We have set up a network-to-network VPN between a pix501 and a Netscreen NS-500. This was a working configuration with an access rule that allowed only a single tcp port.
Recently we wanted to have another port open, so on both sides a rule was added to allow the extra port. Now whatever we do, we are never able to establish the VPN.
Looking at the pix501 logs, it always fails in phase 2. Here is a log fragment:
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xb3707fc5
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0xb3707fc5
Here is some configuration from the pix:
object-group service Matiptelnet tcp
port-object eq telnet
port-object eq 7500
access-list outside_cryptomap_20 permit tcp somenattednet 255.255.255.240 host somehost object-group Matiptelnet
Any idea what could be wrong?