08-25-2010 08:14 AM
I have at least 20 other VPNs to Cisco IOS routers and ASAs with similar configuration, but this connection from my side gets the following.
When I initiate the connection, debug crypto shows:
peer does not accept paranoid keepalive.
It deletes the connection after Phase 1.
When the NetScreen initiates the connection, it gets to Phase 2 and QM_IDLE.
I am working with the other end to try to get a debug when he tries to connect.
When I have seen this in the past, I just added crypto isakmp keepalive 30.
The NetScreen setup is:
External interface 3.3.3.14
VPN Peer 4.4.4.34
ESP-3DES-MD5
Encryption 3DES
Hash MD5
Group 2
2.2.2.145 Remote Server
3.3.3.184 Internal server
Preshared Key XXXX
Cisco configuration is a 6500 Sup720 with SPA-IPSEC-2G, version 12.2(18)SXF17a:
crypto isakmp key XXXX address 3.3.3.14
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
Permit udp host 4.4.4.34 eq isakmp 3.3.3.14
08-25-2010 01:34 PM
You might need to remove "Permit udp host 4.4.4.34 eq isakmp 3.3.3.14" from CAT6500 side.
Please provide the debug output if you would like us to troubleshoot it.
08-26-2010 11:16 AM
I found the problem with my side anyway.
You need to set pfs group2 if you are using Group 2 DH.
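A Phase 2 proposal comparison for the mismatch described in this thread (added example, not code from the thread or from Cisco/Juniper). It assumes the NetScreen side is described by a predefined proposal name of the form nopfs|g1|g2|g5-esp-enc-hash and the Cisco side by the posted crypto map, with the PFS line missing and then added:

```python
"""Compare IPsec Phase 2 (Quick Mode) parameters between a NetScreen peer and a Cisco IOS crypto map.

Constructed example: the NetScreen proposal name and the IOS snippet are assumptions modelled on the
thread (Group 2 PFS, ESP 3DES/MD5 on the NetScreen; no 'set pfs' on the Cisco crypto map).
"""
import re

NETSCREEN_PROPOSAL = "g2-esp-3des-md5"  # constructed: PFS Group 2, 3DES, MD5

# Constructed: the crypto map as posted, before 'set pfs group2' was added
CISCO_CONFIG = """
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
"""

def parse_netscreen(name):
    """Split a NetScreen predefined proposal name into PFS group, cipher and hash."""
    pfs, _esp, enc, hsh = name.lower().split("-", 3)
    return {"pfs": None if pfs == "nopfs" else pfs[1:], "enc": enc, "hash": hsh}

def parse_cisco(config):
    """Resolve the crypto map's transform-set and optional 'set pfs' into the same keys."""
    transform_sets = {}  # name -> (cipher, hash)
    for m in re.finditer(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", config):
        transform_sets[m.group(1)] = (m.group(2), m.group(3))
    entry = {"pfs": None, "enc": None, "hash": None}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("set transform-set "):
            entry["enc"], entry["hash"] = transform_sets[line.split()[-1]]
        elif line.startswith("set pfs "):
            entry["pfs"] = line.split()[-1].replace("group", "")
    return entry

def phase2_mismatches(netscreen_name, cisco_config):
    """Return the Phase 2 parameters on which the two peers disagree (empty list = proposals match)."""
    ns, cisco = parse_netscreen(netscreen_name), parse_cisco(cisco_config)
    return [k for k in ("enc", "hash", "pfs") if ns[k] != cisco[k]]

if __name__ == "__main__":
    print("before:", phase2_mismatches(NETSCREEN_PROPOSAL, CISCO_CONFIG))
    print("after: ", phase2_mismatches(NETSCREEN_PROPOSAL, CISCO_CONFIG + " set pfs group2\n"))
```

Run as-is it reports only the PFS mismatch, and an empty list once the crypto map carries set pfs group2, which is the Quick Mode failure the thread resolves.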
08-26-2010 11:17 AM
At least with Netscreen, I have customers with ASA that it works without.