06-25-2007 12:19 PM
I'm trying to set up an L2L VPN with a Cisco ASA 5510 and a Juniper NetScreen firewall. I can't find any recent documentation regarding this setup. I'm receiving some error messages from the ASDM, which are below:
4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes
3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED
3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)
5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!
The VPN config is provided. Anything stand out? Or has anyone else gotten this to work? Any comments welcome.
Chris Serafin
06-25-2007 12:37 PM
Are you sure that the IPsec configuration on both devices matches perfectly? Your "Phase 1 Completed" implies that your ISAKMP tunnel is created, so that moves you past ISAKMP, and it says that your IPsec proposal is bad. On your ASA you have it set up for ESP-3DES ESP-MD5-HMAC, and you also have PFS Group 2 on; make sure you have that set up on your NetScreen.
06-26-2007 03:02 AM
Hi
I think Bob is correct. In addition, could you check your lifetimes on your Phase 2 as well?
It may also be worth temporarily turning off PFS, as I have seen issues with this and other third-party firewalls.
HTH
Jon
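The two replies above boil down to one diagnostic rule: message 713119 says Phase 1 (ISAKMP) succeeded, so a following 713904 "All IPSec SA proposals found unacceptable" means the Phase 2 (IPsec) parameters disagree, and the things to compare are the transform set, PFS group and lifetimes (proxy IDs, i.e. the crypto ACL on the ASA versus the proxy-ID on the NetScreen, are a further common cause of this exact message and are listed here as an added check). The script below is an added example, not code from the original thread or from Cisco or Juniper: it parses the ASDM lines quoted in the first post, groups them per peer, states which phase failed, and then diffs two constructed Phase 2 settings. The ASA-side values follow the transform set and PFS group named in the thread; the NetScreen values and both lifetimes are assumptions chosen to show a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample input: the six ASDM log lines quoted in the original post.
SAMPLE_LOG = """\
4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes
3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED
3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)
5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!
3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!
"""

# ASA syslog message IDs that carry the diagnosis (all three appear in the post).
MSG_PHASE1_COMPLETE = "713119"
MSG_P2_PROPOSAL_REJECTED = "713904"
MSG_QM_FSM_ERROR = "713902"

# ASDM line layout: <severity> <Mon DD YYYY HH:MM:SS> <6-digit msgid> <body>
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<body>.*)$"
)
PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")


def parse_asa_log(text):
    """Parse ASDM-style lines into dicts with severity, timestamp, msgid, peer and body."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an ASA syslog line
        peer = PEER_RE.search(m.group("body"))
        records.append({
            "severity": int(m.group("sev")),
            "timestamp": m.group("ts"),
            "msgid": m.group("msgid"),
            "peer": peer.group(1) if peer else None,
            "body": m.group("body"),
        })
    return records


def diagnose(records):
    """Group records per peer and report which IKE phase the tunnel failed in."""
    per_peer = defaultdict(lambda: {"phase1_complete": False,
                                    "phase2_rejected": False,
                                    "qm_errors": 0})
    for r in records:
        if r["peer"] is None:
            continue
        state = per_peer[r["peer"]]
        if r["msgid"] == MSG_PHASE1_COMPLETE:
            state["phase1_complete"] = True
        elif r["msgid"] == MSG_P2_PROPOSAL_REJECTED:
            state["phase2_rejected"] = True
        elif r["msgid"] == MSG_QM_FSM_ERROR:
            state["qm_errors"] += 1
    for state in per_peer.values():
        if state["phase1_complete"] and state["phase2_rejected"]:
            state["verdict"] = ("Phase 1 (ISAKMP) OK; Phase 2 (IPsec) proposal mismatch. "
                                "Compare transform set, PFS group, lifetimes and proxy IDs.")
        elif not state["phase1_complete"]:
            state["verdict"] = "Phase 1 never completed; check ISAKMP policy and pre-shared key."
        else:
            state["verdict"] = "No Phase 2 rejection seen."
    return dict(per_peer)


# Constructed Phase 2 settings for the two peers. The ASA side follows the thread
# (ESP-3DES, ESP-MD5-HMAC, PFS group 2); the NetScreen side and both lifetimes are
# assumptions chosen so that the comparison shows a mismatch.
ASA_PHASE2 = {"encryption": "3des", "integrity": "md5", "pfs_group": 2, "lifetime_seconds": 28800}
NETSCREEN_PHASE2 = {"encryption": "3des", "integrity": "md5", "pfs_group": None, "lifetime_seconds": 3600}


def compare_phase2(local, remote):
    """Return the Phase 2 attribute names whose values differ between the two peers."""
    return [k for k in local if local.get(k) != remote.get(k)]


if __name__ == "__main__":
    for peer, state in diagnose(parse_asa_log(SAMPLE_LOG)).items():
        print(peer, "->", state["verdict"])
    print("Phase 2 mismatches:", compare_phase2(ASA_PHASE2, NETSCREEN_PHASE2))
```

Run against the quoted log the script reports the peer as a Phase 2 mismatch, and the settings diff names `pfs_group` and `lifetime_seconds`, which are exactly the two items Jon asks the poster to check. To use it on a live ASA, paste the relevant lines from `show logging` or the ASDM log viewer into `SAMPLE_LOG` and fill the two dictionaries from `show run crypto` on the ASA and the VPN configuration on the NetScreen.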