Netscreen VPN tunnel issues

I have a VPN tunnel which keeps dropping on one end I have a NS-5GT and on other end NS5XP
My system log show "Phase1 Retransmission limit has been reached"
Not much on google
any help would be great
Thank you
-evt-log.txt
Lee YogelAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

dpk_walCommented:
>> Phase1 Retransmission limit has been reached
Indicates that the peers are not able to complete phase I of VPN negotiations; wither they are not able to reach other, for eg, if you have one end with dynamic IP and you have not used FQDN but static IP, when the IP would change the tunnel would drop.
Other option is that the pre-shared is not matching or any of the phase I option like encryption algorithm or deffie hellman group is in mismatch.

One other thing which is possible when your phase I key expires it cannot re-establish the connection and hence phase I and your VPN breaks.

Can you check when you start getting the phase I messages, do you loose internet connection at one of the sites, or if the IP address changes.

Please advice.

Thank you.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amoldkelkarCommented:
Hi,
You can refer the following pdf document and i am sure you will be good to go,
http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/index.html
On which you can go through the 'concepts & Examples' module.
Specifically in that module you can refer 'Volume 5 VPN > Site-to-site vpn'

Moreover you might want to check if you have the 'rekey' option enabled by which the tunnel wont be torn. Enable it on both the peers.
Go through the attached doc which talks about the 'Rekey & Optimization' options provided by netscreen. Its from the same document under 'Advanced VPN > VPN Monitoring' on page 242

Also if possible can you send across the configurations on both side so it will be easier to troubleshoot.

Regards,
-AK

rekey-vpn.doc
0
amoldkelkarCommented:
Following would be cli for enabling the rekey option in your phase II of an ipsec vpn,

C5GT-118-> set vpn vpn-1 monitor ?
<return>
optimized            optimize for scalability
rekey                trigger Rekey for autokey VPN
source-interface     send monitor message from
C5GT-118-> set vpn vpn-1 monitor


Let me know if this works out well.
0
Lee YogelAuthor Commented:
great thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.