SRX Services Gateway
Trusted Contributor
mwdmeyer
Posts: 110
Registered: 03-11-2008

SRX to ASA VPN Dropout

Hi All,

I am wondering if anyone could help me with this problem I am having.

I have a Juniper SRX 210 (JunOS 11.4) and a Cisco ASA 5510. I am having VPN drop-out issues. When connected, the VPN works fine without issues; the problem is that it always drops out.

The internet connection at both sites is stable. The Cisco has a bunch of VPNs to other Ciscos without issues, and the Juniper SRX has a couple of VPNs to other Juniper SSGs, also without issue.

I have tried different dead-peer-detection settings and no-anti-replay (as recommended by JTAC) on the SRX site, with no help.

It seems to be an issue with Phase 2. The VPN will reconnect itself after about 5 minutes.

Here are the details:

Y.Y.Y.Y = Juniper SRX Public IP
X.X.X.X = Cisco ASA Public IP

Cisco ASA Config

name Y.Y.Y.Y DALEGROUP_Office_Public

access-list no_nat_inside extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0 
access-list l2l_Dalegroup_Office extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0 

nat (inside) 0 access-list no_nat_inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto map jetvpn 150 match address l2l_Dalegroup_Office
crypto map jetvpn 150 set pfs 
crypto map jetvpn 150 set peer DALEGROUP_Office_Public 
crypto map jetvpn 150 set transform-set 3des_set ESP-3DES-SHA

tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
 pre-shared-key *

Juniper SRX Config

IKE

    proposal pre-g2-3des-sha1-86400 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }

    policy JetOffice {
        mode main;
        proposals pre-g2-3des-sha1-86400;
        pre-shared-key ascii-text "xxx"; ## SECRET-DATA
    }

    gateway JetOffice {
        ike-policy JetOffice;
        address X.X.X.X;
        dead-peer-detection;
        external-interface at-1/0/0.0;
    }

IPSEC

    proposal esp-3des-sha1-3600 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }

    vpn JetVPNTunnel {
        bind-interface st0.1;
        ike {
            gateway JetOffice;
            no-anti-replay;
            proxy-identity {
                local 10.0.0.0/22;
                remote 192.168.0.0/24;
                service any;
            }
            ipsec-policy JetOffice;
        }
        establish-tunnels immediately;
    }

    policy JetOffice {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals esp-3des-sha1-3600;
    }

Juniper SRX Logs

Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:42:47 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:43:27 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:45:12 ike_remove_callback: Start, delete SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 ike_delete_negotiation: Start, SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 ike_free_negotiation_qm: Start, nego = 0
Feb 27 14:45:12 ike_free_negotiation: Start, nego = 0
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 IPSec negotiation failed for SA-CFG JetVPNTunnel for local:Y.Y.Y.Y, remote:X.X.X.X IKEv1. status: Timed out
Feb 27 14:45:12    P2 ed info: flags 0x82, P2 error: Error ok
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
Feb 27 14:45:12   IKEv1 Error : Timeout
Feb 27 14:45:12 IPSec Rekey for SPI 0x0 failed
Feb 27 14:45:12 IPSec SA done callback called for sa-cfg JetVPNTunnel local:Y.Y.Y.Y, remote:X.X.X.X IKEv1 with status Timed out

Thanks for reading!
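A small triage script for logs like the ones above (an added example, not from the thread or from Juniper): it groups the IKE trace lines by ISAKMP cookie pair and reports any SA whose Quick Mode was retransmitted and then timed out, which is exactly the pattern in this post. The sample lines are a constructed subset of the post's log, and the hint text reflects the fix accepted later in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the SRX IKE trace lines quoted in the post above.
SAMPLE_LOG = """\
Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 IPSec negotiation failed for SA-CFG JetVPNTunnel for local:Y.Y.Y.Y, remote:X.X.X.X IKEv1. status: Timed out
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
"""

# An ISAKMP SA is identified by its initiator/responder cookie pair inside "{ ... }".
SA_RE = re.compile(r"\{\s*([0-9a-f]{8} [0-9a-f]{8}) - ([0-9a-f]{8} [0-9a-f]{8})")
RETRANSMIT_RE = re.compile(r"ike_retransmit_callback: Start, retransmit SA")
QM_TIMEOUT_RE = re.compile(r"\bQM; Connection timed out")
SACFG_RE = re.compile(r"negotiation failed for SA-CFG (\S+) for local:(\S+), remote:(\S+) IKEv1\. status: Timed out")
P2_FAIL_RE = re.compile(r"Phase2 failed (\d+)/(\d+) times for P1 SA (\d+)")

HINT = ("Quick Mode was retransmitted with no reply from the peer. Confirm UDP/500 "
        "reaches the SRX and that the external interface's zone allows "
        "host-inbound-traffic system-services ike (the fix accepted in this thread).")

def analyze_ike_log(text, min_retransmits=2):
    """Return one finding per ISAKMP SA whose Quick Mode (Phase 2) exchange was
    retransmitted at least min_retransmits times and then timed out."""
    retransmits = defaultdict(int)  # cookie pair -> QM retransmit count
    timed_out = []                  # cookie pairs that hit the QM timeout
    context = {}                    # tunnel name, addresses and P2 failure counter
    for line in text.splitlines():
        m = SA_RE.search(line)
        sa = f"{m.group(1)} - {m.group(2)}" if m else None
        if sa and RETRANSMIT_RE.search(line):
            retransmits[sa] += 1
        elif sa and QM_TIMEOUT_RE.search(line):
            timed_out.append(sa)
        elif (m := SACFG_RE.search(line)):
            context["vpn"], context["local"], context["peer"] = m.group(1, 2, 3)
        elif (m := P2_FAIL_RE.search(line)):
            context["p2_failures"] = f"{m.group(1)}/{m.group(2)}"
    return [
        {"sa": sa, "retransmits": retransmits[sa], "hint": HINT, **context}
        for sa in timed_out if retransmits[sa] >= min_retransmits
    ]

if __name__ == "__main__":
    for finding in analyze_ike_log(SAMPLE_LOG):
        print(finding)
```

Feed it the output of the SRX's IKE traceoptions file; a retransmit that was answered (no QM timeout for that cookie pair) produces no finding.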

Contributor
Satya1
Posts: 17
Registered: 01-17-2011

Re: SRX to ASA VPN Dropout

Hello,

I had a similar issue; adding host-inbound-traffic system-services ike on the external/untrust interface solved the VPN connection drop issue. Can you please check if you have ike inbound allowed on the SRX?

Regards,

Satya

Trusted Contributor
mwdmeyer
Posts: 110
Registered: 03-11-2008

Re: SRX to ASA VPN Dropout

Hi Satya,

Thanks for the tip. This was not added, so I have added it and let's see how it goes.

Thanks,

Michael.

Trusted Contributor
mwdmeyer
Posts: 110
Registered: 03-11-2008

Re: SRX to ASA VPN Dropout

It is still working, so it looks good. Thanks for your help!

New User
Harika
Posts: 2
Registered: 04-19-2012

Re: SRX to ASA VPN Dropout

I saw the same issue and this forum helped. +1
