The VPN tunnel between ASA 5500 and Netscreen does not come up
These are among the reasons for this issue:
Mismatching phase one policies
Mismatching crypto Access Control Lists (ACLs)
Wrong IP address defined for the peer on either device
Mismatching pre-shared key
Perfect Forward Secrecy (PFS) enabled on one end and disabled on the other
To resolve this issue, perform these steps:
Check whether phase one comes up. If it does not, match the Internet Security Association and Key Management Protocol (ISAKMP) policies, the pre-shared key, and the peer IP address on both devices.
If phase two does not come up, match the crypto ACLs (each side's ACL must be the mirror image of the other's) and make sure that NAT is bypassed for the tunnel traffic.
If everything matches and the tunnel still does not come up, determine whether PFS is enabled or disabled on each side. PFS must be either enabled on both ends or disabled on both ends.
PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
Note: PFS is disabled by default on Adaptive Security Appliance (ASA).
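The ASA side of the checklist above, as an added example that is not from the original page: a constructed IKEv1 site-to-site configuration in ASA 7.x/8.2 syntax (pre-8.3 NAT commands), with comments marking each item that must match the Netscreen. The peer address 203.0.113.2, the 10.1.1.0/24 and 10.2.2.0/24 networks, the key string and the policy numbers are placeholders.

```cisco
! Phase 1 (ISAKMP): encryption, hash, DH group, lifetime and authentication
! must all match the Netscreen P1 proposal, or phase one never comes up.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
! Peer address and pre-shared key: use the Netscreen's public (outside) IP,
! and the same key string on both ends. EXAMPLE-KEY is a placeholder.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key EXAMPLE-KEY
!
! Phase 2: the crypto ACL must be the exact mirror of the Netscreen proxy-IDs
! (local 10.1.1.0/24 to remote 10.2.2.0/24 here; reversed on the Netscreen).
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! NAT exemption so tunnel traffic is not translated before encryption.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! PFS is off by default on the ASA. Keep this line only if PFS is enabled
! on the Netscreen P2 proposal; remove it if PFS is disabled there.
crypto map outside_map 10 set pfs group2
crypto map outside_map interface outside
```

After applying it, `show crypto isakmp sa` should list the peer in state MM_ACTIVE (phase one up), and `show crypto ipsec sa` should show non-zero encaps/decaps counters for the 10.1.1.0/24 to 10.2.2.0/24 pair (phase two up); if the first is empty, recheck the phase-one items, and if only the second is empty, recheck the ACL, NAT exemption and PFS items.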