05-26-2008 08:53 PM - edited 05-26-2008 09:02 PM
Hello.
Sorry, I am not a native English speaker, so please excuse any mistakes.
I have set up a VPN in aggressive mode in the following environment.
Although both ends have fixed IPs, the IP from which the traffic exits may change because of the ISP load balancer,
and the NAT applied in that case changes as well, so I deliberately configured it in aggressive mode.
(NAT-T is enabled on both devices.)
Note:
The ISP that the VPN traffic passes through is basically fixed;
only when a failure occurs in one of the two ISPs
does the traffic switch to the other ISP.
<Environment>
SSG5(HA) --- ISP LoadBalancer --- Internet --- NS25
*SSG5 = ScreenOS 5.4.0r9, NS25 = ScreenOS 4.0.3r4
When a failure occurs in one ISP, failover of the VPN works normally (VPN established),
but when the ISP failure is repaired and the ISP load balancer returns the VPN traffic to the original ISP, the VPN is not established.
However, the VPN connects if the SSG is rebooted.
The event log is as follows.
system info 00536 IKE<X.X.X.X> Phase 1: Retransmission limit has been reached.
system info 00536 IKE<X.X.X.X> >> <X.X.X.X> Phase 1: Initiated negotiations in aggressive mode.
Can anyone help me?
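The two event-log lines above are the only evidence the poster has that the tunnel is stuck. As an added example that is not part of this thread, the following Python script parses ScreenOS "system info 00536" IKE events in exactly the format shown above and flags any peer whose most recent Phase 1 attempts all ended in "Retransmission limit has been reached" with no successful completion in between. The sample log is constructed; the wording of the "Completed" success line is assumed from memory of ScreenOS and is not taken from this page, and the script assumes that in the "IKE<a> >> <b>" form the second address is the remote peer.

```python
import re
from collections import defaultdict

# ScreenOS event-log lines of the two shapes quoted in the post:
#   system info 00536 IKE<peer> Phase 1: Retransmission limit has been reached.
#   system info 00536 IKE<local> >> <peer> Phase 1: Initiated negotiations in aggressive mode.
# Assumption: in the ">>" form the second address is the remote peer.
IKE_EVENT = re.compile(
    r"^system info 00536 IKE<(?P<a>[^>]+)>"
    r"(?:\s*>>\s*<(?P<b>[^>]+)>)?"
    r"\s*Phase (?P<phase>[12]): (?P<msg>.+?)\.?$"
)

# Constructed sample log: peer 1.1.1.1 never recovers (three failed attempts in a row),
# peer 5.5.5.5 fails once and then completes. The "Completed ..." wording is assumed.
SAMPLE_LOG = """\
system info 00536 IKE<2.2.2.2> >> <1.1.1.1> Phase 1: Initiated negotiations in aggressive mode.
system info 00536 IKE<1.1.1.1> Phase 1: Retransmission limit has been reached.
system info 00536 IKE<2.2.2.2> >> <5.5.5.5> Phase 1: Initiated negotiations in aggressive mode.
system info 00536 IKE<5.5.5.5> Phase 1: Retransmission limit has been reached.
system info 00536 IKE<2.2.2.2> >> <1.1.1.1> Phase 1: Initiated negotiations in aggressive mode.
system info 00536 IKE<1.1.1.1> Phase 1: Retransmission limit has been reached.
system info 00536 IKE<2.2.2.2> >> <5.5.5.5> Phase 1: Initiated negotiations in aggressive mode.
system info 00536 IKE<5.5.5.5> Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
system info 00536 IKE<2.2.2.2> >> <1.1.1.1> Phase 1: Initiated negotiations in aggressive mode.
system info 00536 IKE<1.1.1.1> Phase 1: Retransmission limit has been reached.
"""


def parse_ike_event(line):
    """Return {'peer', 'phase', 'msg'} for a 00536 IKE line, or None for anything else."""
    m = IKE_EVENT.match(line.strip())
    if not m:
        return None
    peer = m.group("b") or m.group("a")
    return {"peer": peer, "phase": int(m.group("phase")), "msg": m.group("msg")}


def stuck_peers(lines, limit=3):
    """Map peer -> number of consecutive trailing Phase 1 retransmission-limit failures,
    for peers with at least `limit` such failures and no success after them.
    'Initiated negotiations' lines are attempts, not outcomes, and are ignored."""
    outcomes = defaultdict(list)
    for line in lines:
        ev = parse_ike_event(line)
        if ev is None or ev["phase"] != 1:
            continue
        if ev["msg"].startswith("Initiated negotiations"):
            continue
        outcomes[ev["peer"]].append(ev["msg"].startswith("Retransmission limit"))

    result = {}
    for peer, fails in outcomes.items():
        trailing = 0
        for failed in reversed(fails):
            if not failed:
                break
            trailing += 1
        if trailing >= limit:
            result[peer] = trailing
    return result


if __name__ == "__main__":
    for peer, n in sorted(stuck_peers(SAMPLE_LOG.splitlines()).items()):
        print(f"peer {peer}: Phase 1 failed {n} times in a row; tunnel appears stuck")
```

Feed the output of the firewall's event log (for example via syslog) into `stuck_peers`; a peer that stays on the list after the load balancer has moved traffic back is the case described in the post and is worth alerting on, since the gateway will not recover on its own.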
05-26-2008 10:30 PM
Hi,
Please post the routing table of the firewalls. Maybe you are not using the VPN monitor and rekey features in the VPN configuration.
Thanks
05-26-2008 11:00 PM
Hi.
The VPN monitor and rekey features are already enabled on both devices.
The routing table is as follows. (10.220.121.131 is the ISP load balancer)
vrouter (untrust-vr)
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------
* 3 0.0.0.0/0 eth0/0 10.220.121.131 S 20 1 Root
* 2 10.220.121.134/32 eth0/0 0.0.0.0 H 0 0 Root
* 1 10.220.121.0/24 eth0/0 0.0.0.0 C 0 0 Root
* 4 192.168.0.0/16 n/a trust-vr S 20 1 Root
* 6 172.16.0.0/12 n/a trust-vr S 20 1 Root
* 5 10.0.0.0/8 n/a trust-vr S 20 1 Root
vrouter (trust-vr)
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------
* 15 0.0.0.0/0 n/a untrust-vr S 20 1 Root
* 14 172.16.0.0/24 null 0.0.0.0 S 255 65535 Root
11 172.16.0.0/24 tun.2 0.0.0.0 S 20 1 Root
* 12 192.168.220.0/24 null 0.0.0.0 S 255 65535 Root
9 192.168.220.0/24 tun.1 0.0.0.0 S 20 1 Root
* 13 10.144.1.0/24 null 0.0.0.0 S 255 65535 Root
10 10.144.1.0/24 tun.2 0.0.0.0 S 20 1 Root
* 2 192.168.30.254/32 eth0/1 0.0.0.0 H 0 0 Root
* 1 192.168.30.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 4 192.168.50.254/32 eth0/2 0.0.0.0 H 0 0 Root
* 5 192.168.51.0/24 eth0/2.1 0.0.0.0 C 0 0 Root
* 3 192.168.50.0/24 eth0/2 0.0.0.0 C 0 0 Root
* 6 192.168.51.254/32 eth0/2.1 0.0.0.0 H 0 0 Root
* 8 192.168.40.254/32 eth0/2.40 0.0.0.0 H 0 0 Root
* 7 192.168.40.0/24 eth0/2.40 0.0.0.0 C 0 0 Root
The SSG5 configuration is as follows.
set ike gateway "XXX_iDC-P1" address 1.1.1.1 Aggr local-id "XXX-idc@example.com" outgoing-interface "ethernet0/0" preshare "preshare-key" proposal "pre-g2-3des-sha"
set ike gateway "XXX_iDC-P1" nat-traversal
unset ike gateway "XXX_iDC-P1" nat-traversal udp-checksum
set ike gateway "XXX_iDC-P1" nat-traversal keepalive-frequency 5
set ike responder-set-commit
set ike initiator-set-commit
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "XXX_iDC-P2" gateway "XXX_iDC-P1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "XXX_iDC-P2" monitor rekey
set vpn "XXX_iDC-P2" id 3 bind interface tunnel.2
set vpn "XXX_iDC-P2" proxy-id local-ip 192.168.50.0/24 remote-ip 10.144.1.0/24 "ANY"
05-27-2008 12:23 AM - edited 05-27-2008 12:45 AM
1. The usual state
VPN packets (UDP 500/4500) pass the primary WAN link [NAT'd primary WAN IP]
Site-to-site VPN is up (established)
<Environment>
ssg(NAT:2.2.2.2) ------ NS25(1.1.1.1)
2. When the primary WAN link is down
VPN packets (UDP 500/4500) pass the secondary WAN link [NAT'd secondary WAN IP]
Site-to-site VPN is down --> after about 1 minute --> site-to-site VPN is up (established) * auto-failover
<Environment>
ssg(NAT:3.3.3.3) ------ NS25(1.1.1.1)
3. When the primary WAN link is up (recovery)
VPN packets (UDP 500/4500) pass the primary WAN link
Site-to-site VPN is down. Then, the VPN does not establish even after 2 hours or more.
However, the VPN was established when the SSG was rebooted.
<Environment>
ssg(NAT:2.2.2.2) ------ NS25(1.1.1.1)
I want to achieve fully automatic VPN failover (without a reboot).
05-28-2008 01:19 AM
Hello,
I faced the same problem, but I was able to solve it!
Environment: NetScreen (205 at the hub and 5GT at the branch), Radware load balancer.
The load balancer is configured as the DNS server.
The NS5GT points (tunnel endpoint) to the DNS hostname (not the IP) of the remote firewall. When the Radware receives the DNS request, it replies to it.
The DNS TTL is set to 1 minute (in order to avoid caching).
The following parameters are required:
NAT-T
Aggressive mode
The most important (depending on the load balancer box you are using) is the IKE heartbeat.
This value must be set to a higher value (for example 60 seconds) than the flow connection entry configured on the load balancer (for example 45 seconds).
Hope it can help you.
Regards,