VPN between 6500 Sup720 with SPA accelerated card and NetScreen.

Unanswered Question
Aug 25th, 2010

I have at least 20 other VPNs to Cisco Router IOS and ASA, with similar configuration.

But this connection from my side fails. When I initiate the connection, "debug crypto" shows:

peer does not accept paranoid keepalive

and it deletes the connection after Phase 1.

When the NetScreen initiates the connection, it gets to Phase 2 and QM_IDLE.

I am working with the other end to get a debug when he tries to connect.

When I have seen this in the past, I just added "crypto isakmp keepalive 30".

The NetScreen setup is:

External interface:
VPN Peer:
Encryption: 3DES
Hash: MD5
Group: 2
Remote Server / Internal server:
Preshared Key: XXXX

The Cisco configuration (6500 Sup720 with SPA-IPSEC-2G, IOS 12.2(18)SXF17a) is:

crypto isakmp key XXXX address
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
!
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer
 set transform-set 3des
 match address CryptoMap_NetScreen
!
ip access-list extended CryptoMap_NetScreen
 permit ip host host
 permit udp host eq isakmp

Yudong Wu Wed, 08/25/2010 - 13:34

You might need to remove "Permit udp host eq isakmp" from CAT6500 side.

Please provide the debug output if you would like us to troubleshoot it.

geraldjacksontx Thu, 08/26/2010 - 11:16

I found the problem, on my side anyway.

You need to set "pfs group2" if you are using group 2 DH.
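As an added example (not part of the original thread and not the poster's running configuration), here is the Phase 2 crypto map from the question beside the same entry with the fix from the final reply, plus the crypto ACL change suggested in the first reply. The peer and host addresses are assumed placeholders from the RFC 5737 documentation ranges; the original post omits them, and the IOS version, transform set and ACL names are taken from the question.

```cisco
! --- As posted: no PFS. Quick Mode then carries no DH group, so a peer that
! --- insists on PFS with Group 2 (the NetScreen "Group 2" setting) rejects it.
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 203.0.113.1
 set transform-set 3des
 match address CryptoMap_NetScreen

! --- Corrected: PFS with DH group 2 on the IOS side, matching the NetScreen.
! --- The PFS group must be identical on both ends or Phase 2 never completes.
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 203.0.113.1
 set pfs group2
 set transform-set 3des
 match address CryptoMap_NetScreen

! --- Crypto ACL: only the protected host-to-host traffic belongs here.
! --- The "permit udp ... eq isakmp" line from the question is dropped, as the
! --- first reply suggests; IKE itself must not be selected for encryption.
! --- 198.51.100.10 and 192.0.2.10 are assumed placeholder addresses.
ip access-list extended CryptoMap_NetScreen
 permit ip host 198.51.100.10 host 192.0.2.10

! --- Optional: the keepalive the poster uses on other tunnels (dead peer detection).
crypto isakmp keepalive 30

! --- Checks after bringing the tunnel up:
!   show crypto isakmp sa                   (Phase 1 state should read QM_IDLE)
!   show crypto ipsec sa peer 203.0.113.1   (look for "PFS (Y/N): Y, DH group: group2")
```

The two crypto map blocks are alternatives, not a sequence: applying the second over the first simply adds the "set pfs group2" line, since IOS merges re-entered crypto map statements. If the NetScreen's Phase 2 proposal were changed instead to no PFS, the "set pfs" line would have to be removed again; whichever side is changed, the Phase 2 DH group setting has to agree on both.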

