Cisco Support Community

The VPN tunnel between ASA 5500 and Netscreen does not come up

Core issue

These are among the reasons for this issue:

  • Mismatching phase one (ISAKMP) policies

  • Mismatching crypto Access Control Lists (ACLs), that is, the Netscreen proxy-ID does not mirror the ASA crypto ACL

  • Wrong IP address defined for the peer on either device

  • Missing NAT exemption, so the interesting traffic is translated before it reaches the crypto map and no longer matches the crypto ACL

  • Mismatching pre-shared key

  • Perfect Forward Secrecy (PFS) enabled on one end but disabled on the other

Resolution

To resolve this issue, perform these steps:

  1. Check whether phase one comes up. If it does not, match the Internet Security Association and Key Management Protocol (ISAKMP) policies (authentication method, encryption, hash, Diffie-Hellman group and lifetime), the pre-shared key and the peer IP address on both devices.

  2. If phase two does not come up, match the crypto ACLs (the Netscreen proxy-ID must be the exact mirror image of the ASA crypto ACL) and make sure that the VPN traffic is exempted from NAT.

  3. If everything matches and the tunnel still does not come up, determine whether PFS is enabled or disabled. PFS must be either enabled on both ends or disabled on both ends, and when enabled both ends must use the same Diffie-Hellman group.
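The three checks above, laid out as one ASA site-to-site configuration with the settings that must agree with the Netscreen annotated in place. This is an added example, not configuration from the original article: the ASA syntax is the pre-8.3 (8.0/8.2) form current when the article was written, and the peer address 203.0.113.2, the subnets 192.168.1.0/24 (behind the ASA) and 10.10.10.0/24 (behind the Netscreen), the object names and the pre-shared key are placeholders.

```cisco
! --- Step 1, phase one. Every value here must match the Netscreen
! --- phase-one proposal: pre-shared authentication, AES, SHA-1,
! --- DH group 2, 86400 s lifetime.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! --- Step 1, peer address and pre-shared key. The tunnel-group name is
! --- the Netscreen's public IP; it must be the address the Netscreen
! --- actually sends from, and the key must be identical on both ends.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key ExampleKey123
!
! --- Step 2, crypto ACL. Source is the local subnet, destination the
! --- remote subnet. The Netscreen proxy-ID must be the mirror image:
! --- local 10.10.10.0/24, remote 192.168.1.0/24, service ANY.
access-list L2L_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! --- Step 2, NAT exemption. The same subnet pair must bypass NAT;
! --- if it is translated, the packets no longer match L2L_TRAFFIC
! --- and phase two is never triggered.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- Phase-two transform set; must match the Netscreen phase-two
! --- proposal (ESP with AES and SHA-1 here).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! --- Step 3, crypto map. "set pfs group2" enables PFS with DH group 2.
! --- If the Netscreen phase-two proposal has PFS disabled, delete this
! --- line (PFS is off by default on the ASA); if it has PFS with a
! --- different group, change the group. Either mismatch stalls phase two.
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside
```

To see which step is failing, generate traffic between the two subnets and check `show crypto isakmp sa` (phase one should reach MM_ACTIVE; if it never does, the problem is in step 1) and then `show crypto ipsec sa` (the encaps/decaps packet counters should increment; if phase one is up but no IPsec SA appears, the problem is in step 2 or 3). `debug crypto isakmp 127` and `debug crypto ipsec 127` show the proposal, proxy-ID and PFS values each side offers, which is the quickest way to spot the mismatch. On the Netscreen side the corresponding objects are its phase-one and phase-two proposals, the IKE gateway (peer address and pre-shared key) and the VPN proxy-ID; the exact ScreenOS commands are not covered by this article.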

PFS is a cryptographic property of a derived shared secret. With PFS, each phase two (IPsec) key comes from a fresh Diffie-Hellman exchange instead of being derived from the phase one keying material, so if one key is compromised, previous and subsequent keys are not compromised.

Note: PFS is disabled by default on Adaptive Security Appliance (ASA).

For additional information about PFS, refer to the Configuring Perfect Forward Secrecy section of Configuring Group Policies.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:10 PM