Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  GRE tunnel between SSG and Cisco device

    Posted 02-26-2015 00:41

    Hello,

     

    I am able to create a GRE tunnel between two SSGs, but I cannot get it working with a 3rd-party device (Cisco). Are there any limitations on zones when connecting 3rd-party devices? Does it have to be in the untrust zone? I have found a couple of discussions where they say that connecting an SSG and a Cisco is a no-brainer, but I can't find the problem.

    Can anyone tell me whether there are any best practices or configurations, for example for MTUs and so on? Now I'm trying to end the tunnel on the same subinterface where another tunnel to the second SSG is already ended. Is that possible?

     

    On the Cisco side I have restricted the MTU to 1400 and used ip tcp adjust-mss 1360.

    On the Juniper side I used just MTU 1400. (On the Cisco side, the tunnel interface still says after configuration that the MTU is 1476, but sh ip int tun x shows the correct MTU.)

     

    I also tried with and without keepalives and tunnel keys on both ends.

    On the Cisco side the tunnel is in a VRF, but I was able to get the tunnel inside the correct? VRF-specific routing table.

    I did try searching, but I was not able to find any best practices or a solution to my problem.

     

    Thanks in advance!

     

    - JeiJei



  • 2.  RE: GRE tunnel between SSG and Cisco device

    Posted 02-26-2015 09:01

    The tunnel interface has to be in the same zone as the interface GRE is bound to.  The settings on the SSG are going to be the same for both situations.  One thing to keep in mind is that you might have a different IP address for GRE than IPSec on the Cisco side.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB6126



  • 3.  RE: GRE tunnel between SSG and Cisco device
    Best Answer

    Posted 03-02-2015 01:59

    Thanks for the reply, rseibert. Configuration between these devices was actually a walk in the park after my colleague found one wrongly added IP address. I have not yet tested whether there are any better MTU sizes.

     

    Anyway, rseibert's comment is valid though. I also first tried to put the tunnel in the wrong zone...

     

    BR, JeiJei
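
The two causes named in this thread (tunnel interface in the wrong zone, one wrong endpoint address) can be checked before cutover. The sketch below is an added example, not configuration or code from any poster: the config excerpts and addresses are constructed, and it assumes ScreenOS `set interface` lines and a Cisco `tunnel source` given as an IP address.

```python
import re

# Constructed sample configs; addresses are documentation ranges, not the poster's.
SSG_CONFIG = """\
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.0.2.1/30
set interface tunnel.1 zone Trust
set interface tunnel.1 tunnel encap gre
set interface tunnel.1 tunnel local-if ethernet0/0 dst-ip 198.51.100.9
"""
CISCO_CONFIG = """\
interface Tunnel1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 192.0.2.1
"""

def _find(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_gre_pair(ssg, cisco):
    """Lint one SSG GRE tunnel against its Cisco peer; return a list of findings."""
    findings = []
    zones = dict(re.findall(r"^set interface (\S+) zone (\S+)", ssg, re.M))
    addrs = dict(re.findall(r"^set interface (\S+) ip ([\d.]+)/", ssg, re.M))
    m = re.search(r"^set interface (\S+) tunnel local-if (\S+) dst-ip (\S+)", ssg, re.M)
    if not m:
        return ["SSG: no 'tunnel local-if ... dst-ip ...' line found"]
    tun, local_if, ssg_dst = m.groups()
    # Reply 2: tunnel interface must share the zone of the interface GRE is bound to.
    if zones.get(tun) != zones.get(local_if):
        findings.append(f"zone mismatch: {tun}={zones.get(tun)}, {local_if}={zones.get(local_if)}")
    # Reply 3: one wrong IP breaks the tunnel, so cross-check both endpoint pairs.
    cisco_src = _find(r"^\s*tunnel source (\S+)", cisco)
    cisco_dst = _find(r"^\s*tunnel destination (\S+)", cisco)
    if ssg_dst != cisco_src:
        findings.append(f"endpoint mismatch: SSG dst-ip {ssg_dst}, Cisco source {cisco_src}")
    if cisco_dst != addrs.get(local_if):
        findings.append(f"endpoint mismatch: Cisco destination {cisco_dst}, SSG {local_if} {addrs.get(local_if)}")
    # MSS must leave room for 20-byte IPv4 and 20-byte TCP headers inside the tunnel MTU.
    mtu, mss = _find(r"^\s*ip mtu (\d+)", cisco), _find(r"^\s*ip tcp adjust-mss (\d+)", cisco)
    if mtu and mss and int(mss) > int(mtu) - 40:
        findings.append(f"MSS {mss} exceeds MTU {mtu} minus 40")
    return findings
```

An empty list from `check_gre_pair(SSG_CONFIG, CISCO_CONFIG)` means the zone and endpoint pairs agree; it does not confirm routing or VRF placement.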