We have a client who wants to set up a Site-to-Site VPN tunnel between a newly purchased ASA 5510 located in his branch office and his Juniper SSG20 located in the main office. We contacted HP and they sent us a Cisco professional to do the job.
After 2 days from 4 PM to 10 PM of trial and error, countless hours of online search and numerous calls, we are still unable to get the traffic from the branch network to go into the tunnel.
192.168.8.0/24 |ASA|-----------------------------------|Juniper| 192.168.1.0/24
According to the Cisco professional, the tunnel is now up however no traffic is going through. We are unable to ping anything on the other side's network (192.168.1.0/24). We are getting ping timeout all the time. The Cisco professional has told us that this is either a routing or NAT problem and that he is working on a solution!
Through searching, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] that states ".....that both sides of the VPN should have a different LAN class for the VPN to work...." Could that be our problem?
This has become a critical problem, to the point that we had to replace the Cisco ASA with a temporary Juniper SSG5 on a different subnet (192.168.7.0/24) to get the tunnel up and traffic through until the ASA VPN issue is solved, and I do not need to say that the client is killing us!
Help is much appreciated.
1. Yes, a ping packet from the ASA private interface is considered interesting traffic towards the Juniper LAN.
From the ASA, you would need to source the traffic from the private interface of the ASA because the interesting traffic determined by crypto ACL MYLIST is between 192.168.8.0/24 and 192.168.1.0/24.
You would also need to add the following configuration to be able to source the ping from the ASA private interface:
To initiate ping from ASA private interface:
ping Private 192.168.1.254
2. The default timeout before the next rekey is normally 28800 seconds, and if there is no interesting traffic flowing between the 2 subnets, it will tear the VPN tunnel down. Once there is interesting traffic, the VPN tunnel will automatically be built until the next rekey. However, if there is traffic prior to the rekey, the tunnel's new SA will get established, and the VPN tunnel will continue to stay up and will continue to encrypt and decrypt traffic.
Currently, your configuration has been set with an SA lifetime of 3600 seconds or 4608000 kilobytes of traffic before the next rekey (it will be either 3600 seconds or 4608000 kilobytes, whichever expires first). You can definitely change it back to the default of 28800 seconds without the kilobytes configuration. The SA lifetime is negotiated between the ASA and the Juniper, and whichever value is lower will be the one used.
Hope that helps.
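For reference, here is an added ASA-side configuration skeleton that puts the points above (crypto ACL MYLIST as interesting traffic, NAT exemption for the tunnel subnets, the SA lifetime, and sourcing the ping from the Private interface) next to each other. It is an example written for this thread, not the poster's or the consultant's actual config. It assumes ASA 8.2-era syntax (pre-8.3 NAT); the interface name Private, the ACL name MYLIST, the two subnets, 192.168.1.254 and the lifetime values are taken from the thread, while the outside interface name, the peer address, the crypto map and tunnel-group names, the next-hop and the pre-shared key are placeholders.

```cisco
! Added example for this thread, not the poster's running config.
! Assumes ASA 8.2-style NAT; placeholders: outside, 198.51.100.1 (Juniper),
! 203.0.113.1 (next hop), OUTSIDE_MAP, NONAT, pre-shared key.

! 1. Interesting traffic: what the crypto map encrypts. This must mirror the
!    proxy-IDs configured on the Juniper side, or Phase 2 will not match.
access-list MYLIST extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0

! 2. NAT exemption. The classic "tunnel is up but nothing passes" cause:
!    without it, 192.168.8.x is PAT'ed to the outside address before the
!    crypto check, no longer matches MYLIST, and leaves in the clear.
access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Private) 0 access-list NONAT
! Normal PAT for Internet-bound traffic stays in place.
global (outside) 1 interface
nat (Private) 1 0.0.0.0 0.0.0.0
! On 8.3+ the equivalent exemption is a twice NAT rule, e.g.
!   nat (Private,outside) source static LAN8 LAN8 destination static LAN1 LAN1

! 3. Routing: the remote LAN must be routed out the interface the crypto map
!    is bound to; a default route via the ISP is enough.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! 4. Phase 1 / Phase 2. Lifetime: the thread's config had 3600 s / 4608000 KB;
!    per the answer, the default 28800 s with no KB limit is fine. Both peers
!    negotiate and the lower value wins.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 match address MYLIST
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key ********

! 5. Checks from the ASA CLI.
!    Source the ping from Private so it falls inside MYLIST:
!      ping Private 192.168.1.254
!    Walk a LAN host's packet through NAT and crypto to see which phase drops it
!    (a NAT translation instead of a VPN phase means the exemption is missing):
!      packet-tracer input Private icmp 192.168.8.10 8 0 192.168.1.254 detailed
!    Counters: #pkts encaps stuck at 0 = traffic never enters the tunnel
!    (NAT/ACL/route on the ASA); encaps rising but decaps 0 = look at the Juniper.
!      show crypto ipsec sa
```

The packet-tracer output is the quickest way to settle the "routing or NAT" question from the original post: if the packet hits a PAT translation before reaching the VPN phase, the NAT exemption is the problem; if it is dropped at the route lookup, the remote subnet is not being routed toward the crypto-mapped interface.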