ScreenOS Firewalls (NOT SRX)

VPN between SSG320 and 5GT

01-29-2008 04:01 PM
We have an SSG320 in our data center and an SSG 5GT in one of our remote sites.
We have 3 VPNs coming out of the 5GT; two of them are going to NS 204 devices.
One of them is going to the SSG320.
One VPN going to one of the NS204s is working perfectly.
The second VPN, using tunnel.2 going to the second NS204, is not very stable; it goes up and down intermittently for some reason.
But the third VPN via tunnel.5 to the SSG320 is not coming up at all. I get SA up but Link shows down and I can't pass any traffic between the two sites. When I delete the VPN to the SSG320 and recreate it, on both ends, it comes back up for like 60 seconds or so, but it goes down again and I don't see any error messages either.

Any ideas?
Cheers
6 REPLIES

Re: VPN between SSG320 and 5GT

01-30-2008 08:33 AM
I'd tackle each VPN issue using the VPN Troubleshooting Guide below:
http://kb.juniper.net/KB9221

Let us know how it goes.
--Josine


Handy Reference too:
http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

Re: VPN between SSG320 and 5GT

01-30-2008 08:48 AM
Trust me, I have tried it.

Re: VPN between SSG320 and 5GT

01-30-2008 05:02 PM
It sounds like you are using VPN monitoring. What happens if you disable VPN monitoring on both peers? Does your tunnel remain stable? If so and you are able to pass traffic through the tunnel, then likely VPN monitoring is failing for some reason. You should confirm your VPN monitoring settings are correct and that the VPN monitoring target is pingable by the peer. If the tunnel is up but no traffic is passing, then confirm if ESP traffic is passing between the two peers. You may need to connect a sniffer on the untrust sides of both peers to determine if the ESP packet is leaving the firewall and that the ESP packet is being received at the other side. If you do not see that then you may have a device on the network that is blocking ESP traffic.
 
Good luck
 
-Richard
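
The two-sided ESP capture comparison suggested above, as an added example that is not part of the original thread: it reads a capture taken on each peer's untrust side and lists the ESP packets (by SPI and sequence number) that left one firewall but never reached the other. It assumes classic pcap files with Ethernet framing and native ESP (IP protocol 50, no NAT-T); the function names, capture contents and addresses are constructed for illustration.

```python
import struct

ESP = 50  # IP protocol number of ESP

def esp_packets(pcap):
    """Return {(src_ip, spi, seq)} for each ESP packet in a classic Ethernet pcap."""
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap[:4])[0])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    seen, off = set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN-tagged frames are not handled)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != ESP or len(ip) < ihl + 8:
            continue  # not ESP, or truncated before SPI/sequence number
        spi, seq = struct.unpack("!II", ip[ihl:ihl + 8])
        seen.add((".".join(map(str, ip[12:16])), spi, seq))
    return seen

def lost_in_transit(sender_cap, receiver_cap, sender_ip):
    """(spi, seq) pairs that left sender_ip but are absent from the receiver capture."""
    sent = {(spi, seq) for src, spi, seq in esp_packets(sender_cap) if src == sender_ip}
    got = {(spi, seq) for _, spi, seq in esp_packets(receiver_cap)}
    return sorted(sent - got)

# --- constructed sample captures (documentation addresses, no real traffic) ---
def _frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def _esp(spi, seq):
    return struct.pack("!II", spi, seq) + b"\x00" * 16

REMOTE, DC = (192, 0, 2, 1), (198, 51, 100, 1)  # hypothetical untrust IPs
out_frames = [_frame(REMOTE, DC, ESP, _esp(0x1000, n)) for n in (1, 2, 3)]
back = _frame(DC, REMOTE, ESP, _esp(0x2000, 1))
REMOTE_CAP = _pcap(out_frames + [back])  # capture at the remote site
DC_CAP = _pcap(out_frames[:2] + [_frame(REMOTE, DC, 1, b"\x08" * 8), back])
```

A non-empty result for one direction only points at something on the path dropping ESP in that direction, which is the condition the post above describes.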

Re: VPN between SSG320 and 5GT

02-03-2008 08:27 AM
Same results, no change.

Re: VPN between SSG320 and 5GT

02-04-2008 04:27 PM
So did you try my other suggestion regarding sniffing your network to confirm that you are able to send and receive ESP traffic properly?

Re: VPN between SSG320 and 5GT

02-10-2008 02:41 PM
No, but I think I might know why this is happening. After testing that out I'll update this thread.