Help with a VPN tunnel between ASA 5510 and Juniper SSG20

Answered Question
Jul 4th, 2010

Hi,

We have a client who wants to set up a site-to-site VPN tunnel between a newly purchased ASA 5510 located in his branch office and his Juniper SSG20 located in the main office. We contacted HP and they sent us a Cisco professional to do the job.

After 2 days, from 4 PM to 10 PM, of trial and error and countless hours of online search and numerous calls, we are still unable to get the traffic from the branch network to go into the tunnel.


                      Branch                                 Main
                      1.1.1.2                                1.1.1.1
                      -----                                  ---------
  192.168.8.0/24      |ASA|----------------------------------|Juniper|   192.168.1.0/24
                      -----                                  ---------
                      192.168.8.254                          192.168.1.254

According to the Cisco professional, the tunnel is now up; however, no traffic is going through. We are unable to ping anything on the other side's network (192.168.1.0/24). We are getting ping timeouts all the time. The Cisco professional has told us that this is either a routing or NAT problem and that he is working on a solution!

Through searching, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] that states ".....that both sides of the VPN should have a different LAN class for the VPN to work...." Could that be our problem?

This has become a critical problem, to the point that we had to replace the Cisco ASA with a temporary Juniper SSG5 on a different subnet (192.168.7.0/24) to get the tunnel up and traffic through until the ASA VPN issue is solved, and I do not need to say that the client is killing us!

Help is much appreciated.

Thank you

Jennifer Halim Mon, 07/05/2010 - 02:08

Based on the diagram provided, both LANs are in different subnets (i.e. ASA on 192.168.8.0/24 and Juniper on 192.168.1.0/24), so as far as unique LANs are concerned, there is no problem.

Where is the tunnel failing at the moment?

Is phase 1 up? Are you getting MM_ACTIVE when doing "show cry isa sa" on the ASA?

If phase 1 is up, what is the output of phase 2? Please share the output of "show cry ipsec sa" after you have tried to ping from the ASA LAN towards the Juniper LAN or vice versa.

Further to that, if you try a ping test, please also make sure that "inspect icmp" is configured under the global_policy policy-map.

Please feel free to post the ASA config.
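The two checks asked for above (phase 1 state from "show cry isa sa", phase 2 SA counters from "show cry ipsec sa") can be triaged mechanically. The following is an added example, not code from this thread or from Cisco: the sample outputs are constructed to mimic the ASA output format and reuse the thread's subnets and (truncated, here invented as 94.0.0.2 and 83.0.0.1) peer addresses. It classifies the common states a practitioner meets: no IKE SA at all, phase 1 stuck, phase 2 missing, or an SA that only encrypts (encaps > 0, decaps = 0), which is what a routing, NAT or ESP-filtering problem on the far side looks like.

```python
"""Triage an ASA L2L VPN from 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not from the thread. The sample outputs are constructed to
mimic the ASA format; addresses 94.0.0.2 (ASA) and 83.0.0.1 (Juniper) are
assumptions standing in for the masked ones in the thread."""
import re

# Constructed sample: phase 1 is MM_ACTIVE, phase 2 SA exists but only
# encrypts (one-way traffic), the classic symptom when the peer's replies
# never come back (remote routing/NAT, ESP filtered upstream, proxy-ID).
ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 83.0.0.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

IPSEC_SA = """\
interface: Public
    Crypto map tag: MYMAP, seq num: 10, local addr: 94.0.0.2

      access-list MYLIST extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 83.0.0.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def phase1_state(text):
    """Return {peer: IKE state} (e.g. MM_ACTIVE); {} when there are no ISAKMP SAs."""
    states, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
    return states


def phase2_counters(text):
    """Return one dict per IPsec SA: local/remote proxy IDs, peer, encaps, decaps."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = re.search(r"local ident.*:\s*\((\S+?)/(\S+?)/", line)
        if m:
            cur = {"local": m.group(1) + "/" + m.group(2)}
        m = re.search(r"remote ident.*:\s*\((\S+?)/(\S+?)/", line)
        if m:
            cur["remote"] = m.group(1) + "/" + m.group(2)
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            cur["peer"] = m.group(1)
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m:
            cur["decaps"] = int(m.group(1))
            sas.append(cur)          # decaps line closes one SA block
            cur = {}
    return sas


def triage(isakmp_text, ipsec_text):
    """Map the two outputs to the next thing to check."""
    p1 = phase1_state(isakmp_text)
    if not p1:
        return "no-ike-sa"          # nothing triggered the tunnel, or UDP/500 never answered
    if any(s != "MM_ACTIVE" for s in p1.values()):
        return "phase1-incomplete"  # MM_WAIT_MSGx: policy/PSK mismatch or UDP/500 blocked one way
    sas = phase2_counters(ipsec_text)
    if not sas:
        return "no-ipsec-sa"        # phase 2 not negotiated: proxy-ID/transform mismatch or no interesting traffic
    for sa in sas:
        if sa["encaps"] > 0 and sa["decaps"] == 0:
            return "encrypt-only"   # we send, nothing returns: far-side routing/NAT, ESP (proto 50) filtered
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            return "decrypt-only"   # replies arrive, we never send: local routing/NAT exemption, inspect icmp
    return "bidirectional"


if __name__ == "__main__":
    print(triage(ISAKMP_SA, IPSEC_SA))
```

The verdict strings are deliberately coarse; the point is that "no ipsec sas" and "encaps without decaps" call for different next steps, and the counters answer that in one look.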

tinman_dubai Mon, 07/05/2010 - 04:15

Hi halijenn,

Thank you for your reply. I have tested the commands you provided and here are the results:

xxxxxx# show cry ipsec sa

There are no ipsec sas
xxxxxx# show cry isa sa

There are no isakmp sas
xxxxxx#

The Cisco professional sent us an email this morning saying:

The tunnel was up and running and there was encrypted and decrypted traffic in the tunnel finally; however, after the reboot, and because the internal interface (Private) seems disconnected from the inside network, the tunnel is down as there is no "interesting traffic" to pass through.

At the moment the Cisco ASA 5510 internal interface (Private) is not connected to anything, but I would expect the tunnel between the two firewalls ASA--Juniper to be up regardless; am I correct? Because from the results above, I see no VPN tunnels. If I am not correct, then I will try again to connect a laptop to the Cisco ASA 5510 internal interface (Private) and try to ping the servers located behind the Juniper side of the VPN tunnel.

The ASA configuration which the Cisco professional did is as follows:

: Saved
: Written by enable_15 at 09:33:47.141 UTC Sun Jul 4 2010
!
ASA Version 7.0(8)
!
hostname xxxxxx
domain-name xxxxxxxxxxxx.xxx
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Public
security-level 0
ip address 94.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif Private
security-level 5
ip address 192.168.8.250 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
management-only
!
ftp mode passive
object-group network inside-network
access-list Private_access_in extended permit ip any any
access-list Private_access_in extended permit icmp any any
access-list Private_access_out extended permit ip any any
access-list Private_access_out extended permit icmp any any
access-list Public_access_in extended permit ip any any
access-list Public_access_in extended permit icmp any any
access-list Public_access_out extended permit ip interface Public any
access-list Public_access_out extended permit icmp interface Public any
access-list MYLIST extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Public 1500
mtu Private 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat (Private) 0 access-list NONAT
access-group Private_access_in in interface Public
access-group Private_access_in out interface Public
access-group Private_access_in in interface Private
access-group Private_access_in out interface Private
route Public 192.168.1.0 255.255.255.0 83.xxx.xxx.xxx 1
route Public 0.0.0.0 0.0.0.0 94.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username test password xxxxxxxxxxxxxxxx encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MYMAP 10 match address MYLIST
crypto map MYMAP 10 set peer 83.xxx.xxx.xxx
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set security-association lifetime kilobytes 4608000
crypto map MYMAP interface Public
isakmp identity address
isakmp enable Public
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 83.xxx.xxx.xxx type ipsec-l2l
tunnel-group 83.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 Public
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Public
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b2f06f5261a80dad3fb4a5f93fa5e739

Your help is much appreciated.
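The points the replies in this thread turn on (crypto ACL and NAT exemption covering the same subnets, the crypto map bound to the peer-facing interface with a route for the remote LAN out of it, "inspect icmp" and "management-access" present so pings can be tested) can be checked statically against a saved config. The following is an added example, not from this thread or from Cisco. SAMPLE_CONFIG is a constructed, abbreviated version of the config posted above, with the masked addresses replaced by assumed ones (83.0.0.1 for the Juniper, 94.0.0.1 for the default gateway). Run against it, the linter flags the missing "inspect icmp" and "management-access" and, as a caveat, that the "permit ip any any" ACL is applied inbound on the security-level 0 interface; the latter is an exposure check, not something the thread discusses.

```python
"""Static checks on an ASA site-to-site IPsec config (ASA 7.x style).

Added example, not from the thread or Cisco. SAMPLE_CONFIG is a
constructed, abbreviated copy of the posted config; 83.0.0.1 and
94.0.0.1 are assumptions standing in for the masked addresses."""
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Public
 security-level 0
interface Ethernet0/1
 nameif Private
 security-level 5
access-list Private_access_in extended permit ip any any
access-list MYLIST extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Private) 0 access-list NONAT
access-group Private_access_in in interface Public
route Public 192.168.1.0 255.255.255.0 83.0.0.1 1
route Public 0.0.0.0 0.0.0.0 94.0.0.1 1
crypto map MYMAP 10 match address MYLIST
crypto map MYMAP 10 set peer 83.0.0.1
crypto map MYMAP interface Public
isakmp enable Public
tunnel-group 83.0.0.1 type ipsec-l2l
policy-map global_policy
 class inspection_default
  inspect ftp
"""


def acl_entries(cfg, name):
    """Set of (src, smask, dst, dmask) for the 'permit ip' lines of an ACL."""
    pat = re.compile(r"access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)" % re.escape(name))
    return {m.groups() for m in pat.finditer(cfg)}


def lint_l2l(cfg):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    # 1. Crypto map: which ACL defines interesting traffic, which peer, which interface.
    m = re.search(r"crypto map (\S+) (\d+) match address (\S+)", cfg)
    if not m:
        return ["no crypto map with 'match address'"]
    cmap, seq, crypto_acl = m.groups()
    peer = re.search(r"crypto map %s %s set peer (\S+)" % (cmap, seq), cfg)
    iface = re.search(r"crypto map %s interface (\S+)" % cmap, cfg)
    if not peer or not iface:
        return findings + ["crypto map %s lacks a peer or is not bound to an interface" % cmap]
    peer, iface = peer.group(1), iface.group(1)
    if not re.search(r"isakmp enable %s\b" % iface, cfg):
        findings.append("isakmp not enabled on %s" % iface)
    if not re.search(r"tunnel-group %s type ipsec-l2l" % re.escape(peer), cfg):
        findings.append("no ipsec-l2l tunnel-group for peer %s" % peer)
    # 2. NAT exemption must cover exactly the interesting traffic, or it gets NATed before encryption.
    interesting = acl_entries(cfg, crypto_acl)
    nat = re.search(r"nat \((\S+)\) 0 access-list (\S+)", cfg)
    if not nat:
        findings.append("no 'nat (x) 0 access-list' NAT exemption; VPN traffic would be NATed")
    elif acl_entries(cfg, nat.group(2)) != interesting:
        findings.append("NAT exemption ACL %s does not match crypto ACL %s" % (nat.group(2), crypto_acl))
    # 3. The remote LAN must route out the interface the crypto map is bound to.
    for (_, _, dst, dmask) in interesting:
        specific = re.search(r"route %s %s %s " % (iface, re.escape(dst), re.escape(dmask)), cfg)
        default = re.search(r"route %s 0\.0\.0\.0 0\.0\.0\.0 " % iface, cfg)
        if not specific and not default:
            findings.append("no route for %s/%s via %s" % (dst, dmask, iface))
    # 4. Operational helpers the answers in the thread ask for.
    if not re.search(r"^\s*inspect icmp\s*$", cfg, re.M):
        findings.append("inspect icmp missing from global_policy; ping replies will be dropped")
    if not re.search(r"^management-access ", cfg, re.M):
        findings.append("management-access not set; cannot source ping from the inside interface")
    # 5. Exposure caveat: an 'any any' ACL applied inbound on a security-level 0 interface.
    for m in re.finditer(r"access-group (\S+) in interface (\S+)", cfg):
        acl, ifc = m.groups()
        outside = re.search(r"nameif %s\n\s*security-level 0\b" % ifc, cfg)
        if outside and re.search(r"access-list %s extended permit ip any any" % acl, cfg):
            findings.append("ACL %s permits ip any any inbound on outside interface %s" % (acl, ifc))
    return findings


if __name__ == "__main__":
    for f in lint_l2l(SAMPLE_CONFIG):
        print("-", f)
```

The checks are string matches on the saved config, so they only see what is configured, not what the peer negotiates; they are a pre-flight, not a replacement for the show commands.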

Jennifer Halim Mon, 07/05/2010 - 04:24

The Cisco Professional is absolutely correct. The VPN tunnel will only be up if there is interesting traffic being triggered/sent across the tunnel. If the inside interface is disconnected, that will not trigger any interesting traffic, hence it will not establish the VPN tunnel.

If the Cisco Professional is seeing traffic being encrypted and decrypted through "show cry ipsec sa", that means the tunnel is up and running, and the reason why ping does not work is because ICMP inspection has not been enabled.

Here is how to enable ICMP inspection as per your config:

policy-map global_policy
 class inspection_default
  inspect icmp

I have also looked through the configuration, and they look correct.

tinman_dubai Mon, 07/05/2010 - 05:34

Hi halijenn,

Thank you again for your prompt response.

Regarding your reply, I was under the impression that this would be a persistent tunnel. Can you please clarify my questions below?

1. Isn't a ping packet from the ASA to the Juniper considered "interesting traffic"? Or is the whole thing dependent upon the status of the Private interface of the ASA?

2. Is there a way through which we can keep the tunnel up all the time?

I am going there tomorrow and will connect my laptop to the ASA private interface and test pinging the other side.

Thank you

Correct Answer
Jennifer Halim Mon, 07/05/2010 - 05:47

1. Yes, ping packet from the ASA private interface is considered interesting traffic towards the Juniper LAN.

From the ASA, you would need to source the traffic from the private interface of the ASA, because the interesting traffic determined by crypto ACL MYLIST is between 192.168.8.0/24 and 192.168.1.0/24.

You would also need to add the following configuration to be able to source the ping from the ASA private interface:

management-access Private

To initiate ping from ASA private interface:

ping Private 192.168.1.254

2. The default timeout before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. Once there is interesting traffic, the VPN tunnel will be automatically built until the next rekey. However, if there is traffic prior to the rekey, a new SA for the tunnel will get established, and the VPN tunnel will continue to stay up and will continue to encrypt and decrypt traffic.

Currently, your configuration has been set with an SA lifetime of 3600 seconds or 4608000 kilobytes of traffic before the next rekey (it will be either 3600 seconds or 4608000 kilobytes, whichever expires first). You can definitely change it back to the default of 28800 seconds without the kilobytes configuration. The SA lifetime is negotiated between the ASA and the Juniper, and whichever is the lowest value will be the one used.

Hope that helps.

tinman_dubai Wed, 09/22/2010 - 23:47

I just want to add something that is Juniper-related for anyone who wants to get a Cisco-Juniper tunnel up. On the Juniper firewall, disable the VPN tunnel monitoring for that tunnel; otherwise you will spend countless hours trying to figure out what is wrong.

Andrew Ward Thu, 09/23/2010 - 04:04

Hi, I may be off the mark here, but is there any firewalling between the Cisco and Juniper VPN devices? Just a thought: if UDP 500 was allowed you would see tunnel negotiation, but if IP protocol 50 was blocked you wouldn't be able to send any traffic. This is a quick post, so apologies if I have not understood the scenario in full.

Regards, Andy.
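The distinction in the post above (IKE on UDP/500 negotiating fine while ESP, IP protocol 50, is dropped somewhere on the path) shows up directly in a packet capture taken near either peer. The following is an added example, not from this thread: it sorts tcpdump-style summary lines into IKE, NAT-T (UDP/4500) and ESP per direction and reports whether ESP is flowing both ways. The capture lines are constructed to resemble "tcpdump -n" output and use assumed peer addresses (94.0.0.2 for the ASA, 83.0.0.1 for the Juniper) in place of the masked ones; they show the pattern Andy describes, with both IKE phases completing but ESP seen in one direction only.

```python
"""Classify a tcpdump-style capture summary into IKE / NAT-T / ESP per direction.

Added example, not from the thread. CAPTURE is constructed to resemble
'tcpdump -n' output; 94.0.0.2 (ASA) and 83.0.0.1 (Juniper) are assumed
addresses standing in for the masked ones in the thread."""
import re
from collections import Counter

ASA = "94.0.0.2"
JUNIPER = "83.0.0.1"

# Constructed sample: IKE main mode and quick mode complete in both
# directions, but ESP is only ever seen leaving the ASA.
CAPTURE = """\
10:01:01.000 IP 94.0.0.2.500 > 83.0.0.1.500: isakmp: phase 1 I ident
10:01:01.010 IP 83.0.0.1.500 > 94.0.0.2.500: isakmp: phase 1 R ident
10:01:01.200 IP 94.0.0.2.500 > 83.0.0.1.500: isakmp: phase 2/others I oakley-quick[E]
10:01:01.210 IP 83.0.0.1.500 > 94.0.0.2.500: isakmp: phase 2/others R oakley-quick[E]
10:01:02.000 IP 94.0.0.2 > 83.0.0.1: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
10:01:03.000 IP 94.0.0.2 > 83.0.0.1: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
"""

# 'IP src[.port] > dst[.port]: proto...' ; ESP lines carry no port.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (\S+)")


def classify(line):
    """Return (src, dst, kind) with kind in {'ike', 'nat-t', 'esp', 'other'}, or None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    if proto.startswith("ESP"):
        kind = "esp"                       # IP protocol 50
    elif sport == "500" and dport == "500":
        kind = "ike"                       # ISAKMP, UDP/500
    elif sport == "4500" and dport == "4500":
        kind = "nat-t"                     # UDP-encapsulated ESP/IKE behind NAT
    else:
        kind = "other"
    return src, dst, kind


def direction_counts(capture, a, b):
    """Counter keyed by (kind, 'a->b' | 'b->a') for packets between peers a and b."""
    c = Counter()
    for line in capture.splitlines():
        r = classify(line)
        if not r:
            continue
        src, dst, kind = r
        if (src, dst) == (a, b):
            c[(kind, "a->b")] += 1
        elif (src, dst) == (b, a):
            c[(kind, "b->a")] += 1
    return c


def verdict(capture, a, b):
    """Say whether IKE and ESP are both flowing in both directions."""
    c = direction_counts(capture, a, b)
    ike_both = c[("ike", "a->b")] and c[("ike", "b->a")]
    esp_ab, esp_ba = c[("esp", "a->b")], c[("esp", "b->a")]
    if not ike_both:
        return "ike-one-way-or-absent"   # UDP/500 blocked or never attempted
    if esp_ab and not esp_ba:
        return "esp-not-returned"        # negotiated, but no ESP back: proto 50 dropped, or far side not sending
    if not esp_ab and not esp_ba:
        return "no-esp"                  # IKE fine, no ESP at all: proto 50 filtered or no interesting traffic
    return "esp-bidirectional"


if __name__ == "__main__":
    print(verdict(CAPTURE, ASA, JUNIPER))
```

Run it on a capture from each side of the suspected filter: ESP present on one side and absent on the other localises the drop to the device in between.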

This Discussion

Posted July 4, 2010 at 10:50 PM
Updated July 4, 2010 at 10:51 PM