SRX

  • 1.  SRX550 2 ASA IKE Error

    Posted 07-17-2014 11:39

    Hi Guys,

    Firstly, sorry if this problem has been asked before, but I could not find it anywhere. I'm trying to set up a S2S VPN to a Cisco ASA. In the log I see INVALID COOKIE. What does it mean for the connection? I've been trying to solve this for 2 days. Any help appreciated.

    Regards


    Jul 17 14:55:31 ssh_ike_connect: Start, remote_name = 1.1.1.1:500, xchg = 2, flags = 00090000
    Jul 17 14:55:31 ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
    Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
    Jul 17 14:55:31 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 00000000, remote = 1.1.1.1:500
    Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - a03b47c8 5695f702}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
    Jul 17 14:55:31 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 00000000, remote = 1.1.1.1:500
    Jul 17 14:55:31 ike_find_pre_shared_key: Find pre shared key key for 2.2.2.2:500, id = ipv4(any:0,[0..3]=2.2.2.2) -> 1.1.1.1:500, id = No Id
    Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - a03b47c8 5695f702}, nego = -1, dst = 1.1.1.1:4500, routing table id = 0
    Jul 17 14:55:31 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 00000000, remote = 1.1.1.1:4500
    Jul 17 14:55:31 2.2.2.2:4500 (Initiator) <-> 1.1.1.1:4500 { c6d2d864 027c5e3f - a03b47c8 5695f702 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 86400 sec, key
    Jul 17 14:55:31 iked_pm_ike_sa_done: local:2.2.2.2, remote:1.1.1.1 IKEv1
    Jul 17 14:55:31 Construction NHTB payload for local:2.2.2.2, remote:1.1.1.1 IKEv1 P1 SA index 7280781 sa-cfg viva-prod-s2s-vpn
    Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - a03b47c8 5695f702}, nego = 0, dst = 1.1.1.1:4500, routing table id = 0
    Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - a03b47c8 5695f702}, nego = 1, dst = 1.1.1.1:4500, routing table id = 0
    Jul 17 14:55:31 IKE SA delete called for p1 sa 7280781 (ref cnt 2) local:2.2.2.2, remote:1.1.1.1, IKEv1
    Jul 17 14:55:32 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 85d8bc35, remote = 1.1.1.1:4500
    Jul 17 14:55:32 ike_get_sa: Invalid cookie, no sa found, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 85d8bc35, remote = 1.1.1.1:4500
    Jul 17 14:55:32 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:4500
    Jul 17 14:55:32 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 7453c9c4, remote = 1.1.1.1:4500
    Jul 17 14:55:32 ike_get_sa: Invalid cookie, no sa found, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 7453c9c4, remote = 1.1.1.1:4500
    Jul 17 14:55:32 unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 1.1.1.1:4500



  • 2.  RE: SRX550 2 ASA IKE Error
    Best Answer

    Posted 07-17-2014 19:15

    Hi Ronnietheengineer,

     

    The logs you provided do not help in identifying the issue.

    Phase 1 is not coming up.

    It looks like there is a NAT device in between.

    When there is a NAT device in between, IKE ID validation will fail.

    Configure the following line to bypass IKE ID validation:

    set security ike gateway gatewayname general-ikeid

    Check if it works.

    Ensure that there are no packet drops for IKE along the path.

    On the SRX, from the CLI (operational mode), try show route x.x.x.x

    x.x.x.x is the peer Cisco VPN address.

    The route should show an interface IP address, and that interface must be configured in the SRX VPN gateway configuration.

    If all these are configured and it is still not coming up, then please share either the complete trace, using request security ike debug-enable local local-ip remote remote-ip level 12 from the CLI prompt, or capture the packets on the external interface and share the pcap file.

    Or you can use the following CLI command: "monitor traffic interface interfacename no-resolve extensive matching udp"

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
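The trace in the question is short enough to read by hand, but the "Invalid cookie, no sa found" pattern is easy to misjudge in a longer level-12 trace, so here is an added example (not from the original thread, not Juniper code) that triages it mechanically. The script parses the iked trace lines quoted in the question, records which ISAKMP cookie pairs the SRX itself negotiated, and then classifies every rejected cookie as either stale (the peer is still sending on a Phase 1 SA that the SRX's own log says it deleted) or foreign (an SA this SRX never negotiated, which is what you would see after a peer reboot or behind a NAT/port-forwarding mismatch). It also reports whether NAT-T (UDP 4500) was in use and flags the 3des-cbc/md5 Phase 1 proposal as legacy. The event names, report fields and verdict wording are this example's own choices; the sample input is the poster's trace with the addresses the poster had already sanitised.

```python
import re

# Trace excerpt quoted from the question above (sample input for this script).
TRACE = """\
Jul 17 14:55:31 ike_init_isakmp_sa: Start, remote = 1.1.1.1:500, initiator = 1
Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - 00000000 00000000}, nego = -1, dst = 1.1.1.1:500, routing table id = 0
Jul 17 14:55:31 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 00000000, remote = 1.1.1.1:500
Jul 17 14:55:31 ike_send_packet: Start, send SA = { c6d2d864 027c5e3f - a03b47c8 5695f702}, nego = -1, dst = 1.1.1.1:4500, routing table id = 0
Jul 17 14:55:31 2.2.2.2:4500 (Initiator) <-> 1.1.1.1:4500 { c6d2d864 027c5e3f - a03b47c8 5695f702 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = 3des-cbc, hash = md5, prf = hmac-md5, life = 0 kB / 86400 sec, key
Jul 17 14:55:31 iked_pm_ike_sa_done: local:2.2.2.2, remote:1.1.1.1 IKEv1
Jul 17 14:55:31 IKE SA delete called for p1 sa 7280781 (ref cnt 2) local:2.2.2.2, remote:1.1.1.1, IKEv1
Jul 17 14:55:32 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 85d8bc35, remote = 1.1.1.1:4500
Jul 17 14:55:32 ike_get_sa: Invalid cookie, no sa found, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 85d8bc35, remote = 1.1.1.1:4500
Jul 17 14:55:32 ike_get_sa: Start, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 7453c9c4, remote = 1.1.1.1:4500
Jul 17 14:55:32 ike_get_sa: Invalid cookie, no sa found, SA = { c6d2d864 027c5e3f - a03b47c8 5695f702 } / 7453c9c4, remote = 1.1.1.1:4500
"""

# "{ iiiiiiii iiiiiiii - rrrrrrrr rrrrrrrr" -> initiator and responder ISAKMP cookies
COOKIES_RE = re.compile(r"\{\s*([0-9a-f]{8}) ([0-9a-f]{8})\s*-\s*([0-9a-f]{8}) ([0-9a-f]{8})")
MSGID_RE = re.compile(r"\}\s*/\s*(?:0x)?([0-9a-f]{8})")          # ISAKMP message ID after the cookie block
PORT_RE = re.compile(r"(?:remote|dst) = [\d.]+:(\d+)")            # peer UDP port (500 or 4500)
P1_RE = re.compile(r"auth_method = ([^,]+), cipher = ([^,]+), hash = ([^,]+)")
LEGACY = {"des-cbc", "3des-cbc", "md5"}                            # algorithms a reviewer should flag today


def parse_trace(text):
    """Turn each iked trace line into a dict: timestamp, event kind, cookie pair, message ID, peer port."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, body = line[:15], line[16:]                            # "Jul 17 14:55:31" is 15 characters
        ev = {"ts": ts, "kind": "other", "cookies": None, "msgid": None, "port": None}
        if m := COOKIES_RE.search(body):
            ev["cookies"] = (m.group(1) + m.group(2), m.group(3) + m.group(4))
        if m := MSGID_RE.search(body):
            ev["msgid"] = m.group(1)
        if m := PORT_RE.search(body):
            ev["port"] = int(m.group(1))
        if "iked_pm_ike_sa_done" in body:
            ev["kind"] = "p1_done"
        elif "IKE SA delete called" in body:
            ev["kind"] = "p1_delete"
        elif "Invalid cookie, no sa found" in body:
            ev["kind"] = "invalid_cookie"
        elif "MESSAGE: Phase 1" in body:
            ev["kind"] = "p1_params"
            if m := P1_RE.search(body):
                ev["auth"], ev["cipher"], ev["hash"] = m.groups()
        events.append(ev)
    return events


def triage(events):
    """Summarise what the trace says about Phase 1 and about the rejected cookies."""
    done = [i for i, e in enumerate(events) if e["kind"] == "p1_done"]
    deleted = [i for i, e in enumerate(events) if e["kind"] == "p1_delete"]
    invalid = [e for e in events if e["kind"] == "invalid_cookie"]
    params = next((e for e in events if e["kind"] == "p1_params"), None)
    # Cookie pairs that appeared on SAs this SRX handled itself (sends, lookups, Phase 1 summary).
    own = {e["cookies"] for e in events if e["cookies"] and e["kind"] != "invalid_cookie"}
    stale = [e for e in invalid if deleted and e["cookies"] in own]   # peer still uses an SA we tore down
    foreign = [e for e in invalid if e["cookies"] not in own]         # an SA we never negotiated
    return {
        "phase1_completed": bool(done),
        "phase1_deleted_after_completion": bool(done and deleted and deleted[0] > done[0]),
        "phase1_deleted_at": events[deleted[0]]["ts"] if deleted else None,
        "nat_t": any(e["port"] == 4500 for e in events),
        "invalid_cookie_count": len(invalid),
        "stale_sa_packets": len(stale),
        "foreign_sa_packets": len(foreign),
        "peer_msgids": sorted({e["msgid"] for e in stale if e["msgid"]}),
        "legacy_algorithms": [params[k] for k in ("cipher", "hash") if params and params.get(k) in LEGACY],
    }


def verdict(report):
    """One-line reading of the report, in the order a practitioner would check."""
    if report["stale_sa_packets"]:
        return (f"the SRX deleted its own Phase 1 SA at {report['phase1_deleted_at']} and the peer kept "
                "sending on it; the cookies are stale, not wrong, so look at the lines just before "
                "'IKE SA delete called' in a level-12 trace to see why the SA was torn down")
    if report["foreign_sa_packets"]:
        return "packets reference an ISAKMP SA this SRX never negotiated (stale peer state, peer restart, or a NAT/port mapping that changed)"
    if not report["phase1_completed"]:
        return "Phase 1 never completed; check proposals, pre-shared key, IKE ID and reachability first"
    return "no cookie problem visible in this trace"


if __name__ == "__main__":
    rep = triage(parse_trace(TRACE))
    for key, value in rep.items():
        print(f"{key}: {value}")
    print(verdict(rep))
```

On the poster's trace the report says Phase 1 completed, the SRX deleted that SA in the same second, and both "Invalid cookie" packets carry the same cookie pair with non-zero message IDs (85d8bc35 and 7453c9c4) from the ASA on UDP 4500: the peer is still working on an SA the SRX no longer holds. The script does not guess why the SA was deleted; that is exactly the part the level-12 trace or a pcap on the external interface, as suggested in the reply, would show.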