Cisco 800 VPN to a NetScreen-25

jfarrer
Level 1

I am trying to configure a VPN tunnel between a Cisco 800 router and a NetScreen-25 firewall. I am able to complete Phase 1, but Phase 2 debugs show "peer not found". What am I missing?

Accepted Solutions

Jack,

The crypto configuration on the 800 router has overlapping access-lists.

Crypto map access-lists 115 and 116 are overlapping, meaning the destination is the same network and they are to two different peers.

access-list 115 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255

access-list 116 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255

access-list 116 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31

Also, access-list 116 has a destination of 192.168.103.64 0.0.0.31, which is your network.

Please update the configuration and try to bring up the tunnel.

Let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **

5 Replies

ggilbert
Cisco Employee

Hello,

Would it be possible for you to upload the config from the Cisco 800 series router?

Thanks

Gilbert

Here are the configs for the Cisco 800 and the NetScreen.

Jack,

Also take a look at ACL 117.

access-list 117 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255

access-list 117 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31

You do not need the second entry.

Cheers

Gilbert

- Rate it, if it helps -
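
The two checks described in the replies above (the same traffic selected by crypto ACLs bound to different peers, and an entry whose destination is the router's own network) can be run over a config before the tunnel is brought up. This is an added example, not code from the thread or from Cisco; the peer labels, the ACL-to-peer mapping and the function names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed input: the ACL entries quoted in the thread. The peer labels
# are placeholders; the thread only says 115 and 116 go to different peers.
CONFIG = """\
access-list 115 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31
"""
ACL_PEER = {"115": "peer-A", "116": "peer-B"}
LOCAL_NET = ipaddress.ip_network("192.168.103.64/27")

ACE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse(config):
    """Return (acl, source net, destination net) for each permit-ip entry.

    Only the 'address wildcard' form with contiguous wildcards is handled;
    the 'host' and 'any' keywords are out of scope here.
    """
    entries = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            acl, src, swc, dst, dwc = m.groups()
            # ipaddress accepts a Cisco wildcard as a host mask
            entries.append((acl, ipaddress.ip_network(f"{src}/{swc}"),
                            ipaddress.ip_network(f"{dst}/{dwc}")))
    return entries


def audit(entries, acl_peer, local_net):
    """Flag the two problems the replies describe."""
    findings = []
    for i, (acl, src, dst) in enumerate(entries):
        # An entry whose destination is the router's own LAN is not needed
        if dst.overlaps(local_net):
            findings.append(("dest-is-local", acl, f"{src} -> {dst}"))
        # The same traffic selected by ACLs bound to different peers
        for acl2, src2, dst2 in entries[i + 1:]:
            if (acl_peer.get(acl) != acl_peer.get(acl2)
                    and src.overlaps(src2) and dst.overlaps(dst2)):
                findings.append(("overlap", f"{acl}/{acl2}", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(CONFIG), ACL_PEER, LOCAL_NET):
        print(*finding)
```

The destination check is the same one that applies to the second entry of ACL 117.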

Arul,

That did the trick. I removed the overlapping peer and removed the access lists that weren't being used. Thanks for your help.

Jack.