Screen OS

  • 1.  Changed internal IP range and now NS remote does not work

    Posted 04-13-2009 14:36

    We changed the internal IP range of our network and now NS Remote does not work.  We have tried changing the IP pool to match our new range and also changed the IP subnet on the user setup.  The virtual connection will connect but it disconnects. 

     

    the firewall logs the error Rejected an IKE packet on ethernet3 from 216.135.57.170:4500 to XXX.XXX.XXX.XXX:4500 with cookies 0cc6ebabeadde4bf and 376e5480823ab1a3 because the VPN does not have an application SA configured.

     

    Any ideas?




  • 2.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-13-2009 14:48

    Did you check that the policy has the right subnets configured?



  • 3.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-14-2009 05:19
    When I look under policies I do not find one that refers to remote users.  The funny thing is, if we change the subnet on the client install back to the old subnet it will connect but does not pass data.


  • 4.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-15-2009 12:17

    hmm, I think it could be a policy problem or a vpn problem.

    Could you post some configs or logs so we can see?

     

    get conf | i ike

    get conf | i vpn

    get event (relevant to the error)

    get sa

     

    If you can, also try to run "debug flow basic" for the not-passing-traffic problem and "debug ike detail" for the VPN problem.



  • 5.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-16-2009 06:40

    I have changed all usernames and addresses to generic text.  What should I use to get the event? 

     

    ns25-> get conf | i ike
    set user "Username" ike-id u-fqdn " User@Domain.com " share-limit 1
    set user "Username" type  ike xauth
    set user "Username" ike-id u-fqdn "User@Domain.com" share-limit 1
    set user "Username" type  ike xauth
    set user "Username" ike-id u-fqdn " User@Domain.com" share-limit 1
    set user "Username" type  ike xauth
    set user "Username" ike-id u-fqdn " User@Domain.com " share-limit 1
    set user "Username" type  ike xauth
    set user "Username" ike-id u-fqdn " User@Domain.com " share-limit 1
    set user "Username" type  ike xauth
    set user "Username" ike-id u-fqdn " User@Domain.com " share-limit 1
    set user "Username" type  ike xauth
    set ike gateway "RemoteUserVPNGateway" dialup "VPN_User" Aggr outgoing-interface "ethernet3" preshare "hXaCOzF3NrmjXQsb9PCur02/MMnf4gJE6A==" proposal "pre-g2-3des-md5"
    unset ike gateway "RemoteUserVPNGateway" nat-traversal udp-checksum
    set ike gateway "RemoteUserVPNGateway" nat-traversal keepalive-frequency 5
    set ike gateway "RemoteUserVPNGateway" xauth server "Local" user-group "VPN_User"
    unset ike gateway "RemoteUserVPNGateway" xauth do-edipi-auth
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    set vpn "RemoteVPN_UserIKE" gateway "RemoteUserVPNGateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
    set vpn "RemoteVPN_UserIKE" monitor
    set vpn "RemoteVPN_UserIKE" id 4 bind interface tunnel.1
    set vpn "RemoteVPN_UserIKE" proxy-id local-ip 192.168.0.0/22 remote-ip 255.255.255.255/32 "ANY"

    ns25-> get conf | i vpn
    set service "NHK INT VPN PORTS" protocol udp src-port 0-65535 dst-port 500-500
    set service "NHK INT VPN PORTS" + udp src-port 0-65535 dst-port 4500-4500
    set service "NHK INT VPN PORTS" + tcp src-port 0-65535 dst-port 50-50
    set service "NHK INT VPN PORTS" + udp src-port 0-65535 dst-port 51-51
    set service "NHK INT VPN PORTS" + tcp src-port 0-65535 dst-port 51-51
    set service "NHK INT VPN PORTS" + udp src-port 0-65535 dst-port 50-50
    set service "NHK INT VPN PORTS 2" protocol tcp src-port 0-65535 dst-port 4100-4100
    set service "NHK INT VPN PORTS 2" + tcp src-port 0-65535 dst-port 443-443
    set address "Untrust" "NHK Int. VPN Access" 65.119.174.38 255.255.255.255 "Used by NHK Int. employees"
    set address "Untrust" "NHK Int. VPN Access 2" 65.119.174.34 255.255.255.255 "Used by NHK Int. employees "
    set ippool "RemoteVPNClient" 10.25.5.1 10.25.5.254
    set user-group "VPN_User" id 6
    set user-group "VPN_User" user "Username"
    set user-group "VPN_User" user " Username "
    set user-group "VPN_User" user " Username "
    set user-group "VPN_User" user " Username "
    set user-group "VPN_User" user " Username "
    set ike gateway "RemoteUserVPNGateway" dialup "VPN_User" Aggr outgoing-interface "ethernet3" preshare "hXaCOzF3NrmjXQsb9PCur02/MMnf4gJE6A==" proposal "pre-g2-3des-md5"
    unset ike gateway "RemoteUserVPNGateway" nat-traversal udp-checksum
    set ike gateway "RemoteUserVPNGateway" nat-traversal keepalive-frequency 5
    set ike gateway "RemoteUserVPNGateway" xauth server "Local" user-group "VPN_User"
    unset ike gateway "RemoteUserVPNGateway" xauth do-edipi-auth
    set xauth default ippool "RemoteVPNClient"
    set vpn "RemoteVPN_UserIKE" gateway "RemoteUserVPNGateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
    set vpn "RemoteVPN_UserIKE" monitor
    set vpn "RemoteVPN_UserIKE" id 4 bind interface tunnel.1
    set vpn "RemoteVPN_UserIKE" proxy-id local-ip 192.168.0.0/22 remote-ip 255.255.255.255/32 "ANY"
    set policy id 20 name "NHK Int VPN Access Policy" from "Trust" to "Untrust"  "Internal Network" "NHK Int. VPN Access" "NHK INT VPN PORTS" nat src permit log
    set policy id 24 name "NHK Int. VPN Access 2" from "Trust" to "Untrust"  "Internal Network" "NHK Int. VPN Access 2" "NHK INT VPN PORTS 2" nat src permit log

    ns25-> get sa
    total configured sa: 1
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00000004<         0.0.0.0  500 esp:3des/md5  00000000 expir unlim I/I    -1 0
    00000004>         0.0.0.0  500 esp:3des/md5  00000000 expir unlim I/I    -1 0



  • 6.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-16-2009 08:25

    You would need to run "get event" from the CLI.

     

    Looking at the config, you may be using route-based vpn for the dial-up?

     

    I don't see the VPN tied to any policy, so I am assuming you are using routes. Can you run "get conf | i tunnel"?

     

    Also, looking at the proxy ID:

    set vpn "RemoteVPN_UserIKE" proxy-id local-ip 192.168.0.0/22 remote-ip 255.255.255.255/32 "ANY"

     

    You may need to check that as from the NSR, that will be defined by which subnet you want to access.

     

    In any case, if you have a problem with the proxy ID, you should most likely see that error in the event log (via "get event") as well.

     

    Thanks

    Message Edited by WL on 04-16-2009 08:30 AM


  • 7.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-16-2009 08:47

    Here are the log event entries from the firewall during one of the times we have tried to connect. 

     

    IKE<216.135.57.170> Phase 2 msg ID <1c8a17ad>: Negotiations have failed.
    2009-04-13 16:16:08 info Rejected an IKE packet on ethernet3 from 216.135.57.170:4500 to 12.180.248.100:4500 with cookies 0cc6ebabeadde4bf and 376e5480823ab1a3 because the VPN does not have an application SA configured.
    2009-04-13 16:16:08 info IKE<216.135.57.170> Phase 2: No policy exists for the proxy ID received: local ID (<10.25.0.0>/<255.255.252.0>, <0>, <0>) remote ID (<10.25.5.1>/<255.255.255.255>, <0>, <0>).
    2009-04-13 16:16:08 info IKE<216.135.57.170> Phase 2 msg ID <1c8a17ad>: Responded to the peer's first message.
    2009-04-13 16:15:58 alert IP spoofing! From 192.168.10.250:1204 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
    2009-04-13 16:15:55 alert IP spoofing! From 192.168.10.250:1204 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
    2009-04-13 16:15:53 info IKE<216.135.57.170> Phase 2 msg ID <1c8a17ad>: Negotiations have failed.
    2009-04-13 16:15:53 info Rejected an IKE packet on ethernet3 from 216.135.57.170:4500 to 12.180.248.100:4500 with cookies 0cc6ebabeadde4bf and 376e5480823ab1a3 because the VPN does not have an application SA configured.
    2009-04-13 16:15:53 info IKE<216.135.57.170> Phase 2: No policy exists for the proxy ID received: local ID (<10.25.0.0>/<255.255.252.0>, <0>, <0>) remote ID (<10.25.5.1>/<255.255.255.255>, <0>, <0>).
    2009-04-13 16:15:53 info IKE<216.135.57.170> Phase 2 msg ID <1c8a17ad>: Responded to the peer's first message.
    2009-04-13 16:15:53 info IKE<216.135.57.170>: XAuth login was passed for gateway <RemoteUserVPNGateway>, username <BrandonHay>, retry: 0, Client IP Addr<10.25.5.1>, IPPool name:<RemoteVPNClient>, Session-Timeout:<0s>, Idle-Timeout:<0s>.
    2009-04-13 16:15:52 alert IP spoofing! From 192.168.10.250:1204 to 239.255.255.250:1900, proto UDP (zone Trust, int ethernet1). Occurred 1 times.
    2009-04-13 16:15:38 info IKE<216.135.57.170>: Received initial contact notification and removed Phase 1 SAs.
    2009-04-13 16:15:38 info IKE<216.135.57.170> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
    2009-04-13 16:15:38 info IKE<216.135.57.170> Phase 1: Completed for user <TomNunn>.
    2009-04-13 16:15:38 info IKE<216.135.57.170>: Received initial contact notification and removed Phase 2 SAs.
    2009-04-13 16:15:38 info IKE<216.135.57.170>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
    2009-04-13 16:15:38 info IKE<216.135.57.170>: Received a notification message for DOI <1> <24577> <REPLAY-STATUS>.
    2009-04-13 16:15:38 info IKE<216.135.57.170> Phase 1: IKE responder has detected NAT in front of the remote device.
    2009-04-13 16:15:38 info IKE<216.135.57.170> Phase 1: Responder starts AGGRESSIVE mode negotiations.


  • 8.  RE: Changed internal IP range and now NS remote does not work
    Best Answer

    Posted 04-16-2009 09:04

    I think for sure there is a proxy ID issue:

    No policy exists for the proxy ID received: local ID (<10.25.0.0>/<255.255.252.0>, <0>, <0>) remote ID (<10.25.5.1>/<255.255.255.255>, <0>, <0>).

     

    The proxy ID you have set up on the FW is:

    set vpn "RemoteVPN_UserIKE" proxy-id local-ip 192.168.0.0/22 remote-ip 255.255.255.255/32 "ANY"

     

    You should have it configured to be:

    set vpn "RemoteVPN_UserIKE" proxy-id local-ip 10.25.5.1/32 remote-ip 10.25.0.0/22 "ANY"

     

    Also, are you using policy-based VPN? If you are, then you are still missing the VPN policies, which should look something like this:

    set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Trust-LAN" "ANY" tunnel vpn "vpn-name" id 2 pair-policy 3 log  etc...

     

     

     

    Message Edited by WL on 04-16-2009 09:05 AM
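The mismatch this answer points at can be checked mechanically: parse the configured "set vpn ... proxy-id" line and the Phase 2 "No policy exists for the proxy ID received" event, then test whether each received ID falls inside the configured one. This is an added example, not code from the thread or from Juniper; it assumes that the event's local ID refers to the firewall's side and the remote ID to the dial-up client's, and that a configured remote-ip of 255.255.255.255/32 acts as the dial-up wildcard. The inputs are constructed from the config in post 5 and the log in post 7.

```python
import ipaddress
import re

# Constructed inputs copied from the thread: the configured proxy-id (post 5)
# and one of the Phase 2 event entries the firewall logged (post 7).
CONFIGURED = ('set vpn "RemoteVPN_UserIKE" proxy-id local-ip 192.168.0.0/22 '
              'remote-ip 255.255.255.255/32 "ANY"')
EVENT = ('2009-04-13 16:15:53 info IKE<216.135.57.170> Phase 2: No policy exists '
         'for the proxy ID received: local ID (<10.25.0.0>/<255.255.252.0>, <0>, <0>) '
         'remote ID (<10.25.5.1>/<255.255.255.255>, <0>, <0>).')

CONF_RE = re.compile(r'set vpn "([^"]+)" proxy-id local-ip (\S+) remote-ip (\S+)')
ID_RE = re.compile(r'(local|remote) ID \(<([\d.]+)>/<([\d.]+)>, <(\d+)>, <(\d+)>\)')
# Assumption: ScreenOS uses this host route as "any dial-up client" in the remote proxy-id.
DIALUP_ANY = ipaddress.ip_network("255.255.255.255/32")


def parse_configured(line):
    """Return (vpn name, local network, remote network) from a ScreenOS proxy-id line."""
    m = CONF_RE.search(line)
    if not m:
        raise ValueError("not a proxy-id line")
    return (m.group(1),
            ipaddress.ip_network(m.group(2), strict=False),
            ipaddress.ip_network(m.group(3), strict=False))


def parse_event(line):
    """Return {'local': net, 'remote': net} from a 'No policy exists for the proxy ID' event."""
    ids = {}
    for side, ip, mask, _proto, _port in ID_RE.findall(line):
        ids[side] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)  # netmask form is accepted
    if set(ids) != {"local", "remote"}:
        raise ValueError("event does not carry both proxy IDs")
    return ids


def proxy_id_mismatches(conf_line, event_line):
    """List the sides ('local' / 'remote') whose received ID is not covered by the config."""
    _vpn, conf_local, conf_remote = parse_configured(conf_line)
    received = parse_event(event_line)
    mismatches = []
    if not received["local"].subnet_of(conf_local):
        mismatches.append("local")
    if conf_remote != DIALUP_ANY and not received["remote"].subnet_of(conf_remote):
        mismatches.append("remote")
    return mismatches


if __name__ == "__main__":
    print("mismatched proxy-id sides:", proxy_id_mismatches(CONFIGURED, EVENT))
```

For the thread's config the check reports only the local side: the received 10.25.0.0/22 (the new internal range) is not inside the configured 192.168.0.0/22 (the old one).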


  • 9.  RE: Changed internal IP range and now NS remote does not work

    Posted 04-20-2009 05:51
    Yes, that worked.  Changing the addresses in the Remote IKE did the trick.