VPN between cisco 877 and Juniper SSG

ryancisco01 (Level 1)

Hi Guys,

I have a Juniper SSG350 working as an IPsec site-to-site VPN hub. I have multiple SSG20s and SRX110s out at remote sites which connect to the VPN, and all are working well.

Recently I deployed two Ciscos, one 877 and one 878, and connected them to the Juniper. Both connected fine; however, they disconnect frequently, and I'm talking probably 50-100 times a day!

I don't see any real error messages; it looks to be a totally normal teardown and rebuild process, but I can't get them stable.

One thing to note that I saw when debugging crypto ipsec errors was this:

Nov 18 12:53:02: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:12: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:22: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 12:53:32: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

which indicates that the ACL is wrong. I would usually just have the one line in my ACL, so I added the second so that both the Juniper and the Cisco have two exactly matching lines in the policies (the Juniper does both directions by default).

Cisco config:

crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key *** address ***
!
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
!
crypto map *** 11 ipsec-isakmp
 set peer ***
 set transform-set aes-sha
 set pfs group2
 match address IF-encrypt
!
interface Vlan1
 ip address 192.168.83.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip unnumbered Loopback0
 ip mtu 1492
 ip virtual-reassembly max-reassemblies 1024
 crypto map ***
!
ip nat inside source list 105 interface Loopback0 overload
!
ip access-list extended IF-encrypt
 permit ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
 permit ip 192.168.83.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 105 permit ip 192.168.83.0 0.0.0.255 any

---------

I can provide the Juniper config if required.

Here is the debug from the Cisco:

Nov 18 11:44:32: ISAKMP (2013): received packet from *** dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:32: ISAKMP: set new node 16342192 to QM_IDLE
Nov 18 11:44:32: ISAKMP:(2013): processing HASH payload. message ID = 16342192
Nov 18 11:44:32: ISAKMP:(2013): processing DELETE payload. message ID = 16342192
Nov 18 11:44:32: ISAKMP:(2013):peer does not do paranoid keepalives.
Nov 18 11:44:32: ISAKMP:(2013):deleting node 16342192 error FALSE reason "Informational (in) state 1"
Nov 18 11:44:33: ISAKMP (2013): received packet from 203.167.141.70 dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:33: ISAKMP: set new node 1271687011 to QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013): processing HASH payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing SA payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013):Checking IPSec proposal 1
Nov 18 11:44:33: ISAKMP: transform 1, ESP_AES
Nov 18 11:44:33: ISAKMP:   attributes in transform:
Nov 18 11:44:33: ISAKMP:      SA life type in seconds
Nov 18 11:44:33: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10
Nov 18 11:44:33: ISAKMP:      encaps is 1 (Tunnel)
Nov 18 11:44:33: ISAKMP:      authenticator is HMAC-MD5
Nov 18 11:44:33: ISAKMP:      group is 2
Nov 18 11:44:33: ISAKMP:      key length is 128
Nov 18 11:44:33: ISAKMP:(2013):atts are acceptable.
Nov 18 11:44:33: ISAKMP:(2013): processing NONCE payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing KE payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing ID payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013): processing ID payload. message ID = 1271687011
Nov 18 11:44:33: ISAKMP:(2013):QM Responder gets spi
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Nov 18 11:44:33:  ISAKMP: Failed to find peer index node to update peer_info_list
Nov 18 11:44:33: ISAKMP:(2013):Received IPSec Install callback... proceeding with the negotiation
Nov 18 11:44:33: ISAKMP:(2013): sending packet to *** my_port 500 peer_port 500 (R) QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013):Sending an IKE IPv4 Packet.
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Nov 18 11:44:33: ISAKMP (2013): received packet from *** dport 500 sport 500 Global (R) QM_IDLE
Nov 18 11:44:33: ISAKMP:(2013):deleting node 1271687011 error FALSE reason "QM done (await)"
Nov 18 11:44:33: ISAKMP:(2013):Node 1271687011, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Nov 18 11:45:22: ISAKMP:(2013):purging node 16342192
Nov 18 11:45:23: ISAKMP:(2013):purging node 1271687011

**********************************************************

and debug from the Juniper:

## 2013-11-18 12:09:31 : IKE<ip-add> clear auto sa sent: 15
## 2013-11-18 12:09:31 : IKE<ip-add> clear sa recv: 15
## 2013-11-18 12:09:31 : IKE<ip-add> deactive p2 sa 15 send_delete 1
## 2013-11-18 12:09:31 : IKE<ip-add> Send IPSEC delete for sa 15, mode 1
## 2013-11-18 12:09:31 : IKE<ip-add> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2013-11-18 12:09:31 : IKE<ip-add> sending phase 2 (SA15) delete to <ip ip-add> spi<45bcedb1>
## 2013-11-18 12:09:31 : IKE<ip-add> Create conn entry...
## 2013-11-18 12:09:31 : IKE<ip-add>   ...done(new ca265422)
## 2013-11-18 12:09:31 : IKE<ip-add> Construct ISAKMP header.
## 2013-11-18 12:09:31 : IKE<ip-add> Msg header built (next payload #8)
## 2013-11-18 12:09:31 : IKE<ip-add> Construct [HASH]
## 2013-11-18 12:09:31 : IKE<ip-add> construct QM HASH
## 2013-11-18 12:09:31 : IKE<ip-add> P2 message header:
## 2013-11-18 12:09:31 : IKE<ip-add   > Xmit*: [HASH] [DELETE]
## 2013-11-18 12:09:31 : IKE<ip-add> Encrypt P2 payload (len 68)
## 2013-11-18 12:09:31 : IKE<ip-add   > clear p2 pkt dump:
## 2013-11-18 12:09:31 : IKE<ip-add   > iv:
## 2013-11-18 12:09:31 : IKE<ip-add   > new iv:
## 2013-11-18 12:09:31 : IKE<ip-add> Initiator sending IPv4 IP ip-add/port 500
## 2013-11-18 12:09:31 : IKE<ip-add> Send Phase 2 packet (len=76)
## 2013-11-18 12:09:31 : IKE<ip-add> ipsec delete packet sent, type=3, spi=45bcedb1
## 2013-11-18 12:09:31 : IKE<ip-add>   Delete conn entry...
## 2013-11-18 12:16:43 : IKE<ip-add> Phase 2 msg-id <26c6f99c>: Received responder lifetime notification.(0 sec/4608000 Kb)
## 2013-11-18 12:16:43 : IKE<ip-add> Phase 2 msg-id <26c6f99c>: Completed Quick Mode negotiation with SPI <45bcedbb>, tunnel ID <27>, and lifetime <3600> seconds/<4194303> KB.

-----------------------

show ipsec:

interface: Dialer0
    Crypto map tag: ipsec, local addr ip-add

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.83.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer ip add port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
    #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 104

     local crypto endpt.: ipadd, remote crypto endpt.: ipadd
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x45BCEDE7(1170009575)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x4C3F6F5B(1279225691)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 751, flow_id: Onboard VPN:751, sibling_flags 80000046, crypto map: ipsec-corks
        sa timing: remaining key lifetime (k/sec): (4549312/3494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45BCEDE7(1170009575)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 752, flow_id: Onboard VPN:752, sibling_flags 80000046, crypto map: ipsec-corks
        sa timing: remaining key lifetime (k/sec): (4549314/3494)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

Any ideas would be greatly appreciated!!
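The "decrypted packet failed SA identity check" messages quoted above are worth modelling concretely. The following Python is an added example, not configuration or code from the thread, from Cisco or from Juniper: it applies the proxy-identity test that IOS makes on every packet it has already decrypted and authenticated, using the local and remote idents shown in the show output (192.168.83.0/24 and 192.168.0.0/24). The sample packets are constructed for the example; the 10.20.30.1 source address is a hypothetical stand-in for any address outside the negotiated proxy IDs.

```python
"""Model of the SA identity check IOS applies to decrypted IPsec packets.

Added example, not from the thread or from Cisco. A tunnel-mode ESP packet can
decrypt and pass its HMAC and still be dropped: the inner IP header must fall
inside the proxy identities negotiated for that SA, otherwise IOS logs
"IPSEC(epa_des_crypt): decrypted packet failed SA identity check".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Ident:
    """One proxy identity as IOS prints it: addr/mask/prot/port, where 0 means any."""
    net: IPv4Network
    proto: int = 0
    port: int = 0

    def covers(self, addr: str, proto: int, port: int) -> bool:
        if ip_address(addr) not in self.net:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.port and self.port != port:
            return False
        return True


@dataclass(frozen=True)
class Packet:
    """Inner (decrypted) IPv4 header fields of a tunnel-mode ESP packet."""
    src: str
    dst: str
    proto: int          # 1 = ICMP, 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0


# Proxy IDs taken from the thread's "show crypto ipsec sa" output.
SA_LOCAL = Ident(ip_network("192.168.83.0/24"))
SA_REMOTE = Ident(ip_network("192.168.0.0/24"))


def sa_identity_check(pkt: Packet, local: Ident = SA_LOCAL, remote: Ident = SA_REMOTE) -> bool:
    """Inbound direction: inner src must sit in the remote ident, inner dst in the local ident."""
    return remote.covers(pkt.src, pkt.proto, pkt.sport) and local.covers(pkt.dst, pkt.proto, pkt.dport)


def triage(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split decrypted packets into those IOS would forward and those it would drop."""
    accepted: List[Packet] = []
    rejected: List[Packet] = []
    for pkt in packets:
        (accepted if sa_identity_check(pkt) else rejected).append(pkt)
    return accepted, rejected


# Constructed sample traffic; 10.20.30.1 is a hypothetical address outside the policy.
SAMPLE_PACKETS = [
    Packet("192.168.0.10", "192.168.83.20", 6, 51515, 443),  # hub LAN host to spoke LAN host: forwarded
    Packet("192.168.0.1", "192.168.83.1", 1),                # probe sourced inside the hub LAN: forwarded
    Packet("10.20.30.1", "192.168.83.1", 1),                 # probe sourced outside the proxy IDs: dropped
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_PACKETS)
    for pkt in bad:
        print(f"IPSEC(epa_des_crypt): decrypted packet failed SA identity check  ({pkt.src} -> {pkt.dst})")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```

The third sample packet is the case that matters for the resolution at the end of the thread: a keepalive probe whose inner source address lies outside the negotiated proxy IDs is dropped by exactly this check, so it is never answered, which is consistent with the poster's remark that setting VPN Monitor's source interface correctly would probably also have worked.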


7 Replies

Jeff Van Houten (Level 5)

Do you need PFS for the Juniper? Have you tried without PFS?

Well, it was enabled on both the Juniper and the Cisco. I have disabled it on both sides now. Will see if it makes any difference!

Nope, didn't make a difference: 11 disconnects in just over an hour.

Rejohn Cuares (Level 4)

Can you put an ISAKMP keepalive and/or IP SLA in place so the tunnel is always up?


I enabled DPD on both the Juniper and the Cisco.

I am seeing this in the debugs now; does it look correct?

Nov 20 14:47:07: ISAKMP:(2027):purging node -797132523
Nov 20 14:47:15: ISAKMP: set new node 1984029109 to QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 249726800, message ID = 1984029109
Nov 20 14:47:15: ISAKMP:(2027): seq. no 0x1A1FA2E4
Nov 20 14:47:15: ISAKMP:(2027): sending packet to IPADD my_port 500 peer_port 500 (I) QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027):Sending an IKE IPv4 Packet.
Nov 20 14:47:15: ISAKMP:(2027):purging node 1984029109
Nov 20 14:47:15: ISAKMP:(2027):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Nov 20 14:47:15: ISAKMP:(2027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Nov 20 14:47:15: ISAKMP (2027): received packet from IPADD dport 500 sport 500 Global (I) QM_IDLE
Nov 20 14:47:15: ISAKMP: set new node -438422623 to QM_IDLE
Nov 20 14:47:15: ISAKMP:(2027): processing HASH payload. message ID = 3856544673
Nov 20 14:47:15: ISAKMP:(2027): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 3856544673, sa = 0x10BBC60
Nov 20 14:47:15: ISAKMP:(2027): DPD/R_U_THERE_ACK received from peer IPADD, sequence 0x1A1FA2E4
Nov 20 14:47:15: ISAKMP:(2027):deleting node -438422623 error FALSE reason "Informational (in) state 1"
Nov 20 14:47:15: ISAKMP:(2027):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 14:47:15: ISAKMP:(2027):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

I'll let it run for a couple of hours and report back if it stays connected now.

OK, even with DPD/keepalives on I still got 2 disconnections within 20 minutes, from 2 different sites.

I would prefer not to use an IP SLA, because the ISAKMP keepalive UDPs should be enough in themselves to keep the tunnel interested.

Anyone else got a similar setup working that could share config? I have run out of ideas.

OK, for anyone else having this issue: I solved it by disabling "VPN Monitor" on the Juniper. VPN Monitor will send ICMP when there is no user data on the VPN. If a ping is not replied to, the tunnel is terminated. I could have kept this feature enabled and set the correct source interfaces, which would probably have worked; however, having DPD seemed enough for me. Haven't had a drop in 48 hours.
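The thread's diagnosis rested on telling an ordinary rekey apart from a premature teardown, which is hard to do by eye across 50-100 events a day. The Python below is an added example (not from the thread, Cisco or Juniper) that triages "debug crypto isakmp" and "debug crypto ipsec" output: it measures how long each phase-2 SA lived between IKE_QM_PHASE2_COMPLETE and the next DELETE payload, classifies the teardown against the 3600-second phase-2 lifetime the Juniper reported, and counts SA identity-check failures alongside. The sample log lines are constructed in the same format as the thread's output, the year used for timestamp parsing is assumed (IOS timestamps carry none), and the 80% rekey threshold is a heuristic chosen for the example.

```python
"""Triage Cisco IKE/IPsec debug output for tunnel flaps.

Added example, not from the thread or from Cisco. Each phase-2 DELETE is
classified as an expected rekey or a premature teardown by measuring how long
the SA lived after the last IKE_QM_PHASE2_COMPLETE; decrypted packets that
failed the SA identity check are counted alongside so the two symptoms can be
correlated in time.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

LOG_YEAR = 2013          # assumed: IOS timestamps carry no year
P2_LIFETIME_SEC = 3600   # phase-2 lifetime the Juniper reported in the thread
REKEY_FRACTION = 0.8     # heuristic: an SA torn down after >= 80% of lifetime is treated as a rekey

# Constructed sample lines in the same format as the thread's debug output.
SAMPLE_LOG = """\
Nov 18 11:44:32: ISAKMP:(2013): processing DELETE payload. message ID = 16342192
Nov 18 11:44:33: ISAKMP:(2013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Nov 18 11:52:10: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 11:52:20: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nov 18 11:53:05: ISAKMP:(2013): processing DELETE payload. message ID = 22334455
Nov 18 11:53:06: ISAKMP:(2013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Nov 18 12:53:06: ISAKMP:(2013): processing DELETE payload. message ID = 99887766
Nov 18 12:53:07: ISAKMP:(2013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}):")


def parse_events(lines: List[str]) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, kind) for the three event types the triage cares about."""
    events: List[Tuple[datetime, str]] = []
    for line in lines:
        m = _TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if "processing DELETE payload" in line:
            kind = "delete"
        elif "New State = IKE_QM_PHASE2_COMPLETE" in line:
            kind = "p2_complete"
        elif "failed SA identity check" in line:
            kind = "identity_fail"
        else:
            continue
        events.append((ts, kind))
    return events


def classify_teardowns(events: List[Tuple[datetime, str]],
                       lifetime: int = P2_LIFETIME_SEC,
                       rekey_fraction: float = REKEY_FRACTION) -> Dict[str, int]:
    """Count rebuilds, deletes split into rekey/premature/unknown, and identity failures."""
    summary = {"rebuilds": 0, "deletes": 0, "rekey": 0, "premature": 0,
               "unknown": 0, "identity_failures": 0}
    last_complete = None
    for ts, kind in events:
        if kind == "p2_complete":
            summary["rebuilds"] += 1
            last_complete = ts
        elif kind == "identity_fail":
            summary["identity_failures"] += 1
        elif kind == "delete":
            summary["deletes"] += 1
            if last_complete is None:
                summary["unknown"] += 1          # no completion seen yet in this capture
            else:
                age = (ts - last_complete).total_seconds()
                summary["rekey" if age >= lifetime * rekey_fraction else "premature"] += 1
    return summary


def analyze(log_text: str, lifetime: int = P2_LIFETIME_SEC) -> Dict[str, int]:
    """Convenience wrapper: raw debug text in, summary dict out."""
    return classify_teardowns(parse_events(log_text.splitlines()), lifetime)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

Run against a capture from a flapping spoke, a high "premature" count with identity failures clustered just before each teardown points at a peer-side liveness mechanism (such as the VPN Monitor in this thread) rather than at lifetime expiry; a capture in which almost every DELETE lands in "rekey" is the normal teardown-and-rebuild the poster first observed.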
