"; ## SECRET-DATA
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            address xx.xx.xx.xx;
            external-interface ge-0/0/14;
        }
        gateway IT-gate {
            ike-policy IKEtoIT;
            address xx.xx.xx.xx;
            dead-peer-detection;
            external-interface ge-0/0/14;
        }
    }
    ipsec {
        traceoptions {
            flag all;
        }
        proposal ipsec-proposal-IT {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy vpn-policy1 {
            proposal-set standard;
        }
        policy vpn-policy-IT {
            proposals ipsec-proposal-IT;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
        }
        vpn ike-vpn-IT2 {
            bind-interface st0.1;
            ike {
                gateway IT-gate;
                proxy-identity {
                    local 10.10.0.0/16;
                    remote 172.7.0.0/24;
                    service any;
                }
                ipsec-policy vpn-policy-IT;
            }
            establish-tunnels immediately;
        }
    }
}
Cisco config:
name 172.7.0.0 LOC
name 10.10.0.0 REM
access-list VPN_It extended permit ip LOC 255.255.255.0 10.10.0.0 255.255.0.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df OUTSIDE
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto map OUTSIDE_VPN 1 match address VPN_It
crypto map OUTSIDE_VPN 1 set peer xx.xx.xx.xx
crypto map OUTSIDE_VPN 1 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_VPN 1 set nat-t-disable
tunnel-group xx.xxx.xx.xx type ipsec-l2l
tunnel-group xx.xxx.xx.xx ipsec-attributes
 pre-shared-key xxxxx
 isakmp keepalive disable
and the kmd logs when we restart the ASA.
03-13-2012 06:26 AM
and when I run
clear security ike security-associations
clear security ipsec security-associations
and restart the VPN on the ASA, then there is no problem initializing the VPN from the ASA side. Can someone help me?
03-13-2012 07:06 AM
Hi,
Can you check and confirm that IKE is enabled under host-inbound services for the security zone that ge-0/0/14 is bound to.
Hope this helps.
Regards,
Visitor
03-13-2012 08:33 AM
Yes, IKE is enabled. I have a second VPN connection (st0.0) with another SRX and it works all the time. Any idea?
03-14-2012 08:40 AM
Hello,
You will have to define security policies from the vpn zone to the trust (or destination) zone to initiate the tunnel from the Cisco ASA.
set security zones security-zone vpn interfaces st0.1
from-zone vpn to-zone trust {
    policy vpn2tr {
        match {
            source-address 172.7.0.0/24;
            destination-address 10.10.0.0/16;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
}
03-16-2012 02:10 AM
The problem is in the VPN sessions: when the tunnel is down the Juniper keeps the old session. I set up
vpn-monitor-options {
    interval 3;
    threshold 5;
}
and now the ASA can initiate the connection, but sometimes, before the ASA initiates the connection, I receive the error
Failed to match the peer proxy ids: p2_remote=ipv4_subnet(any:0,[0..7]=172.7.0.0/24) p2_local=ipv4_subnet(any:0,[0..7]=10.10.0.0/16) with the configured proxy ids: remote=ipv4_subnet(any:0,[0..7]=172.7.0.0/24) local=ipv4_subnet(any:0,[0..7]=10.10.)
Any ideas?
03-16-2012 10:29 AM
Juniper and Cisco do not use the same default timeouts for IKE/ISAKMP (Phase 1) or IPsec (Phase 2).
Cisco uses a default ISAKMP lifetime of 86400 seconds (24 hours) and IPsec lifetime of 28800 seconds (8 hours).
The SRX uses a default IKE (ISAKMP) lifetime of 28800 seconds (8 hours) and IPsec lifetime of 3600 seconds (1 hour).
If / when these don't match on the two ends of a VPN tunnel, there can be situations where the tunnel state is out of sync. One side might think there are established SAs for a tunnel, the other side does not. I would suggest you tune the timeouts to match on both sides and see if that helps clear up the issues you are seeing.
03-21-2012 12:55 AM
Thanks for the help.
I think you are right. I set the lifetime like on the Cisco and it's much better, but still not perfect. Every 8h I have a 10 min break before the Juniper creates the tunnel again, and the Juniper is always the initiator. Should I tune the lifetime again? It will then be different from the Cisco.
Any idea?
03-21-2012 10:50 AM
A couple of ideas...
1. Disable vpn-monitor on your SRX side. vpn-monitor is a Juniper proprietary protocol; the ASA is not going to understand it and is just going to drop the monitor packets.
2. Enable DPD (Dead Peer Detection) on the ASA. You have it enabled on your SRX with the default settings, which are interval 10 seconds and threshold 5. On the ASA, the defaults are 10 seconds and interval 2. You can set the interval/threshold on the ASA to match the SRX, or you can set the SRX to match the ASA defaults.
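Added example (not code from any poster in this thread): a small Python checker that reads the proxy IDs, lifetimes and DPD settings off the two configs posted above and reports every parameter the two sides disagree on, filling in the platform defaults quoted in the lifetime reply and the DPD reply wherever a side leaves a value unset. The ASA snippet is a constructed excerpt of the posted config, and the default values are assumptions taken from this thread rather than from vendor documentation.

```python
import ipaddress
import re

# Defaults as quoted in this thread (assumption: ASA keepalive is really "threshold 10 retry 2",
# mapped onto interval/threshold here the way the DPD reply does; verify on your own releases).
SRX_DEFAULTS = {"ike_lifetime": 28800, "ipsec_lifetime": 3600, "dpd_interval": 10, "dpd_threshold": 5}
ASA_DEFAULTS = {"ike_lifetime": 86400, "ipsec_lifetime": 28800, "dpd_interval": 10, "dpd_threshold": 2}
# Constructed excerpt of the ASA config posted in the thread.
ASA_SNIPPET = """\
name 172.7.0.0 LOC
name 10.10.0.0 REM
access-list VPN_It extended permit ip LOC 255.255.255.0 10.10.0.0 255.255.0.0
"""
def parse_asa_crypto_acl(config_text):
    """Resolve 'name' labels and return the crypto ACL's (source, destination) networks."""
    label_to_addr = {label: addr for addr, label in re.findall(r"^name (\S+) (\S+)", config_text, re.M)}
    m = re.search(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", config_text, re.M)
    src, smask, dst, dmask = m.groups()  # AttributeError if no crypto ACL is present
    src, dst = label_to_addr.get(src, src), label_to_addr.get(dst, dst)
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def dpd_timers(side, defaults):
    dpd = side.get("dpd")  # None = disabled; {} or a partial dict = enabled, absent timers take the platform default
    return None if dpd is None else (dpd.get("interval", defaults["dpd_interval"]),
                                     dpd.get("threshold", defaults["dpd_threshold"]))

def check_peers(srx, asa):
    """List every negotiation parameter that differs between the SRX side and the ASA side."""
    findings = []
    # Proxy IDs: the SRX local/remote pair must mirror the ASA crypto ACL destination/source pair.
    if srx["local"] != asa["dst"] or srx["remote"] != asa["src"]:
        findings.append(f"proxy-id mismatch: SRX {srx['local']}->{srx['remote']} vs ASA {asa['src']}->{asa['dst']}")
    for key in ("ike_lifetime", "ipsec_lifetime"):
        s, a = srx.get(key, SRX_DEFAULTS[key]), asa.get(key, ASA_DEFAULTS[key])
        if s != a:
            findings.append(f"{key} mismatch: SRX {s}s vs ASA {a}s")
    s_dpd, a_dpd = dpd_timers(srx, SRX_DEFAULTS), dpd_timers(asa, ASA_DEFAULTS)
    if (s_dpd is None) != (a_dpd is None):
        findings.append("DPD enabled on one side only")
    elif s_dpd != a_dpd:
        findings.append(f"DPD timers differ: SRX {s_dpd} vs ASA {a_dpd}")
    return findings

def thread_example():
    # Values read off the two configs posted above; SRX ipsec lifetime and ASA DPD are left at their defaults.
    asa_src, asa_dst = parse_asa_crypto_acl(ASA_SNIPPET)
    srx = {"local": ipaddress.ip_network("10.10.0.0/16"), "remote": ipaddress.ip_network("172.7.0.0/24"),
           "ike_lifetime": 86400, "dpd": {}}  # 'dead-peer-detection;' with no timers set
    asa = {"src": asa_src, "dst": asa_dst, "ike_lifetime": 86400, "ipsec_lifetime": 28800, "dpd": None}
    return check_peers(srx, asa)
```

Run against the posted configs it reports exactly the two gaps the replies above point at: the Phase 2 lifetime (SRX default 3600 s against the ASA's 28800 s) and DPD being on only on the SRX.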
03-21-2012 11:56 PM
"On the ASA, the defaults are 10 seconds and interval 2."
Interval 10 right ?
I disabled monitoring and set up DPD, and the break now takes much more time. Any other ideas?