Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ASA to Netscreen L2L ?

I'm trying to set up a L2L VPN with a Cisco ASA 5510 and a Juniper Netscreen Firewall. I can't find any recent documentation regarding this setup. I'm receiving some error messages from the ASDM which are below:

4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes

3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED

3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)

5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!

3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!

3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!

The VPN config is provided. Anything stand out? or anyone else get this to work? Any comments welcome.

Chris Serafin

chris@chrisserafin.com

2 REPLIES
Community Member

Re: ASA to Netscreen L2L ?

Are you sure that the IPSEC configuration on both devices are matching perfectly? Your Phase 1 Completed implies that your ISAKMP tunnel is created so that moves you past the ISAKMP and it says that your IPSEC Proposal is bad so on your ASA you have it set up for ESP-3DES ESP-MD5-HMAC also you have PFS Group 2 on make sure you have that set up on your NetScreen

Hall of Fame Super Blue

Re: ASA to Netscreen L2L ?

Hi

I think Bob is correct. In addtion could you check your lieftimes on your Phase 2 as well.

It may also be worth temporarily turning off pfs as i have seen issues with this and other 3rd party firewalls.

HTH

Jon

532
Views
0
Helpful
2
Replies
CreatePlease to create content