ASA to Netscreen L2L?

Unanswered Question
Jun 25th, 2007

I'm trying to set up an L2L VPN with a Cisco ASA 5510 and a Juniper Netscreen Firewall. I can't find any recent documentation regarding this setup. I'm receiving some error messages from the ASDM, which are below:


4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes

3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED

3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)

5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!

3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!

3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!


The VPN config is provided. Anything stand out? Or has anyone else got this to work? Any comments welcome.



Chris Serafin

bob.bartlett Mon, 06/25/2007 - 12:37

Are you sure that the IPSEC configuration on both devices is matching perfectly? Your "Phase 1 Completed" implies that your ISAKMP tunnel is created, so that moves you past ISAKMP, and it says that your IPSEC proposal is bad. On your ASA you have it set up for ESP-3DES ESP-MD5-HMAC; you also have PFS Group 2 on. Make sure you have that set up on your NetScreen.

Jon Marshall Tue, 06/26/2007 - 03:02

Hi

I think Bob is correct. In addition, could you check your lifetimes on your Phase 2 as well.

It may also be worth temporarily turning off PFS, as I have seen issues with this and other 3rd party firewalls.

HTH

Jon
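As an added example (not code from the original thread): a short Python script that applies Bob's and Jon's reasoning to the poster's ASDM output. It parses the syslog message IDs to tell a Phase 1 failure from a Phase 2 proposal mismatch, then diffs the Phase 2 attributes (transform set, PFS group, lifetime) of both ends. The NetScreen-side values and both lifetimes are constructed for illustration.

```python
import re

# ASA syslog IDs from the poster's ASDM output, keyed to what they mean.
PHASE1_DONE = "713119"   # PHASE 1 COMPLETED: the ISAKMP SA is up
P2_REJECTED = "713904"   # All IPSec SA proposals found unacceptable!
QM_FSM_ERROR = "713902"  # QM FSM error / peer removed from correlator table
# Phase 2 attributes both replies say to compare with the NetScreen side.
PHASE2_KEYS = ("esp_encryption", "esp_integrity", "pfs_group", "lifetime_seconds")

# "<sev> <Mon dd yyyy> <hh:mm:ss> <msgid> <text>", as ASDM shows it.
LOG_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4}) ([\d:]{8})\s+(\d{6})\s+(.*)$")

def parse_line(line):
    """Split one ASDM log line into fields; None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sev, _date, _time, msgid, text = m.groups()
    peer = re.search(r"IP = ([\d.]+)", text)
    return {"sev": int(sev), "msgid": msgid, "text": text,
            "peer": peer.group(1) if peer else None}

def diagnose(lines):
    """Report how far the IKEv1 negotiation got and what to compare."""
    entries = [e for e in map(parse_line, lines) if e]
    ids = {e["msgid"] for e in entries}
    peer = next((e["peer"] for e in entries if e["peer"]), None)
    if PHASE1_DONE not in ids:
        return {"phase": 1, "peer": peer,
                "check": ["ike_encryption", "ike_hash", "dh_group", "pre_shared_key"]}
    if P2_REJECTED in ids or QM_FSM_ERROR in ids:
        # Phase 1 is up, so only the IPsec (Phase 2) parameters can disagree.
        return {"phase": 2, "peer": peer, "check": list(PHASE2_KEYS)}
    return {"phase": None, "peer": peer, "check": []}

def compare_phase2(local, remote):
    """Return the Phase 2 attributes whose values differ between the two ends."""
    return {k: (local.get(k), remote.get(k))
            for k in PHASE2_KEYS if local.get(k) != remote.get(k)}

# Constructed sample values. The ASA side follows Bob's reading of the config
# (ESP-3DES, ESP-MD5-HMAC, PFS group 2); the NetScreen side is hypothetical.
ASA_PHASE2 = {"esp_encryption": "3des", "esp_integrity": "md5",
              "pfs_group": 2, "lifetime_seconds": 28800}
NETSCREEN_PHASE2 = {"esp_encryption": "3des", "esp_integrity": "md5",
                    "pfs_group": None, "lifetime_seconds": 3600}
# Three of the poster's ASDM lines, used as sample input.
SAMPLE_LOG = [
    "3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED",
    "5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!",
    "3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!",
]
```

Running `diagnose(SAMPLE_LOG)` on the poster's lines reports a Phase 2 failure, and `compare_phase2` then shows the PFS group and lifetime as the attributes to reconcile.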
