Screen OS

Hi I have been trying to setup a VPN with MIP bettween ssg50 and ssg 5  because we have oerlaping subnets . Ihave folwed this KB article  

 http://kb.juniper.net/kb/documents/public/VPN/ScreenOS_VPN_with_Overlapping_Subnets.pdf

 and also  http://kb.juniper.net/kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0/IP-overlaps-NAT-PAT.htm

but I keep getting this error phase 1 retransmission  limit reach any help would be appreciated .I can post config  if it is helpfull

Check the ike gateway configuration .e.g

peer IP addresses

outgoing interfaces

preshare key

proposal

If still you have the same problem, perform below command on both firewalls 

debug ike detail               

cl db

<Wait until initiator tries again to connect>

get db str

Hi,

I tryed what you said evey thing looks okay when I did the debug I get failed to send phase 1  on the  SSG5  any ideas?

SSG5

  IKE<1.1.1.2> Send Phase 1 packet (len=192)
 IKE<1.1.1.2> Failed to send phase 1 192 bytes n=-10994!

SSG50

 Send Phase 1 packet (len=156)
## 2009-08-08 09:06:47 : IKE<2.2.2.2> re-trans timer expired, msg retry (1) (000
1/0)

thanks for the help

hi

check your route tabele , and check your route regarding your VPN 

thanks 

SSG50 doesnt have the correct route to reach 2.2.2.2

Please check the route for 2.2.2.2 by using the command " get route ip 2.2.2.2"

Also run the debug flow basic , you will the see the drop message in the debug.

IF you still not able to find the clue of the issue , please run the following debug :

1) set ff src-ip x.x.x.x

2) set ff dst-ip x.x.x.x

3) debug flow basic

4) debug ike detail

Send the ping traffic

5) Press "ESC" to turn off the debugs

6) get db s  ( paste the output)

Thanks

Atif