Cisco Support Community
Community Member

Dynamic VPN From Juniper SSG5 Uses DefaultRAGroup

I am trying to set up a VPN to an ASA5540 with a static IP address from a Juniper SSG5 with a dynamic IP address. I have tested the configuration from an ASA to ASA and it works fine. When I try to connect with the Juniper SSG5 it does not work. I did a debug crypto ikev1 and it shows the SSG5 defaulting to the DefaultRAGroup. It's supposed to use the DefaultL2LGroup. Does anyone have an idea of what could be the problem? I will post the configuration shortly. I appreciate the help.

Community Member

Below is the config of the ASA.  This works fine from another ASA, but does not from the Juniper SSG5.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 
interface GigabitEthernet2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet4
 no nameif
 no security-level
 no ip address
interface GigabitEthernet5
 no nameif
 no security-level
 no ip address
ftp mode passive
access-list vpn extended permit ip 
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map EXTERNAL 5 match address vpn
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set 3DES-SHA
crypto map EXTERNAL 5 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map EXTERNAL interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
