pix501 VPN to netscreen NS-500 problem

travsys100 · ‎11-21-2008

We have setup a network to network VPN between a pix501 and a Netscreen NS-500. This was a working configuration with an access rule that allowed only a single tcp port.

Recently we wanted have an other port open so on both sides a rule was added to allow the extra port. Now whatever we do we are never able to establish the VPN.

Looking at the pix501 logs it always fails in phase 2. Here some log fragment:

ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xb3707fc5

ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0xb3707fc5

ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0xb3707fc5

ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0xb3707fc5

Here some configuration from the pix:

object-group service Matiptelnet tcp

port-object eq telnet

port-object eq 7500

access-list outside_cryptomap_20 permit tcp somenattednet 255.255.255.240 host somehost object-group Matiptelnet

Any idear what could be wrong ?

Lex

ariesc_33 · ‎11-26-2008

its a phase 2 policy mismatch. check the PFS on pix firewall, by default it is enabled while usually, it is disabled on other FW vendors.

please rate if it helps

travsys100 · ‎11-27-2008

Thanks for the suggestion, the PFS was already disabled, I tried to enable it but this made no difference.

Lex

ajagadee · ‎11-26-2008

Hi,

From the debug, it looks like a IPSEC ACL Mismatch issu. Check the crypto ACL on bot the Pix and Netscreen and make sure that they are mirror images of each other.

Regards,

Arul

*Pls rate if it helps*

travsys100 · ‎11-27-2008

Hi,

Unfortunately we don't have access to the netscreen config and have to rely on what their admin guy tells us. I only know we had a working link and after we added the extra port we never could get the link up. My suspicien is there is some kind of incompatability between the pix and the netscreen in this type of configuration.

Lex