SRX Services Gateway
Posts: 103
Registered: 09-21-2010
0 Kudos


To all

There is one weird problem I am facing: when the remote-end ASA initiates the VPN, my VPN establishes, but if I try to initiate the VPN it doesn't.

What would be the reason? Can anyone know? It's a site-to-site VPN.






Posts: 90
Registered: 11-10-2010
0 Kudos


You should enable IKE trace and also check on the ASA what the error messages related to this VPN tunnel are. Can you post the output of "show security ike security-associations" and "show security ipsec security-associations" when the tunnel is established and when the tunnel doesn't come up? Can you also post your ASA VPN config and SRX VPN config?
Distinguished Expert
Posts: 979
Registered: 09-10-2009
0 Kudos


This is because Cisco ASAs are less tolerant of mismatched proxy IDs than Juniper boxes are.


Juniper boxes will accept a proxy ID that is a match, or a superset of a match.  Cisco boxes will only accept an exact match.


So, if you have a proxy ID on your Juniper side of and the Cisco side is, then if the Cisco side initiates that tunnel your Juniper will accept that and build the SA. If the Juniper tries to initiate, the Cisco will deny it because it's not an exact match.


You need to make sure your proxy IDs are carefully set on both ends. Cisco devices build their proxy IDs using their ACL entries, so, for policy-based VPN on your Juniper, that means building a separate policy (or pair of policies, for bi-directional VPNs) to exactly match each line of the ACL entries on the ASA side.


If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
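An added example, not code from the thread or from either vendor: it models the matching rule described in the reply above on constructed sample subnets. The assumption is that the Juniper responder accepts an exact match or a proposal that falls inside its configured (superset) proxy IDs, while the Cisco responder accepts an exact match only; it then applies the suggested fix of mirroring the ASA ACL line on the SRX.

```python
from ipaddress import ip_network

# Constructed sample configuration, not from the thread:
# the SRX side uses broad /16 proxy IDs, the ASA's crypto ACL is /24-specific.
SRX_IDS = {"local": "10.1.0.0/16", "remote": "192.168.0.0/16"}
ASA_IDS = {"local": "192.168.5.0/24", "remote": "10.1.20.0/24"}


def responder_accepts(vendor, configured, proposed):
    """Does a responder with `configured` proxy IDs accept the initiator's
    `proposed` pair?  Each pair is {"local": net, "remote": net} from the
    owner's own point of view, so the initiator's remote is our local.

    juniper: accept an exact match or a proposal that falls inside the
             configured (superset) IDs (assumed reading of the reply).
    cisco:   accept an exact match only.
    """
    cfg_local, cfg_remote = ip_network(configured["local"]), ip_network(configured["remote"])
    got_local, got_remote = ip_network(proposed["remote"]), ip_network(proposed["local"])
    if vendor == "cisco":
        return got_local == cfg_local and got_remote == cfg_remote
    if vendor == "juniper":
        # subnet_of() is true for an equal network as well as a narrower one
        return got_local.subnet_of(cfg_local) and got_remote.subnet_of(cfg_remote)
    raise ValueError(f"unknown vendor {vendor!r}")


def tunnel_outcomes(srx_ids, asa_ids):
    """Return whether phase 2 completes for each initiating side."""
    return {
        "asa_initiates": responder_accepts("juniper", srx_ids, asa_ids),
        "srx_initiates": responder_accepts("cisco", asa_ids, srx_ids),
    }


def srx_ids_matching_acl(asa_ids):
    """The fix from the reply: give the SRX proxy IDs that mirror the ASA ACL
    line exactly (local/remote swapped to the SRX's point of view)."""
    return {"local": asa_ids["remote"], "remote": asa_ids["local"]}


if __name__ == "__main__":
    print("as configured:", tunnel_outcomes(SRX_IDS, ASA_IDS))
    print("after fix:    ", tunnel_outcomes(srx_ids_matching_acl(ASA_IDS), ASA_IDS))
```

Running it reproduces the one-directional symptom from the question (only the ASA-initiated tunnel succeeds) and shows both directions succeeding once the SRX proxy IDs equal the ACL line.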