Hi All,
I am wondering if anyone could help me with this problem I am having.
I have a Juniper SRX 210 (JunOS 11.4) and a Cisco ASA 5510. I am having VPN drop-out issues. When connected, the VPN works fine without issues; the problem is that it always drops out.
The internet connection at both sites is stable. The Cisco has a bunch of VPNs to other Ciscos without issues and the Juniper SRX has a couple of VPNs to other Juniper SSGs also without issue.
I have tried different dead-peer-detection settings and no-anti-replay (as recommended by JTAC) on the SRX site, with no help.
It seems to be an issue with Phase2. The VPN will reconnect itself after about 5 minutes.
Here are the details:
Y.Y.Y.Y = Juniper SRX Public IP
X.X.X.X = Cisco ASA Public IP
Cisco ASA Config
name Y.Y.Y.Y DALEGROUP_Office_Public
access-list no_nat_inside extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0
access-list l2l_Dalegroup_Office extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0
nat (inside) 0 access-list no_nat_inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map jetvpn 150 match address l2l_Dalegroup_Office
crypto map jetvpn 150 set pfs
crypto map jetvpn 150 set peer DALEGROUP_Office_Public
crypto map jetvpn 150 set transform-set 3des_set ESP-3DES-SHA
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
pre-shared-key *
Juniper SRX Config
IKE
proposal pre-g2-3des-sha1-86400 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}
policy JetOffice {
    mode main;
    proposals pre-g2-3des-sha1-86400;
    pre-shared-key ascii-text "xxx"; ## SECRET-DATA
}
gateway JetOffice {
    ike-policy JetOffice;
    address X.X.X.X;
    dead-peer-detection;
    external-interface at-1/0/0.0;
}
IPSEC
proposal esp-3des-sha1-3600 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
vpn JetVPNTunnel {
    bind-interface st0.1;
    ike {
        gateway JetOffice;
        no-anti-replay;
        proxy-identity {
            local 10.0.0.0/22;
            remote 192.168.0.0/24;
            service any;
        }
        ipsec-policy JetOffice;
    }
    establish-tunnels immediately;
}
policy JetOffice {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals esp-3des-sha1-3600;
}
Juniper SRX Logs
Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:42:47 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:43:27 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:45:12 ike_remove_callback: Start, delete SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 ike_delete_negotiation: Start, SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 ike_free_negotiation_qm: Start, nego = 0
Feb 27 14:45:12 ike_free_negotiation: Start, nego = 0
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 IPSec negotiation failed for SA-CFG JetVPNTunnel for local:Y.Y.Y.Y, remote:X.X.X.X IKEv1. status: Timed out
Feb 27 14:45:12 P2 ed info: flags 0x82, P2 error: Error ok
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
Feb 27 14:45:12 IKEv1 Error : Timeout
Feb 27 14:45:12 IPSec Rekey for SPI 0x0 failed
Feb 27 14:45:12 IPSec SA done callback called for sa-cfg JetVPNTunnel local:Y.Y.Y.Y, remote:X.X.X.X IKEv1 with status Timed out
Thanks for reading!
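As an added example (not part of the original post): a small Python parser that reads SRX IKE log lines like the ones above, counts Quick Mode retransmits per IKE SA cookie pair, measures the time from the first retransmit to the SA being deleted, and flags the "QM; Connection timed out" and "Phase2 failed n/m" markers, so a monitoring job can alert on the rekey-failure pattern before the tunnel is torn down. The embedded sample log is a constructed copy of the posted lines, and the year used for timestamp arithmetic is an assumption (syslog lines carry none).

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the SRX Phase 2 log lines posted above.
SAMPLE_LOG = """\
Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 ike_remove_callback: Start, delete SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
# Initiator and responder IKE cookies, e.g. "SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}"
SA_RE = re.compile(r"SA = \{ ([0-9a-f]{8} [0-9a-f]{8}) - ([0-9a-f]{8} [0-9a-f]{8})\}")
FAIL_RE = re.compile(r"Phase2 failed (\d+)/(\d+) times")


def parse_ts(text, year=2000):
    """Syslog timestamps carry no year; assume one so time arithmetic works."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyse_ike_log(log_text):
    """Count Quick Mode retransmits per IKE SA cookie pair and flag a QM timeout."""
    report = {"sas": {}, "qm_timeout": False, "p2_failures": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        sa = SA_RE.search(msg)
        if sa:
            entry = report["sas"].setdefault(
                f"{sa.group(1)} - {sa.group(2)}",
                {"retransmits": 0, "first_retransmit": None, "deleted": None})
            if msg.startswith("ike_retransmit_callback"):
                entry["retransmits"] += 1
                entry["first_retransmit"] = entry["first_retransmit"] or ts
            elif msg.startswith("ike_remove_callback"):
                entry["deleted"] = ts
        if "QM; Connection timed out" in msg:
            report["qm_timeout"] = True
        f = FAIL_RE.search(msg)
        if f:
            report["p2_failures"] = (int(f.group(1)), int(f.group(2)))
    for entry in report["sas"].values():  # seconds from first retransmit to SA delete
        if entry["first_retransmit"] and entry["deleted"]:
            entry["seconds_to_delete"] = int((entry["deleted"] - entry["first_retransmit"]).total_seconds())
    return report
```

Running analyse_ike_log(SAMPLE_LOG) shows three unanswered retransmits over 145 seconds for the one cookie pair, followed by the QM timeout, which is the same picture the posted log paints line by line.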