VPN between 6500 Sup720 with SPA accelerated card and NetScreen.

Aug 25th, 2010

I have at least 20 other VPNs to Cisco Router IOS and ASA, with similar configuration.

But this connection from my side gets:

When I initiate the connection, the debug crypto output is:

peer does not accept paranoid keepalive.

It deletes the connection after Phase 1.

When the NetScreen initiates the connection, it gets to:

Phase 2 and QM_IDLE.

I am working with the other end to try to get a debug when he tries to connect.

When I have seen this in the past, I just added crypto isakmp keepalive 30.

The NetScreen setup is:

  External interface
  VPN Peer
  Encryption 3DES
  Hash MD5
  Group 2
  Remote Server Internal server
  Preshared Key XXXX

Cisco configuration is 6500 Sup720 with SPA-IPSEC-2G, ver 12.2(18)SXF17a (peer addresses omitted in the post):

  crypto isakmp key XXXX address
  crypto ipsec transform-set 3des esp-3des esp-md5-hmac
   mode transport
  crypto isakmp policy 10
   encryption 3des
   hash md5
   authentication pre-share
  crypto map IPSecTunnel 80 ipsec-isakmp
   description VPN_NetScreen
   set peer
   set transform-set 3des
   match address CryptoMap_NetScreen
  ip access-list extended CryptoMap_NetScreen
   permit ip host host
   permit udp host eq isakmp

Yudong Wu Wed, 08/25/2010 - 13:34

You might need to remove "Permit udp host eq isakmp" from CAT6500 side.

Please provide the debug output if you would like us to troubleshoot it.

geraldjacksontx Thu, 08/26/2010 - 11:16

I found the problem with my side anyway.

You need to set "set pfs group2" if you are using group 2 DH.

geraldjacksontx Thu, 08/26/2010 - 11:17

At least with NetScreen; I have customers with ASAs where it works without it.
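The thread ends on a Phase 2 mismatch: the NetScreen proposes PFS with DH group 2 while the 6500 crypto map entry in the question has no "set pfs group2". The following is an added example, not code from the original thread or from Cisco, showing the kind of configuration audit a defender can run before opening a ticket with the far end: it parses IOS-style crypto configuration text, resolves the transform-set referenced by a crypto map entry, and compares encryption, hash and PFS against the peer's Phase 2 settings. The sample configuration is constructed to mirror the one posted in the question (peer address 192.0.2.1 is a placeholder, since the post elides it), and the NetScreen Phase 2 dictionary is likewise a constructed assumption.

```python
"""Added example (not part of the original thread): audit an IOS crypto map
entry's Phase 2 settings against a peer's proposal and report mismatches."""
import re

# Constructed sample, modelled on the configuration posted in the question.
# The peer address is a placeholder; the original post elides it.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 192.0.2.1
 set transform-set 3des
 match address CryptoMap_NetScreen
"""

# Peer's Phase 2 proposal as shown in the NetScreen GUI (constructed assumption).
NETSCREEN_P2 = {"encryption": "3des", "hash": "md5", "pfs": "group2"}

# Map IOS transform keywords onto the names the peer side uses.
TRANSFORM_ENC = {"esp-3des": "3des", "esp-aes": "aes", "esp-des": "des", "esp-null": "null"}
TRANSFORM_HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}


def parse_config(text):
    """Return (transform_sets, crypto_maps) found in IOS-style config text.

    crypto_maps is keyed by (map name, sequence number); sub-commands are
    recognised by their one-space indentation, as in running-config output.
    """
    transform_sets = {}
    crypto_maps = {}
    current = None  # ("ts", name) or ("map", (name, seq)) for the open block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            if m:
                current = ("ts", m.group(1))
                transform_sets[m.group(1)] = {"transforms": m.group(2).split()}
                continue
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
            if m:
                current = ("map", (m.group(1), int(m.group(2))))
                crypto_maps[current[1]] = {"pfs": None, "transform_set": None, "peer": None}
                continue
            current = None  # some other top-level command; ignore its sub-commands
            continue
        if current is None or current[0] != "map":
            continue
        entry = crypto_maps[current[1]]
        words = line.split()
        if words[:2] == ["set", "pfs"]:
            entry["pfs"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            entry["transform_set"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peer"] = words[2]
    return transform_sets, crypto_maps


def audit_phase2(config_text, map_name, seq, peer_p2):
    """List Phase 2 mismatches between one crypto map entry and the peer's proposal."""
    transform_sets, crypto_maps = parse_config(config_text)
    entry = crypto_maps[(map_name, seq)]
    ts = transform_sets.get(entry["transform_set"], {"transforms": []})
    enc = next((TRANSFORM_ENC[t] for t in ts["transforms"] if t in TRANSFORM_ENC), None)
    hsh = next((TRANSFORM_HASH[t] for t in ts["transforms"] if t in TRANSFORM_HASH), None)
    findings = []
    if enc != peer_p2["encryption"]:
        findings.append(f"encryption mismatch: local {enc}, peer {peer_p2['encryption']}")
    if hsh != peer_p2["hash"]:
        findings.append(f"hash mismatch: local {hsh}, peer {peer_p2['hash']}")
    # A peer that requires PFS will reject a Quick Mode proposal without it.
    if entry["pfs"] != peer_p2.get("pfs"):
        findings.append(f"pfs mismatch: local {entry['pfs']}, peer {peer_p2.get('pfs')}")
    return findings


if __name__ == "__main__":
    for finding in audit_phase2(SAMPLE_CONFIG, "IPSecTunnel", 80, NETSCREEN_P2):
        print(finding)
    fixed = SAMPLE_CONFIG.replace(" set transform-set 3des\n",
                                  " set transform-set 3des\n set pfs group2\n")
    print("after adding 'set pfs group2':",
          audit_phase2(fixed, "IPSecTunnel", 80, NETSCREEN_P2))
```

Run against the sample, the audit reports only the PFS mismatch; adding "set pfs group2" to the crypto map entry, as the last reply describes, clears it. The same parser can be pointed at a saved "show running-config" excerpt to check the other crypto map entries on the box.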

