
Phase-2 PFS Problem

Unanswered Question
Sep 19th, 2013

Hi All,

Faced some kind of strange problem when setting up a VPN tunnel between Cisco routers and a Juniper ISG firewall.

The problem we faced is: the VPN tunnel came up in phase-1 and phase-2, and we were able to do ICMP and telnet tests as well.

However, when users came to work they faced frequent disconnections. I mean the first webpage used to open and the next would not, or in other applications the first session used to go through but the next would not. Since I was not on the battlefield I don't know the exact logs showing the status in terms of connection.

But when I investigated, what I found is that PFS on the Cisco router was disabled, whereas on the Juniper it was enabled with Group-1.

I feel the issue could have happened due to PFS only. Can someone please help me to know if that is the reason? (Verified MSS errors but didn't see those.)


Tariq Bader Fri, 09/20/2013 - 18:17

If you have PFS enabled on one end it has to be also enabled on the other end.

This is additional security for the IPsec tunnel encryption keys using Diffie-Hellman groups; not having this setting matched on both ends will affect the traffic.
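The check behind this answer, written out as an added example (not code from the thread or from Cisco/Juniper): pull the Phase-2 PFS group out of a Cisco IOS crypto map entry and out of a ScreenOS (Juniper ISG) `set ike p2-proposal` line, and report whether they match. The configuration snippets below are constructed for the example; the peer address, map name and proposal name are placeholders.

```python
import re

# Constructed sample configs (not taken from the thread). The Cisco crypto map
# entry has no "set pfs" line, i.e. PFS is disabled on that side; the ScreenOS
# Phase-2 proposal requests PFS with DH group 2.
CISCO_CRYPTO_MAP = """
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 match address 101
"""

SCREENOS_P2_PROPOSAL = (
    'set ike p2-proposal "g2-esp-3des-sha" group2 esp 3des sha-1 second 3600'
)


def cisco_pfs_group(crypto_map_text):
    """Return the DH group from a 'set pfs groupN' line, or None when PFS is not set.

    On IOS, PFS is off unless the crypto map entry carries 'set pfs'.
    """
    m = re.search(r"^\s*set pfs group(\d+)\s*$", crypto_map_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def screenos_pfs_group(proposal_line):
    """Return the DH group from a ScreenOS p2-proposal line; 'no-pfs' means None."""
    if "no-pfs" in proposal_line:
        return None
    m = re.search(r"\bgroup(\d+)\b", proposal_line)
    return int(m.group(1)) if m else None


def pfs_mismatch(cisco_text, screenos_line):
    """Return (cisco_group, juniper_group) when the two sides disagree, else None."""
    cisco = cisco_pfs_group(cisco_text)
    juniper = screenos_pfs_group(screenos_line)
    return None if cisco == juniper else (cisco, juniper)


def suggested_cisco_line(juniper_group):
    """IOS crypto-map line that would bring the Cisco side in line with the Juniper side."""
    return "no set pfs" if juniper_group is None else f"set pfs group{juniper_group}"


if __name__ == "__main__":
    diff = pfs_mismatch(CISCO_CRYPTO_MAP, SCREENOS_P2_PROPOSAL)
    if diff is None:
        print("PFS settings match")
    else:
        print(f"PFS mismatch: Cisco={diff[0]} Juniper={diff[1]}")
        print("Suggested crypto-map fix:", suggested_cisco_line(diff[1]))
```

A mismatch here shows up on the Cisco side as Phase-2 (quick mode) proposal failures in `debug crypto ipsec`; the sample output ends with `set pfs group2`, which is the line the constructed crypto map is missing.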



yogesh.suryawanshi Fri, 09/20/2013 - 21:25

Thanks Tariq,

Understood. Later what I understood is that at the Juniper end PFS Group-2 was enabled and at the Cisco router end PFS Group-1 was enabled. Do you think in that case telnet will work and apps won't?

In the same setup with another Cisco edge router PFS Group-1 was configured, but it looks like that was overridden and applications worked perfectly. At offshore it was the same Juniper and configurations.


Tariq Bader Fri, 09/20/2013 - 23:57

This could really be because of the overhead PFS adds to the traffic.

Do you have the DF bit set or clear?

Can you disable PFS and see?

Does this happen for TCP applications only or even pings?

To be more sure please provide your configuration.

Can you

Sent from Cisco Technical Support Android App
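The DF-bit and "TCP only or pings too" questions above point at packet size rather than at the key exchange: small probes fit in the tunnel, full-size TCP segments may not. As an added example (not code from the thread or from either vendor), the block below works out the ESP tunnel-mode overhead for the common 3DES/AES-CBC with HMAC-SHA1-96 combinations, the largest inner packet that still fits a 1500-byte link, the TCP MSS that follows from it, and what happens to an oversized packet depending on the DF bit. The framing constants are RFC 4303 ESP sizes; the cipher and link values are assumptions chosen for the example.

```python
# ESP tunnel-mode framing (RFC 4303) over IPv4, CBC-mode ciphers.
CIPHER_BLOCK = {"3des": 8, "aes": 16}   # CBC block size; the IV is one block long
ICV_LEN = {"sha1": 12, "md5": 12}        # HMAC-SHA1-96 / HMAC-MD5-96 truncated ICV
OUTER_IP = 20                            # new outer IPv4 header added in tunnel mode
SPI_SEQ = 8                              # SPI (4) + sequence number (4)
TRAILER = 2                              # pad length (1) + next header (1)
TCP_IP_HDRS = 40                         # inner IPv4 (20) + TCP (20), no options


def esp_tunnel_size(inner_len, cipher="3des", integrity="sha1"):
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    block = CIPHER_BLOCK[cipher]
    # inner packet + trailer is padded up to a whole number of cipher blocks
    padded = -(-(inner_len + TRAILER) // block) * block
    return OUTER_IP + SPI_SEQ + block + padded + ICV_LEN[integrity]


def max_inner_packet(link_mtu=1500, cipher="3des", integrity="sha1"):
    """Largest inner IP packet whose ESP encapsulation still fits in link_mtu."""
    block = CIPHER_BLOCK[cipher]
    room = link_mtu - OUTER_IP - SPI_SEQ - block - ICV_LEN[integrity]
    return (room // block) * block - TRAILER


def suggested_tcp_mss(link_mtu=1500, cipher="3des", integrity="sha1"):
    """TCP MSS that keeps every full segment below the tunnel's effective MTU."""
    return max_inner_packet(link_mtu, cipher, integrity) - TCP_IP_HDRS


def df_packet_fate(inner_len, df_set, link_mtu=1500, cipher="3des", integrity="sha1"):
    """What an IPsec gateway does with an inner packet: forward, fragment, or drop (DF set)."""
    if esp_tunnel_size(inner_len, cipher, integrity) <= link_mtu:
        return "forwarded"
    return "dropped, ICMP fragmentation-needed sent" if df_set else "fragmented"


if __name__ == "__main__":
    # A 64-byte ping fits; a full 1500-byte TCP segment with DF set does not.
    print("ping 64B   :", df_packet_fate(64, df_set=True))
    print("TCP 1500B  :", df_packet_fate(1500, df_set=True))
    print("max inner  :", max_inner_packet())
    print("suggest MSS:", suggested_tcp_mss())
```

The pattern in the original question, pings and a short telnet session work while the first full-size web response stalls, is what this produces when the ICMP fragmentation-needed message never reaches the sender. On IOS the usual knobs are `ip tcp adjust-mss` on the inside interface (the value above gives the upper bound; vendors commonly round down to 1400) and `crypto ipsec df-bit clear` if clearing DF is acceptable.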

