BINUGEORGEJOHN (Bahrain)

vpn disconnection between juniper and cisco pix

Dear all,
We have an issue of the connection dropping between our branch office and HO.

Our branch office is connected to our HO through a VPN link over an ADSL line.
HO has a Cisco PIX 515 with a fixed IP address and the branch office has a Juniper NS5GT ADSL with a dynamic IP.
Connections are established and the ERP and Outlook work fine for some time. After 20-30 minutes, the connection drops. It gets reconnected automatically after 5-10 minutes.

The branch office router log says the following before disconnection

"Cannot connect to e-mail server 192.9.200.3.
2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2 msg ID <98f4d36b>: Completed negotiations with SPI <3e578c78>, tunnel ID <1>, and lifetime <3600> seconds/<4608000> KB.
2011-04-04 16:07:05 info IKE<88.201.31.108>: Phase 2 msg ID <98f4d36b>: Received responder lifetime notification. (0 sec/4608000 KB)

2011-04-04 16:07:05 info IKE<88.201.31.108>: Received a notification message for DOI <1> <24576> <RESPONDER-LIFETIME>.

2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 2: Initiated negotiations.

2011-04-04 16:07:05 info IKE<88.201.31.108> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.

2011-04-04 16:07:04 info IKE<77.69.214.5> >> <88.201.31.108> Phase 1: Initiated negotiations in main mode.

2011-04-04 16:06:32 warn Cannot connect to e-mail server 192.9.200.3.
"
Please advise us how to solve the issue.
Thank you.
John Meggers

How is the PIX configured to recognize a VPN coming from a dynamic address?  The Cisco solution to this is typically EZVPN but that's not supported by Juniper.  Can you post the configs?
BINUGEORGEJOHN (ASKER)

Thanks for the prompt reply.
Please see below the PIX config.

"floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map tonetscreen 10 match address nonat
crypto dynamic-map tonetscreen 10 set transform-set strongsha
crypto map netscreen 20 ipsec-isakmp dynamic tonetscreen
crypto map netscreen interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
"
Please let us know if you require the full PIX config.
Thank you.
That looks very much like an EZVPN configuration.  I know it can be done, I had to set it up for a customer a few years ago but I doubt I still have the configs.  

In your case, does the tunnel connect and are you ever able to reach the e-mail server for any period of time?  Looks to me from the error messages like it's an issue related to the lifetime of the duration of the connection.  

It might be helpful to see the Juniper side as well.  I'm not familiar with the Juniper side to evaluate the configuration, maybe someone else can respond that is able to do that.  
ASKER CERTIFIED SOLUTION
DanJ
This solution is only available to members.