PIX to Netscreen VPN fails often

softwareadmin
Level 1

I'm running into an issue with an L2L VPN we have with one of our remote sites. At times one of the many networks there will stop passing traffic across the tunnel. Other networks at this location will continue to traverse the tunnel just fine when this issue crops up. My location has a PIX 515e w/ 6.3(5) and the remote site has a NetScreen ISG 2000 w/ 6.1r5. I see a lot of the below errors when this issue is occurring.

IPSEC(cipher_ipsec_request): decap failed for <remote peer ip> -> <local peer ip>

IPSEC(sw_esp_decap): fail antireplay check

IPSEC(cipher_ipsec_request): decap failed for <remote peer ip> -> <local peer ip>

IPSEC(sw_esp_decap): fail antireplay check

IPSEC(cipher_ipsec_request): decap failed for <remote peer ip> -> <local peer ip>

IPSEC(sw_esp_decap): fail antireplay check

I'm sure it's not an anti-replay attack, but I'm not sure what is triggering this condition. On the Juniper side, I do not have the anti-replay feature enabled. Is it possible to disable anti-replay checking on the PIX?

Any thoughts/recommendation welcome.

TIA
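For readers who want to see what the "fail antireplay check" log line actually tests, the following is an added example (not code from the original post, Cisco or Juniper). It implements the ESP anti-replay sliding window from RFC 4303, Appendix A, in its bitmap form, with the 64-packet window that most IPsec stacks use by default (assumption: the PIX in this post uses that default; the exact PIX 6.3 internals are not shown on this page). The sequence-number traces at the bottom are constructed to show the three ways a packet fails the check: a duplicate, a sequence number that arrived more than a window's worth of packets late, and a sequence number of zero.

```python
"""
ESP anti-replay sliding window (RFC 4303, Appendix A, bitmap form).

Added example; not code from the original post or from Cisco/Juniper.
The receiver tracks the highest sequence number accepted on the SA
("top") and a bitmap of which of the previous WINDOW_SIZE numbers it
has already seen. A packet is rejected if it is a duplicate or if it
is older than the left edge of the window.
"""

WINDOW_SIZE = 64  # assumed default; RFC 4303 requires support for at least 32


class AntiReplayWindow:
    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  =>  sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it fails the anti-replay check.
        Accepted packets update the window state; rejected ones leave it alone."""
        if seq == 0:
            return False  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            # Newer than anything seen: slide the window to the right.
            shift = seq - self.top
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False      # too old: fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return False      # duplicate: already seen inside the window
        self.bitmap |= 1 << diff
        return True


def run_trace(seqs, size=WINDOW_SIZE):
    """Feed ESP sequence numbers to one SA's window; return [(seq, accepted)]."""
    w = AntiReplayWindow(size)
    return [(s, w.check_and_update(s)) for s in seqs]


def rejected(seqs, size=WINDOW_SIZE):
    """Sequence numbers from the trace that the receiver would drop."""
    return [s for s, ok in run_trace(seqs, size) if not ok]


if __name__ == "__main__":
    # Constructed traces (not captured from the poster's tunnel).
    reordered = [1, 2, 3, 5, 4, 6]                  # mild reordering: all accepted
    duplicate = [1, 2, 3, 3]                        # 3 replayed: rejected
    starved = list(range(2, 72)) + [1]              # seq 1 delayed behind 70 others
    print("reordered  ->", rejected(reordered))    # []
    print("duplicate  ->", rejected(duplicate))    # [3]
    print("starved/64 ->", rejected(starved))      # [1]
    print("starved/1024 ->", rejected(starved, size=1024))  # []
```

Two points follow directly from the algorithm. First, the window is per inbound SA and is checked by whichever peer receives the packet, so turning anti-replay off on the NetScreen only changes what the NetScreen accepts; the PIX still runs its own check on what it receives. Second, the `starved` trace shows that no attacker is needed to hit the check: if packets of one flow are held back (queued, shaped, or sent over a slower path) while more than a window's worth of other packets on the same SA get through, the late packets land left of the window edge and are dropped, exactly the kind of one-network-fails-while-others-work symptom described above. A larger window, where an implementation lets you configure one, accepts the same trace.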

1 Reply

bapatsubodh
Level 1

hi,

We faced a similar (not exactly the same as yours) problem with a site-to-site VPN over the internet.

Please try the following:

1. Decide on a lifetime and use keepalives on the tunnel.

2. Check whether the cache of a device is creating any problem. When the problem arises, clear the caches of all devices (switches, routers, firewalls). This can help send the traffic to the correct device, in case it is going to a device where no next hop has been decided.

It worked for us and may even work for you!! No exact reason for this.

Hope this helps.

Rate if possible.

Subodh