08.16.2007 at 04:01AM PDT, ID: 22766492

Watchguard to Netscreen IPSEC issue
Issue connecting Watchguard 1000 to Netscreen Firewall. IPSEC tunnel.

The tunnel can be brought up from the Watchguard end only, but when trying to bring it up from the Netscreen, no response.

Pinging the remote address from watchguard = Success
Pinging remote address from Netscreen = Fail.

Why is there no response when pinging from the netscreen side?
Question Stats
Zone: Networking
Question Asked By: dpicksley
Solution Provided By: dpicksley
Participating Experts: 3
Solution Grade: A
08.16.2007 at 04:23AM PDT, ID: 19706917
When the Netscreen tries to create the tunnel, the Watchguard log shows:
From 80.169.*.* MM-HDR ISA_SA_VENDORID ISA_VENDORID
TO 80.169.*.* MM-HDR ASA_SA
FROM 80.169.*.* MM-HDR ISA_KE ISA_NONCE
TO 80.169.*.* MM-HDR ISA_KE ISA_NONCE
Crypto ACTIVE after delay
FROM 80.169.*.* MM-HDR* ISA_ID ISA _HASH
Unable to find gw by hisid
Unable to fill local ID
Main mode processing failed

Your help would be appreciated.
 
08.16.2007 at 04:52AM PDT, ID: 19707102

Rank: Guru

Phase I of your VPN is failing. Are you using a domain name for WG, i.e., does the WG side have a dynamic IP address? If yes, then please use the domain name as per your service provider.
Also, make sure that the Phase I settings in terms of encryption, hashing algorithms and pre-shared keys are identical.

Once the settings are the same and correct, this will get the tunnel up.

Thank you.
 
08.16.2007 at 04:56AM PDT, ID: 19707125
We have a static IP and the above are all identical. It creates the tunnel to the Netscreen and works, but when the tunnel expires and the Netscreen side tries to create it, it won't connect, resulting in the above error.

Dan
 
08.16.2007 at 05:04AM PDT, ID: 19707192

Rank: Guru

What policies do you have in place on the Netscreen for VPN traffic? I think it is a misconfigured policy which is not allowing traffic to go from the Netscreen end to WG.
 
08.16.2007 at 05:34AM PDT, ID: 19707379
This is at the customer's end; I shall ask the third party to take a look.
 
08.16.2007 at 06:38AM PDT, ID: 19707914
Data is being sent from the Netscreen to the watchguard, the watchguard acknowledges the data by the information in post2.
After the Netscreen attempts to connect, it shows this in the log.

2007-08-16 14:28:08  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached.  
2007-08-16 14:27:47  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached.  
2007-08-16 14:27:18  info  IKE<172.22.0.1> >> <194.70.*.*> Phase 1: Initiated negotiations in main mode.  
2007-08-16 14:26:57  info  IKE<172.22.0.1> >> <194.70.*.*> Phase 1: Initiated negotiations in main mode.  
2007-08-16 14:24:17  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached.

The policy on the netscreen is replicated by using the bi-directional switch.

So if a connection can be made from the Watchguard to the Netscreen, why does it not allow vice versa?
 
 
08.16.2007 at 08:41AM PDT, ID: 19709200
"Data is being sent from the Netscreen to the watchguard" .. Looking at that comment, I'm going to ask you what you might find a distracting/irritating question so here's why:

"Phase 1: Retransmission limit has been reached" would suggest that the NetScreen doesn't know where to look for its peer gateway. "Unable to find gw by hisid" also.

The fact that you can establish the VPN one way suggests that your security settings are OK, p1/dh2/sha-1, etc., so you can probably rule that out.

Q1) For each gateway, what are you using for the IKE ID? Not the actual data, but the type of data. Is it a static IP, or are you using a dynamic ID like an FQDN or U-FQDN? (Can you answer for both ends?)

Q2) If you're using static IPs: on the NetScreen, can you ping (from the external interface) the public IP of the Watchguard? Obviously you might need to enable that on the WG for it to work.

Q3) In your firewall policies at both ends, are you using an any/any passthrough, or do you have one or both boxes policing the traffic that can go through/come through? If you're not on an any/any, now would be a good time to *temporarily* switch to one (on both ends) if you can, so you can rule that out also.
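
One way to read the two log excerpts quoted in this thread side by side (an added Python example, not code from any poster or vendor): it reports which IKE main-mode message pair the Watchguard last logged before its errors, and counts the NetScreen's Phase 1 initiations and timeouts. The function names, the reading of `MM-HDR*` as an encrypted message, and the reading of the left side of `>>` as the NetScreen's local address are assumptions.

```python
import re
from ipaddress import ip_address

# Log excerpts copied from the thread (addresses were masked by the poster).
WATCHGUARD_LOG = """From 80.169.*.* MM-HDR ISA_SA_VENDORID ISA_VENDORID
TO 80.169.*.* MM-HDR ASA_SA
FROM 80.169.*.* MM-HDR ISA_KE ISA_NONCE
TO 80.169.*.* MM-HDR ISA_KE ISA_NONCE
Crypto ACTIVE after delay
FROM 80.169.*.* MM-HDR* ISA_ID ISA _HASH
Unable to find gw by hisid
Unable to fill local ID
Main mode processing failed"""
NETSCREEN_LOG = """2007-08-16 14:28:08  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached.
2007-08-16 14:27:47  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached.
2007-08-16 14:27:18  info  IKE<172.22.0.1> >> <194.70.*.*> Phase 1: Initiated negotiations in main mode.
2007-08-16 14:26:57  info  IKE<172.22.0.1> >> <194.70.*.*> Phase 1: Initiated negotiations in main mode.
2007-08-16 14:24:17  info  IKE<194.70.*.*> Phase 1: Retransmission limit has been reached."""

STAGES = [("ISA_ID", "5-6 identity/auth"), ("ISA_KE", "3-4 key exchange"), ("_SA", "1-2 SA proposal")]
WG_MSG = re.compile(r"^(FROM|TO)\s+\S+\s+MM-HDR(\*?)\s+(.*)$", re.I)
NS_EVT = re.compile(r"IKE<([^>]+)>(?:\s*>>\s*<[^>]+>)?\s+Phase 1: (.*)")

def watchguard_failure(log):
    """Last message before the errors: (stage, direction, encrypted, errors); '*' assumed = encrypted."""
    last, errors = None, []
    for line in map(str.strip, log.splitlines()):
        m = WG_MSG.match(line)
        if m:
            stage = next((name for key, name in STAGES if key in m.group(3)), "unknown")
            last, errors = (stage, m.group(1).upper(), m.group(2) == "*"), []
        elif last and re.search(r"unable|failed", line, re.I):
            errors.append(line)
    return last + (errors,) if last else None

def netscreen_summary(log):
    """Count Phase 1 initiations and retransmission timeouts; note the local address used."""
    out = {"initiated": 0, "timeouts": 0, "local": None, "local_private": None}
    for line in log.splitlines():
        m = NS_EVT.search(line)
        if m and "Initiated" in m.group(2):
            out["initiated"] += 1
            out["local"] = m.group(1)  # assumption: left side of ">>" is the local address
            out["local_private"] = None if "*" in m.group(1) else ip_address(m.group(1)).is_private
        elif m and "Retransmission limit" in m.group(2):
            out["timeouts"] += 1
    return out

if __name__ == "__main__":
    print(watchguard_failure(WATCHGUARD_LOG), netscreen_summary(NETSCREEN_LOG))
```

On these excerpts the failure lands on the identity/authentication pair and the NetScreen initiates from a private address, so the IKE ID each gateway expects from its peer is the setting to compare first.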
 
08.17.2007 at 08:31AM PDT, ID: 19717648
I have ended up using Aggressive mode on both firewalls and this worked straight away.

Regards

Dan
Accepted Solution
 
08.17.2007 at 09:52AM PDT, ID: 19718359

Rank: Guru

Good to know that the problem is solved.
 
11.08.2007 at 07:10PM PST, ID: 20247345
Would it be possible for you to post the settings on both the Watchguard and the Netscreen? I am about to set one up that sounds very similar to what you are doing here.

thanks in advance.
 
11.09.2007 at 01:39AM PST, ID: 20248263
I only did the Watchguard side, the remote end was enabled by the customer.

Simply tick the Aggressive Mode box when configuring the Gateway section of your VPN settings.

This then needs ticking on the Netscreen box also.

Best of luck.
 
11.09.2007 at 05:10AM PST, ID: 20249094
Thanks
 
 