Solved

VPN between Cisco PIX 525 and Juniper SRX 100 Not Working

Posted on 2015-02-10
Medium Priority
131 Views
Last Modified: 2015-02-17
Due to a recent merger, we're faced with setting up a site-to-site tunnel between a Cisco device and Juniper device. We get the tunnel up but it doesn't stay up reliably. It drops without apparent reason and it's been impossible thus far to determine the cause. The Cisco logs merely show a timeout and thus far, I've been unable to locate anything in the Juniper logs (still new to it so I haven't gotten far there yet). Thus I have little to go on. But while I'm searching (and pulling my hair out), I thought I'd run it by the experts to see if anyone had a similar problem just in case... Attached are the config files for review.

Thank you and perhaps you can save what's left of my hair.
ExpertsExchangePosting.txt
0
Question by:ejefferson213
3 Comments
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40602350
Check the time out values for phase1 and phase2.
If you are not rekeying properly, it will cause you this type of grief. There is a value in the Juniper you can set which will allow a soft-rekey, basically allows the expired key to work for a short "float" period. This is where I would start.

It is odd on the PIX side that you set the SA timeout to the same value as the IKE. I did not see values specified in the Juniper. I may have missed it. Junos may be different, but the defaults in ScreenOS are 28800 and 3600 seconds respectively.

One last item: your transform sets are encrypting at the levels you want them to.
In Junos I believe that the predefined ones are (I had to pull the old book out for this one):
The predefined Phase 1 proposals that JUNOS Software provides are as follows:
■ Standard—pre-g2-aes128-sha and pre-g2-3des-sha
■ Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5
■ Basic—pre-g1-des-sha and pre-g1-des-md5
The predefined Phase 2 proposals that JUNOS Software provides are as follows:
■ Standard—g2-esp-3des-sha and g2-esp-aes128-sha
■ Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
■ Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

Last but not least, back to the timeouts: you also have a data limit defined for rekey (which is fine), but both sides should match.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Good luck, but I believe this will put you in the right area!
Matt
0
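A small checker, added here as an illustration and not part of the thread or the asker's attachment, that pulls the Phase 1 and Phase 2 lifetimes out of a PIX config and a Junos "set"-style SRX config and reports where they differ. The two config snippets are constructed samples (the PIX lines use the `isakmp policy` / `crypto ipsec security-association lifetime` commands quoted above; the SRX lines use the Junos `lifetime-seconds` / `lifetime-kilobytes` proposal knobs), and the defaults applied when a side is silent are Cisco's 86400/28800/4608000 and the 28800/3600 Junos figures from the comment.

```python
import re

# Constructed sample configs: the PIX has its IPsec SA lifetime set equal to its
# IKE lifetime (the situation the comment describes); the SRX leaves IPsec at
# the 3600 s default, so Phase 2 rekey timing differs between the peers.
PIX_CONFIG = """
isakmp policy 10 lifetime 28800
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
"""
SRX_CONFIG = """
set security ike proposal ike-prop lifetime-seconds 28800
set security ipsec proposal ipsec-prop lifetime-kilobytes 4608000
"""

# Defaults used when a value is not set explicitly (assumed platform defaults).
PIX_DEFAULTS = {"ike_seconds": 86400, "ipsec_seconds": 28800, "ipsec_kilobytes": 4608000}
SRX_DEFAULTS = {"ike_seconds": 28800, "ipsec_seconds": 3600, "ipsec_kilobytes": None}

PIX_PATTERNS = {
    "ike_seconds": r"^isakmp policy \d+ lifetime (\d+)$",
    "ipsec_seconds": r"^crypto ipsec security-association lifetime seconds (\d+)$",
    "ipsec_kilobytes": r"^crypto ipsec security-association lifetime kilobytes (\d+)$",
}
SRX_PATTERNS = {
    "ike_seconds": r"^set security ike proposal \S+ lifetime-seconds (\d+)$",
    "ipsec_seconds": r"^set security ipsec proposal \S+ lifetime-seconds (\d+)$",
    "ipsec_kilobytes": r"^set security ipsec proposal \S+ lifetime-kilobytes (\d+)$",
}

def extract_lifetimes(config, patterns, defaults):
    """Return {key: value} for the lifetimes in config, falling back to defaults."""
    found = dict(defaults)
    for line in config.splitlines():
        for key, pat in patterns.items():
            m = re.match(pat, line.strip())
            if m:
                found[key] = int(m.group(1))
    return found

def compare_lifetimes(pix, srx):
    """List (key, pix_value, srx_value) for every lifetime that differs."""
    keys = ("ike_seconds", "ipsec_seconds", "ipsec_kilobytes")
    return [(k, pix.get(k), srx.get(k)) for k in keys if pix.get(k) != srx.get(k)]

def check_sample():
    pix = extract_lifetimes(PIX_CONFIG, PIX_PATTERNS, PIX_DEFAULTS)
    srx = extract_lifetimes(SRX_CONFIG, SRX_PATTERNS, SRX_DEFAULTS)
    return compare_lifetimes(pix, srx)

if __name__ == "__main__":
    for key, a, b in check_sample():
        print(f"mismatch: {key} PIX={a} SRX={b}")
```

Run against real configs, an empty result means the lifetimes agree; a non-empty one points at the Phase 1 or Phase 2 value to align before looking further.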
 
LVL 3

Accepted Solution

by: Matthew Borrusso (earned 2000 total points)
ID: 40602352
Let me re-phrase my first statement. I would start with looking at the timeout values. I would not worry about the soft key unless there is some odd timing issue going on past that (NTP usually clears that right up).
0
 

Author Closing Comment

by:ejefferson213
ID: 40614192
I made the changes you requested but unfortunately, the tunnel is still unreliable. I'm presently working with the Juniper folks and a consultant in an attempt to fix this problem. Thank you for taking the time to offer advice and I'll just keep at it...
0

Question has a verified solution.
