08-25-2010 08:14 AM
I have at least 20 other VPNs to Cisco IOS routers and ASAs with similar configuration, but this connection from my side gets the following. When I initiate the connection, the "debug crypto" output is:
peer does not accept paranoid keepalive
and it deletes the connection after Phase 1. When the NetScreen initiates the connection, it gets to Phase 2 and QM_IDLE. I am working with the other end to try to get a debug when he tries to connect. When I have seen this in the past, I just added "crypto isakmp keepalive 30".
The NetScreen setup is:
External interface: 3.3.3.14
VPN peer: 4.4.4.34
Proposal: ESP-3DES-MD5
Encryption: 3DES
Hash: MD5
Group: 2
Remote server: 2.2.2.145
Internal server: 3.3.3.184
Preshared key: XXXX
The Cisco side is a 6500 Sup720 with SPA-IPSEC-2G, IOS 12.2(18)SXF17a:
crypto isakmp key XXXX address 3.3.3.14
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
! No "group" line: the ISAKMP policy defaults to DH group 1.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
!
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
 ! Second entry as posted (the "host" keyword was missing before 3.3.3.14);
 ! it matches the ISAKMP exchange itself against the crypto map.
 permit udp host 4.4.4.34 eq isakmp host 3.3.3.14
08-25-2010 01:34 PM
You might need to remove "Permit udp host 4.4.4.34 eq isakmp 3.3.3.14" from CAT6500 side.
Please provide the debug output if you would like us to troubleshoot it.
08-26-2010 11:16 AM
I found the problem on my side anyway:
you need to set "pfs group2" if you are using group 2 DH.
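The fix described above, written out as an added example (this is not configuration from the original thread): the Cat6500 crypto map with "set pfs group2" added so Phase 2 offers PFS with DH group 2, the crypto ACL reduced to the protected traffic only, and the matching ScreenOS side using its predefined group-2 Phase 2 proposal. The ScreenOS command syntax, the interface name "ethernet3", and the gateway/VPN names are assumptions; the IP addresses, key placeholder, and object names are those from the thread.

```cisco
! Cat6500 side (added example). The transform-set "3des" and the ISAKMP
! policy are the ones already in the thread and are unchanged.
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 ! Phase 2 PFS with DH group 2, matching the NetScreen proposal.
 set pfs group2
 match address CryptoMap_NetScreen
!
! Only the traffic to be encrypted belongs in the crypto ACL. ISAKMP
! (udp/500) between the peers is the negotiation itself, not payload,
! so the "permit udp ... eq isakmp" entry from the original post is dropped.
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
!
! NetScreen (ScreenOS) side, assumed syntax and names. The predefined
! Phase 1 proposal "pre-g2-3des-md5" is preshared/group 2/3DES/MD5; the
! predefined Phase 2 proposal "g2-esp-3des-md5" is ESP 3DES/MD5 with
! PFS group 2, which is what "set pfs group2" on the Cisco side matches.
set ike gateway "gw-cat6500" address 4.4.4.34 main outgoing-interface "ethernet3" preshare "XXXX" proposal "pre-g2-3des-md5"
set vpn "vpn-cat6500" gateway "gw-cat6500" no-replay tunnel idletime 0 proposal "g2-esp-3des-md5"
!
! Verify on the Cat6500 once the tunnel is up:
!   show crypto ipsec sa peer 3.3.3.14
! The SA block should report "PFS (Y/N): Y, DH group: group2".
```

If the ScreenOS side is configured from the WebUI rather than the CLI, the same check applies: the Phase 2 proposal attached to the VPN object must be a "g2-" one, not a "nopfs-" one, or the Cisco side will reject the quick-mode proposal after Phase 1 completes.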
08-26-2010 11:17 AM
At least with NetScreen. I have customers with ASAs where it works without it.