L2L VPN with PIX525 and Juniper

Jan 7th, 2009

Hi,


My PIX525 firewall is configured for S2S (three more S2S VPNs are already configured) with a Juniper firewall at the other end.


The problem I'm now facing is that although the tunnel comes up, no traffic can pass end-to-end.


When I ran sh crypto ipsec sa I could see the following:


pixfirewall(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: dyngroup, seq num: 30, local addr: 212.77.203.226

      local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)
      current_peer: 86.51.9.254

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 247, #pkts decrypt: 247, #pkts verify: 247
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 228


Can anyone advise why I'm not able to ping/access the other side of the LAN (Juniper firewall side)? I also want to make sure there's nothing wrong on my side (my configuration).


Thanks in advance.


For ready reference, I have attached the VPN configuration from my PIX firewall.




Ivan Martinon (Cisco Employee) Fri, 01/09/2009 - 11:46

Hi, as you can see in the show crypto output:


Crypto map tag: dyngroup,


The matched crypto map is a dynamic map, which I assume from the name. The uploaded configuration shows that this should be using a static crypto map rather than this dynamic one.


What happens here is that the SA offer the Juniper sends does not match what the PIX has configured. In your configuration you have the match address using TCP ports (which is not supported by Cisco), but the SA created is using port 0:


local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)


Which means that the offering is done with protocol IP (0) rather than TCP (6).


You need to change the match address on your Pix to match IP rather than TCP.

pemasirid Wed, 01/14/2009 - 13:10

Hi Imartino,


Many thanks for your reply, and apologies for the delay in responding.


Yes, the 'sh crypto ipsec sa' output still shows the Crypto map tag as dyngroup, which is configured for remote-access VPN.


I changed the static crypto map name outside_map with seq 10, but it still shows the Crypto map tag as dyngroup with its seq no. (30).


I have changed the ACL to IP level rather than TCP, but there was no luck. However, the customer doesn't want to allow IP level and only wants to allow access to the particular ports (4444 and 4445).


I could see only local ident #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52 (one side), with some error packets.


Please suggest a solution to resolve this issue. The sh crypto ipsec sa output is attached.


Thanks in advance.




balint.pal Thu, 01/15/2009 - 03:12

Hi,


Is your FIX_CLNT_TST1 server in the nonat ACL already?


Use "sh xlate" for more info.
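The checks raised in the two replies above (a crypto ACL written against TCP ports while the negotiated proxy IDs are protocol 0, the SA landing on the dynamic map instead of the static entry, one-way packet counters, and the local host missing from the NAT-exemption ACL) can be scripted against the running configuration and the `show crypto ipsec sa` text. The following is an added example, not code from this thread or from Cisco. The configuration fragment and SA excerpt are constructed to mirror the poster's symptoms; the host address 10.10.10.5, the ACL names outside_cryptomap_10 and nonat, and the static map outside_map seq 10 are assumptions.

```python
"""Added example (not from the thread or Cisco): script the checks raised above
against PIX config and 'show crypto ipsec sa' text. All input is constructed."""
import ipaddress
import re

# Constructed config with the problem as posted: the crypto ACL matches TCP
# ports and the nonat ACL does not cover the VPN host (addresses assumed).
PIX_CONFIG = """\
name 10.10.10.5 FIX_CLNT_TST1
access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4444
access-list outside_cryptomap_10 extended permit tcp host FIX_CLNT_TST1 host 192.168.36.2 eq 4445
access-list nonat extended permit ip 10.10.20.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address outside_cryptomap_10
"""

# Same config corrected: crypto ACL matches IP and the host is NAT-exempted.
# The 4444/4445 restriction belongs in the interface access-list (not shown).
FIXED_CONFIG = """\
name 10.10.10.5 FIX_CLNT_TST1
access-list outside_cryptomap_10 extended permit ip host FIX_CLNT_TST1 host 192.168.36.2
access-list nonat extended permit ip host FIX_CLNT_TST1 host 192.168.36.2
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address outside_cryptomap_10
"""

# Constructed 'show crypto ipsec sa' excerpt in the shape of the poster's output.
SA_OUTPUT = """\
Crypto map tag: dyngroup, seq num: 30, local addr: 212.77.203.226
local ident (addr/mask/prot/port): (FIX_CLNT_TST1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.36.2/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 247, #pkts decrypt: 247, #pkts verify: 247
#send errors: 0, #recv errors: 228
"""

def _addr(tokens, names):
    """Consume one ACL address spec (any | host X | net mask) into an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens.pop(0)}", strict=False)

def parse_config(config):
    """Collect name mappings, ACL entries, crypto-map ACL bindings and the nonat ACL."""
    cfg = {"names": {}, "acls": {}, "maps": {}, "nonat": None}
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["name"]:
            cfg["names"][t[2]] = t[1]
        elif t[:1] == ["access-list"] and "permit" in t:
            rest = t[t.index("permit") + 1:]  # PROTO SRC DST [eq PORT]
            proto = rest.pop(0)
            src, dst = _addr(rest, cfg["names"]), _addr(rest, cfg["names"])
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(t[1], []).append((proto, src, dst, port))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["maps"][(t[2], int(t[3]))] = t[6]
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nonat"] = t[4]
    return cfg

def parse_sa(output):
    """Pull the map tag, proxy identities and packet counters out of the SA text."""
    m = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", output)
    sa = {"map": m.group(1), "seq": int(m.group(2))}
    for side in ("local", "remote"):
        m = re.search(side + r" ident \(addr/mask/prot/port\): \(([^/]+)/[^/]+/(\d+)/(\d+)\)", output)
        sa[side] = {"addr": m.group(1), "prot": int(m.group(2)), "port": int(m.group(3))}
    for key in ("pkts encaps", "pkts decaps", "send errors", "recv errors"):
        sa[key] = int(re.search("#" + key + r": (\d+)", output).group(1))
    return sa

def diagnose(config, sa_output, static_map="outside_map", static_seq=10):
    """Return the findings a reviewer would raise for this config/SA pair."""
    cfg, sa = parse_config(config), parse_sa(sa_output)
    names, findings = cfg["names"], []
    if (sa["map"], sa["seq"]) != (static_map, static_seq):
        findings.append(f"SA built on crypto map {sa['map']} seq {sa['seq']}, not the "
                        f"static entry {static_map} seq {static_seq}")
    acl = cfg["maps"].get((static_map, static_seq))
    bad = [p for p, _, _, _ in cfg["acls"].get(acl, []) if p != "ip"]
    if bad and sa["local"]["prot"] == 0:
        findings.append(f"crypto ACL {acl} matches {bad[0]} ports but the negotiated proxy ID "
                        "is protocol 0 (IP); use 'permit ip' and filter ports in the interface ACL")
    if sa["pkts decaps"] > 0 and sa["pkts encaps"] == 0:
        findings.append("one-way tunnel: peer traffic is decrypted but nothing is encrypted back")
    local = ipaddress.ip_address(names.get(sa["local"]["addr"], sa["local"]["addr"]))
    remote = ipaddress.ip_address(names.get(sa["remote"]["addr"], sa["remote"]["addr"]))
    if not any(local in s and remote in d for _, s, d, _ in cfg["acls"].get(cfg["nonat"], [])):
        findings.append(f"{sa['local']['addr']} -> {sa['remote']['addr']} is not in the nonat ACL; "
                        "outbound packets get translated and never match the crypto ACL")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, *diagnose(cfg, SA_OUTPUT), sep="\n  - ")
```

Run against the "as posted" input it reports all four problems; against the corrected configuration only the two SA-side observations remain (the SA still sits on the dynamic map and the counters are still one-way), which is what you would expect until the SA is cleared and re-negotiated. On a real box the inputs are `show running-config` and `show crypto ipsec sa`; the NAT-exemption check is the scripted form of the "sh xlate" look the last reply suggests, since a host that still has a translation is one the nonat ACL did not cover.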
