ScreenOS Firewalls (NOT SRX)
Contributor
mali
Posts: 145
Registered: 01-29-2008
0

VPN between SSG320 and 5GT

We have an SSG320 in our Data Center and an SSG 5GT in one of our remote sites.
We have 3 VPNs coming out of the 5GT; two of them are going to NS 204 devices.
One of them is going to the SSG320.
One VPN going to one of the NS204s is working perfectly.
The second VPN, using tunnel.2 and going to the second NS204, is not very stable; it goes up and down intermittently for some reason.
But the third VPN, via tunnel.5 to the SSG320, is not coming up at all. I get SA up but Link shows down, and I can't pass any traffic between the two sites. When I delete the VPN to the SSG320 and recreate it on both ends, it comes back up for like 60 seconds or so, but it goes down again and I don't see any error messages either.

Any ideas?
Cheers
Recognized Expert
PentinProcessor
Posts: 258
Registered: 11-06-2007
0

Re: VPN between SSG320 and 5GT

I'd tackle each VPN issue using the VPN Troubleshooting Guide below:
http://kb.juniper.net/KB9221

Let us know how it goes.
--Josine


Handy Reference too:
http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm
Contributor
mali
Posts: 145
Registered: 01-29-2008
0

Re: VPN between SSG320 and 5GT

Trust me, I have tried it.
Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007
0

Re: VPN between SSG320 and 5GT

It sounds like you are using VPN monitoring. What happens if you disable VPN monitoring on both peers? Does your tunnel remain stable? If so and you are able to pass traffic through the tunnel, then likely VPN monitoring is failing for some reason. You should confirm your VPN monitoring settings are correct and that the VPN monitoring target is pingable by the peer. If the tunnel is up but no traffic is passing, then confirm if ESP traffic is passing between the two peers. You may need to connect a sniffer on the untrust sides of both peers to determine if the ESP packet is leaving the firewall and that the ESP packet is being received at the other side. If you do not see that then you may have a device on the network that is blocking ESP traffic.
 
Good luck
 
-Richard
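
The two-sided ESP check suggested in the post above, as an added example that is not part of the original thread: it compares packets captured on the untrust side of each peer and lists the ESP (SPI, sequence) pairs that left one firewall but never reached the other. The addresses, SPI and packets are constructed sample data, and the sketch assumes native ESP (IP protocol 50) with no address translation between the peers.

```python
import socket
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def esp_info(pkt: bytes):
    """Return (src, dst, spi, seq) for a raw IPv4 ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if pkt[9] != ESP_PROTO or len(pkt) < ihl + 8:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])  # ESP header fields
    return src, dst, spi, seq

def lost_in_transit(sent_capture, received_capture, src, dst):
    """ESP (spi, seq) pairs seen leaving src but never seen arriving at dst."""
    def keys(capture):
        found = set()
        for pkt in capture:
            info = esp_info(pkt)
            if info and info[:2] == (src, dst):
                found.add(info[2:])
        return found
    return sorted(keys(sent_capture) - keys(received_capture))

def build_esp(src, dst, spi, seq):
    """Build a minimal IPv4+ESP packet (constructed sample, checksum zero)."""
    body = struct.pack("!II", spi, seq) + b"\x00" * 16
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      ESP_PROTO, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

# Constructed captures; documentation addresses stand in for the untrust IPs.
SITE, DC = "192.0.2.10", "198.51.100.20"
at_site = [build_esp(SITE, DC, 0x1001, n) for n in (1, 2, 3)]  # sender side
at_dc = [build_esp(SITE, DC, 0x1001, 1)]                       # receiver side

# A non-empty result means ESP left the sender but was dropped on the path.
print(lost_in_transit(at_site, at_dc, SITE, DC))
```

Run the comparison once per direction, swapping the source and destination arguments, since each direction of the tunnel uses its own SPI.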
Contributor
mali
Posts: 145
Registered: 01-29-2008
0

Re: VPN between SSG320 and 5GT

Same results, no change.
Distinguished Expert
rkim
Posts: 755
Registered: 11-06-2007
0

Re: VPN between SSG320 and 5GT

So did you try my other suggestion regarding sniffing your network to confirm that you are able to send and receive ESP traffic properly?
Contributor
mali
Posts: 145
Registered: 01-29-2008
0

Re: VPN between SSG320 and 5GT

No, but I think I might know why this is happening. After testing that out I'll update this thread.