Screen OS

Hi Guys,

I am having a problem with a site-to-site VPN to one of our peers using a Cisco Router (7206).

We are able to get through both Phase 1 and Phase 2 negotiations without any problem. However, the VPN goes down every after a minute and 30 seconds.

Any idea what causes this?

The NS details are as follows:

NS-500

5.4.0r8.0 (Firewall+VPN)

Griever,

The following KB should help you: KB9488 - How to troubleshoot a VPN tunnel that is going up and down.

FYI, for future issues, it's referenced from the VPN Configuration & Troubleshooting Guide.

Let us know how it goes.

Josine

Hi Josine,

The flow chart was of great help. I did turn off the VPN monitoring and the VPN came up. Based from the documentations I read VPN monitoring is basically a keepalive that will monitor status of VPN, since CISCO is not replying to VPN monitoring keep-alive, Netscreen sees the VPN as "DOWN" thus terminating the VPN.

Cheers!

griever

Griever,

Glad to hear it helped!

If you do want to use VPN Monitor, we find people frequently follow this KB when the remote side is a Cisco:

KB9503 - Configuring the Source Interface and Destination IP options of VPN Monitor

For the Destination IP, specify a internal host at the Cisco's site that will respond to ICMP echo requests (pings).

First experiment with PING from the firewall, i.e. just enter ping, and then follow the prompts, specifying the target (i.e. the internal remote host), and specifying one of your interfaces that the remote host knows how to get back to.  Once you have a successful ping working, use those fields in KB9503.

Regards,

Josine 

Thanks again! I'll look into this document.

Cheers!

-Griever