SRX Services Gateway

mwdmeyer (Trusted Contributor)

SRX to ASA VPN Dropout

Hi All,

I am wondering if anyone could help me with this problem I am having.

I have a Juniper SRX 210 (JunOS 11.4) and a Cisco ASA 5510. I am having VPN dropout issues. When connected, the VPN works fine without issues; the problem is that it always drops out.

The internet connection at both sites is stable. The Cisco has a bunch of VPNs to other Ciscos without issues, and the Juniper SRX has a couple of VPNs to other Juniper SSGs, also without issue.

I have tried different dead-peer-detection settings and no-anti-replay (as recommended by JTAC) on the SRX side, with no help.

It seems to be an issue with Phase 2. The VPN will reconnect itself after about 5 minutes.

Here are the details:

Y.Y.Y.Y = Juniper SRX Public IP
X.X.X.X = Cisco ASA Public IP

Cisco ASA Config

name Y.Y.Y.Y DALEGROUP_Office_Public

access-list no_nat_inside extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0 
access-list l2l_Dalegroup_Office extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0 

nat (inside) 0 access-list no_nat_inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto map jetvpn 150 match address l2l_Dalegroup_Office
crypto map jetvpn 150 set pfs 
crypto map jetvpn 150 set peer DALEGROUP_Office_Public 
crypto map jetvpn 150 set transform-set 3des_set ESP-3DES-SHA

tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y ipsec-attributes
 pre-shared-key *

Juniper SRX Config

IKE

    proposal pre-g2-3des-sha1-86400 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 86400;
    }

    policy JetOffice {
        mode main;
        proposals pre-g2-3des-sha1-86400;
        pre-shared-key ascii-text "xxx"; ## SECRET-DATA
    }

    gateway JetOffice {
        ike-policy JetOffice;
        address X.X.X.X;
        dead-peer-detection;
        external-interface at-1/0/0.0;
    }

IPSEC

    proposal esp-3des-sha1-3600 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }

    vpn JetVPNTunnel {
        bind-interface st0.1;
        ike {
            gateway JetOffice;
            no-anti-replay;
            proxy-identity {
                local 10.0.0.0/22;
                remote 192.168.0.0/24;
                service any;
            }
            ipsec-policy JetOffice;
        }
        establish-tunnels immediately;
    }

    policy JetOffice {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals esp-3des-sha1-3600;
    }

Juniper SRX Logs

Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:42:47 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:43:27 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:45:12 ike_remove_callback: Start, delete SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 ike_delete_negotiation: Start, SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 ike_free_negotiation_qm: Start, nego = 0
Feb 27 14:45:12 ike_free_negotiation: Start, nego = 0
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 ike_free_id_payload: Start, id type = 4
Feb 27 14:45:12 IPSec negotiation failed for SA-CFG JetVPNTunnel for local:Y.Y.Y.Y, remote:X.X.X.X IKEv1. status: Timed out
Feb 27 14:45:12    P2 ed info: flags 0x82, P2 error: Error ok
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
Feb 27 14:45:12   IKEv1 Error : Timeout
Feb 27 14:45:12 IPSec Rekey for SPI 0x0 failed
Feb 27 14:45:12 IPSec SA done callback called for sa-cfg JetVPNTunnel local:Y.Y.Y.Y, remote:X.X.X.X IKEv1 with status Timed out

 

Thanks for reading! 
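A way to triage a trace like the one above mechanically. This is an added example by the editor, not part of the original post and not a Juniper tool: it groups an SRX `ike` trace by ISAKMP cookie pair, counts retransmits, records which exchange timed out and which SA-CFG it belonged to, and turns that into the next thing to check. The embedded trace is a trimmed copy of the lines posted (same cookies, placeholders and SA-CFG name); the reading in `diagnose()` (a Quick Mode timeout after repeated retransmits means Phase 1 completed but the peer never answered Phase 2, so look at what the SRX accepts inbound and what selectors the peer expects) is the editor's, not the poster's.

```python
import re
from typing import Dict

# Constructed sample: a trimmed copy of the trace posted above (cookies, peer
# placeholders and SA-CFG name kept as posted).
SAMPLE_TRACE = """\
Feb 27 14:42:47 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:42:47 ike_send_packet: Start, retransmit previous packet SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0, dst = X.X.X.X:500 routing table id = 0
Feb 27 14:43:27 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:44:48 ike_retransmit_callback: Start, retransmit SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 ike_remove_callback: Start, delete SA = { 3b89df0f e2864d32 - 34d0af27 6fd7a2af}, nego = 0
Feb 27 14:45:12 <none>:500 (Initiator) <-> X.X.X.X:500 { 3b89df0f e2864d32 - 34d0af27 6fd7a2af [0] / 0x6f3d4fb0 } QM; Connection timed out or error, calling callback
Feb 27 14:45:12 IPSec negotiation failed for SA-CFG JetVPNTunnel for local:Y.Y.Y.Y, remote:X.X.X.X IKEv1. status: Timed out
Feb 27 14:45:12 iked_pm_ipsec_sa_done: Phase2 failed 2/3 times for P1 SA 6695516
"""

COOKIE_RE = re.compile(r"\{ ([0-9a-f]{8} [0-9a-f]{8}) - ([0-9a-f]{8} [0-9a-f]{8})")
TIMEOUT_RE = re.compile(r"\((Initiator|Responder)\) <-> (\S+):\d+ \{.*?\} (\w+); Connection timed out")
FAILED_RE = re.compile(r"IPSec negotiation failed for SA-CFG (\S+) for local:(\S+), remote:(\S+) IKEv1\. status: (.+)$")
P2_RE = re.compile(r"Phase2 failed (\d+)/(\d+) times for P1 SA (\d+)")


def parse_ike_trace(text: str) -> Dict[str, dict]:
    """Group an SRX IKE trace by ISAKMP cookie pair and extract the facts that matter."""
    sas: Dict[str, dict] = {}
    last_key = None
    for line in text.splitlines():
        m = COOKIE_RE.search(line)
        if m:
            last_key = f"{m.group(1)} - {m.group(2)}"
            sa = sas.setdefault(last_key, {"retransmits": 0, "role": None, "peer": None,
                                           "exchange": None, "sa_cfg": None,
                                           "status": None, "p2_failed": None})
            if "ike_retransmit_callback" in line:
                sa["retransmits"] += 1
            t = TIMEOUT_RE.search(line)
            if t:
                sa["role"], sa["peer"], sa["exchange"] = t.group(1), t.group(2), t.group(3)
            continue
        # iked_pm_* summary lines carry no cookies; they follow the SA they describe.
        if last_key is None:
            continue
        sa = sas[last_key]
        f = FAILED_RE.search(line)
        if f:
            sa["sa_cfg"], sa["status"] = f.group(1), f.group(4).strip()
        p = P2_RE.search(line)
        if p:
            sa["p2_failed"] = (int(p.group(1)), int(p.group(2)), p.group(3))
    return sas


def diagnose(sa: dict) -> str:
    """Turn one SA summary into the next thing to check (the editor's reading of the trace)."""
    if sa["exchange"] == "QM" and sa["status"] == "Timed out":
        return (f"Quick Mode to {sa['peer']} timed out after {sa['retransmits']} retransmits: "
                "Phase 1 was up but the peer never answered Phase 2. Confirm the SRX external "
                "interface's zone permits inbound IKE (host-inbound-traffic system-services ike) "
                "and that the proxy-IDs mirror the peer's crypto ACL.")
    if sa["status"] == "Timed out":
        return f"{sa['exchange']} exchange to {sa['peer']} timed out before Phase 2 started."
    return "No timeout recorded for this SA."


if __name__ == "__main__":
    for key, sa in parse_ike_trace(SAMPLE_TRACE).items():
        print(key, sa["sa_cfg"], sa["p2_failed"])
        print(" ", diagnose(sa))
```

Feed it the output of `show log` for the file your `security ike traceoptions` writes to; each cookie pair becomes one entry, so a tunnel that flaps every few minutes shows up as a series of SAs that each reach `Phase2 failed N/3 times` and then get deleted.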

Satya1 (Contributor)

Re: SRX to ASA VPN Dropout

Hello,

I had a similar issue; adding host-inbound-traffic system-services ike on the external/untrust interface solved the VPN connection drop issue. Can you please check whether you have IKE inbound allowed on the SRX?

Regards

Satya
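The check Satya suggests, as an added configuration audit written by the editor (not from the post and not a Juniper tool): it reads an SRX configuration in `set` format, finds the external interface of every IKE gateway, and reports whether the zone holding that interface (or an interface-level list, which Junos applies instead of the zone list for that interface) permits `ike` under host-inbound-traffic, printing the exact `set` command to add when it does not. The sample configuration is constructed to match the gateway and external interface posted above; the zone name `untrust` is an assumption, since the original post does not show its zone configuration.

```python
import re
from typing import Dict, List, Set

GW_IF_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IF_SVC_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic system-services (\S+)$")

# Constructed sample in set format, mirroring the gateway and external interface
# posted above; the zone name 'untrust' is an assumption (the post does not show
# its zone configuration). Inbound IKE is deliberately missing on that zone.
BROKEN_CONFIG = """
set security ike gateway JetOffice ike-policy JetOffice
set security ike gateway JetOffice address X.X.X.X
set security ike gateway JetOffice dead-peer-detection
set security ike gateway JetOffice external-interface at-1/0/0.0
set security zones security-zone untrust interfaces at-1/0/0.0
set security zones security-zone untrust interfaces st0.1
set security zones security-zone trust host-inbound-traffic system-services all
"""


def audit_inbound_ike(config: str) -> List[dict]:
    """For every IKE gateway, report whether its external interface accepts inbound IKE."""
    gw_if: Dict[str, str] = {}
    zone_of_if: Dict[str, str] = {}
    zone_svcs: Dict[str, Set[str]] = {}
    if_svcs: Dict[str, Set[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GW_IF_RE.match(line):
            gw_if[m[1]] = m[2]
        elif m := ZONE_IF_RE.match(line):
            zone_of_if[m[2]] = m[1]
        elif m := ZONE_SVC_RE.match(line):
            zone_svcs.setdefault(m[1], set()).add(m[2])
        elif m := IF_SVC_RE.match(line):
            zone_of_if[m[2]] = m[1]
            if_svcs.setdefault(m[2], set()).add(m[3])
        # The 'system-services ike except' exclusion form is not modelled here.
    findings = []
    for gw, ifl in gw_if.items():
        zone = zone_of_if.get(ifl)
        # Junos applies an interface-level host-inbound-traffic list instead of the
        # zone-level list for that interface, so use the interface list when present.
        svcs = if_svcs[ifl] if ifl in if_svcs else zone_svcs.get(zone, set())
        allowed = zone is not None and bool(svcs & {"ike", "all"})
        findings.append({
            "gateway": gw, "interface": ifl, "zone": zone, "ike_allowed": allowed,
            "fix": None if allowed else (
                f"set security zones security-zone {zone or '<zone>'} interfaces {ifl} "
                "host-inbound-traffic system-services ike"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_inbound_ike(BROKEN_CONFIG):
        print(finding)
```

Run it over `show configuration | display set` output. The interface-level form is used for the fix because it opens IKE only on the interface the gateway actually uses rather than on every interface in the zone.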

 

mwdmeyer (Trusted Contributor)

Re: SRX to ASA VPN Dropout

Hi Satya,

Thanks for the tip. This was not added, so I have added it; let's see how it goes.

Thanks,

Michael.

mwdmeyer (Trusted Contributor)

Re: SRX to ASA VPN Dropout

It is still working, so it looks good. Thanks for your help!

Harika (New User)

Re: SRX to ASA VPN Dropout

I saw the same issue and this forum helped. +1

burak@bntpro.com (Visitor)

Re: SRX to ASA VPN Dropout

I have exactly this issue right now.

Host-inbound IKE is already defined correctly, but Phase 2 is still down; Phase 1 is up.

My firewall is an SRX240; the other site is a FortiGate firewall.

Mine is route-based; the other site is policy-based.

I also receive this warning:

Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg....

Please help.

burak@bntpro.com (Visitor)

Re: SRX to ASA VPN Dropout

I have exactly the same issue and my problem could not be solved. I have already defined host-inbound IKE on the external interface.

Do you have any idea?

May 24 20:26:46 <none>:500 (Initiator) <-> 46.234.x.x:500 { ad6d7c11 06323531 - b64f8a4b 0d53f63f [0] / 0xc9a9c54d } QM; Connection timed out or error, calling callback
May 24 20:26:46 ike_delete_negotiation: Start, SA = { ad6d7c11 06323531 - b64f8a4b 0d53f63f}, nego = 0
May 24 20:26:46 ike_free_negotiation_qm: Start, nego = 0
May 24 20:26:46 ike_free_negotiation: Start, nego = 0
May 24 20:26:46 ike_free_id_payload: Start, id type = 1
May 24 20:26:46 ike_free_id_payload: Start, id type = 4
May 24 20:26:46 IPSec negotiation failed for SA-CFG ipsec-vpn-BANK for local:212.156.x.x, remote:46.234.x.x IKEv1. status: Timed out
May 24 20:26:46 P2 ed info: flags 0x82, P2 error: Error ok
May 24 20:26:46 iked_pm_ipsec_sa_done: Phase2 failed 1/3 times for P1 SA 2369633
May 24 20:26:46 IKEv1 Error : Timeout
May 24 20:26:46 IPSec Rekey for SPI 0x0 failed
May 24 20:26:46 IPSec SA done callback called for sa-cfg ipsec-vpn-BANK local:212.156.x.x, remote:46.234.x.x IKEv1 with status Timed out
May 24 20:26:46 iked_pm_ike_spd_notify_request: Sending Initial contact
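For the route-based-to-policy-based case burak describes, and equally for the SRX-to-ASA configuration at the top of the thread, the other Phase 2 precondition worth checking once inbound IKE is allowed is that the policy-based peer's crypto ACL is the exact mirror of the SRX proxy-identity: peer source equals SRX remote, peer destination equals SRX local, with the same prefix lengths. This is an added example by the editor, not from any post: it resolves the ASA `name` objects, parses the crypto ACL and the SRX proxy-identity, and lists every selector that does not mirror. The ACL and proxy-identity are the ones posted; the two `name` values for JET_Head_Private and DALEGROUP_Office_Private are assumptions chosen to match the posted proxy-identity (the original post does not show them), and a second, deliberately mismatched ACL is constructed to show what a failure looks like. FortiGate Phase 2 selectors are not parsed here; the same mirror rule applies to them.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]

NAME_RE = re.compile(r"^name (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
PROXY_RE = re.compile(r"^\s*(local|remote) (\S+);")

# Constructed sample. The access-list is the one posted above; the two 'name'
# values are an assumption (the post does not show them) chosen to match the
# SRX proxy-identity, as a correctly mirrored pair would.
ASA_GOOD = """
name 192.168.0.0 JET_Head_Private
name 10.0.0.0 DALEGROUP_Office_Private
access-list l2l_Dalegroup_Office extended permit ip JET_Head_Private 255.255.255.0 DALEGROUP_Office_Private 255.255.252.0
"""
# Same ACL, but the peer believes the SRX side is a /24: a classic Phase 2 mismatch.
ASA_BAD = ASA_GOOD.replace("DALEGROUP_Office_Private 255.255.252.0",
                           "DALEGROUP_Office_Private 255.255.255.0")

# The proxy-identity block from the posted SRX vpn.
SRX_VPN = """
    proxy-identity {
        local 10.0.0.0/22;
        remote 192.168.0.0/24;
        service any;
    }
"""


def parse_asa_crypto_acl(asa_config: str, acl_name: str) -> List[Selector]:
    """Resolve 'name' objects and return (source, destination) networks of one crypto ACL."""
    names: Dict[str, str] = {}
    entries: List[Selector] = []
    for raw in asa_config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]
        elif (m := ACL_RE.match(line)) and m[1] == acl_name:
            src = ipaddress.ip_network(f"{names.get(m[2], m[2])}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(m[4], m[4])}/{m[5]}", strict=False)
            entries.append((src, dst))
    return entries


def parse_srx_proxy_identity(vpn_config: str) -> Selector:
    """Return (local, remote) networks from an SRX proxy-identity block."""
    ids: Dict[str, Net] = {}
    for line in vpn_config.splitlines():
        if m := PROXY_RE.match(line):
            ids[m[1]] = ipaddress.ip_network(m[2], strict=False)
    return ids["local"], ids["remote"]


def check_mirror(peer_entries: List[Selector], srx_local: Net, srx_remote: Net) -> List[str]:
    """IKEv1 Quick Mode only succeeds when the policy-based peer's selector is the exact
    mirror of the SRX proxy-identity: peer source == SRX remote, peer destination == SRX local."""
    expected = (srx_remote, srx_local)
    problems: List[str] = []
    if expected not in peer_entries:
        problems.append(f"peer lacks 'permit ip {srx_remote} {srx_local}' mirroring "
                        f"SRX local {srx_local} remote {srx_remote}")
    for src, dst in peer_entries:
        if (src, dst) != expected:
            problems.append(f"peer entry {src} -> {dst} matches no SRX proxy-identity "
                            f"(SRX would need a proxy-identity local {dst} remote {src})")
    return problems


if __name__ == "__main__":
    local, remote = parse_srx_proxy_identity(SRX_VPN)
    for label, cfg in (("good", ASA_GOOD), ("bad", ASA_BAD)):
        found = check_mirror(parse_asa_crypto_acl(cfg, "l2l_Dalegroup_Office"), local, remote)
        print(label, found or "mirrored")
```

A route-based vpn on the Junos 11.4 release used here carries a single proxy-identity, so every additional ACE on the peer's crypto ACL that this reports needs its own SRX vpn with the matching proxy-identity.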

Red1 (Super Contributor)

Re: SRX to ASA VPN Dropout

Hi Satya,

Enabling ike under host-inbound-traffic system-services of the external interface is a mandatory step when configuring a VPN; if it is not defined, IPsec Phase 1 will never establish.

Regards

Red1

Red1 (Super Contributor)

Re: SRX to ASA VPN Dropout

Dears,

I faced this kind of issue when establishing an IPsec VPN between PIX and Netscreen firewalls 7 years ago, and the only solution that saved me was to use manual keys. It is not recommended for security reasons, but you can test it to make sure whether the problem is due to an interoperability issue or something else.

Regards

Red1

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.