VPN disconnection between Juniper and Cisco PIX

Dear all,
We have an issue of connection dropping between our branch office and HO.

Our branch office is connected to our HO through a VPN link over an ADSL line.
HO has a Cisco PIX 515 with a fixed IP address, and the branch office has a Juniper NS5GT ADSL with a dynamic IP.
Connections are established, and the ERP and Outlook work fine for some time. After 20-30 minutes, the connection drops. It gets reconnected automatically after 5-10 minutes.

The branch office router log says the following before disconnection:

"Cannot connect to e-mail server 192.9.200.3.
2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2 msg ID <98f4d36b>: Completed negotiations with SPI <3e578c78>, tunnel ID <1>, and lifetime <3600> seconds/<4608000> KB.
2011-04-04 16:07:05 info IKE<88.201.31.108>: Phase 2 msg ID <98f4d36b>: Received responder lifetime notification. (0 sec/4608000 KB)

2011-04-04 16:07:05 info IKE<88.201.31.108>: Received a notification message for DOI <1> <24576> <RESPONDER-LIFETIME>.

2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2: Initiated negotiations.

2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.

2011-04-04 16:07:04 info IKE<77.69.214.5> >> <88.201.31.108> Phase 1: Initiated negotiations in main mode.

2011-04-04 16:06:32 warn Cannot connect to e-mail server 192.9.200.3.
"
Please advise us how to solve the issue.
Thank you.
BINUGEORGEJOHN Asked:
 
DanJ Commented:
Try enabling the keepalive on the PIX. The connection may be idle.
isakmp keepalive <seconds>

0
 
John Meggers (Network Architect) Commented:
How is the PIX configured to recognize a VPN coming from a dynamic address?  The Cisco solution to this is typically EZVPN but that's not supported by Juniper.  Can you post the configs?
0
 
BINUGEORGEJOHN (Author) Commented:
Thanks for the prompt reply.
Please see below the PIX config.

"floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map tonetscreen 10 match address nonat
crypto dynamic-map tonetscreen 10 set transform-set strongsha
crypto map netscreen 20 ipsec-isakmp dynamic tonetscreen
crypto map netscreen interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
"
Please let us know if you require the full PIX config.
Thank you.
0
 
John Meggers (Network Architect) Commented:
That looks very much like an EZVPN configuration. I know it can be done; I had to set it up for a customer a few years ago, but I doubt I still have the configs.

In your case, does the tunnel connect and are you ever able to reach the e-mail server for any period of time?  Looks to me from the error messages like it's an issue related to the lifetime of the duration of the connection.  

It might be helpful to see the Juniper side as well.  I'm not familiar with the Juniper side to evaluate the configuration, maybe someone else can respond that is able to do that.  
0
Question has a verified solution.
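
Added example (not part of the original thread, and not code from any participant): a small parser for the NS5GT log excerpt quoted in the question. It pulls out the lifetimes each side reported and the gap between the connectivity warning and the new Phase 1. The function and field names are hypothetical.

```python
import re
from datetime import datetime

# Added example; names are illustrative. Log excerpt is the one quoted in the
# question (NS5GT side, newest entry first).
SAMPLE_LOG = """\
2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2 msg ID <98f4d36b>: Completed negotiations with SPI <3e578c78>, tunnel ID <1>, and lifetime <3600> seconds/<4608000> KB.
2011-04-04 16:07:05 info IKE<88.201.31.108>: Phase 2 msg ID <98f4d36b>: Received responder lifetime notification. (0 sec/4608000 KB)
2011-04-04 16:07:05 info IKE<88.201.31.108>: Received a notification message for DOI <1> <24576> <RESPONDER-LIFETIME>.
2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2: Initiated negotiations.
2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2011-04-04 16:07:04 info IKE<77.69.214.5> >> <88.201.31.108> Phase 1: Initiated negotiations in main mode.
2011-04-04 16:06:32 warn Cannot connect to e-mail server 192.9.200.3.
"""

TS = "%Y-%m-%d %H:%M:%S"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
P1_START = re.compile(r"Phase 1: Initiated negotiations")
P1_DONE = re.compile(r"Phase 1: Completed .*<(\d+)>-second lifetime")
P2_DONE = re.compile(r"Phase 2 .*Completed negotiations.*lifetime <(\d+)> seconds/<(\d+)> KB")
RESP = re.compile(r"responder lifetime notification\. \((\d+) sec/(\d+) KB\)")

def summarize(log_text):
    """Summarize one renegotiation: lifetimes seen and the gap before Phase 1."""
    info = {"p1_lifetime_s": None, "p2_negotiated": None,
            "p2_responder_notice": None, "gap_s": None, "findings": []}
    last_warn = None
    entries = [m for m in map(LINE.match, log_text.splitlines()) if m]
    for m in reversed(entries):  # the device lists newest first; walk oldest first
        when, level, msg = datetime.strptime(m[1], TS), m[2], m[3]
        if level == "warn" and "Cannot connect" in msg:
            last_warn = when
        elif P1_START.search(msg) and last_warn and info["gap_s"] is None:
            info["gap_s"] = int((when - last_warn).total_seconds())
        elif (hit := P1_DONE.search(msg)):
            info["p1_lifetime_s"] = int(hit[1])
        elif (hit := RESP.search(msg)):
            info["p2_responder_notice"] = (int(hit[1]), int(hit[2]))
        elif (hit := P2_DONE.search(msg)):
            info["p2_negotiated"] = (int(hit[1]), int(hit[2]))
    if info["gap_s"] is not None:
        info["findings"].append("new Phase 1 followed a connectivity warning: a full IKE negotiation, not only a Phase 2 rekey")
    if info["p2_negotiated"] and info["p2_responder_notice"] and info["p2_negotiated"] != info["p2_responder_notice"]:
        info["findings"].append("responder lifetime notice differs from negotiated Phase 2 lifetime: compare IPsec SA lifetimes on both peers")
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

Running it over a longer export of the same log shows whether every drop is followed by a fresh Phase 1 and whether the interval between them tracks one of the configured lifetimes.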