Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Phase-2 PFS Problem

Hi All,

Faced some kind of strange problem when setting up VPN tunnle between cisco routers & Juniper ISG firewall.

Problem what we faced is , VPN tunnel came up in phase-1 & phase-2 also and we were able to to icmp & telnet test as well.

however when users came on work they faced frequent disconnection..i mean first webpage used to open & next no....or in other applictions first sessions used to go through but next not..since i was not on battel field i dont know exact logs which showing status in terms of connection.

But when investigated what i found is PFS in Cisco router was disable & where as in Juniper it was enabled at with Group-1.

I feel issue could have happen due to PFS only...can someone please help me to know if that is the reason? (Verfied MSS erros but didnt see those).

Yogesh

Everyone's tags (2)
3 REPLIES
New Member

Phase-2 PFS Problem

If you have PFS enabled on one end it has to be also enabled on the other end.

This is additional security for the IPSEC tunnel encryption keys using deffie helman groups, not having this setting matched on both ends will affect the traffic.

Regards,

Tariq

Phase-2 PFS Problem

Thanks Tariq,

Understood. Later what i undestood is that at Juniper end PFS Group-2 was enabled & cisco router end  PFS Group-1 was enabled..Do you think in that case telnet will work & apps dont.

In same setup with another cisco edge router PFS Group-1 was cofigured but looks that override & applications worked perfect. At offshore it was same Juniper & configurations.

Yogesh

New Member

Re:Phase-2 PFS Problem

Thsi could be really because the overhead PFS adds to tge traffic.

Do you have the df bit set or clear ?

Can you disable the PFS and see ?

Is this happen for tcp applications only or even pings ?

To be more sure please provide your configuration.

Can you


Sent from Cisco Technical Support Android App

433
Views
0
Helpful
3
Replies
CreatePlease to create content