VPN between Cisco PIX 525 and Juniper SRX 100 Not Working

Due to a recent merger, we're faced with setting up a site-to-site tunnel between a Cisco device and Juniper device. We get the tunnel up but it doesn't stay up reliably. It drops without apparent reason and it's been impossible thus far to determine the cause. The Cisco logs merely show a timeout and thus far, I've been unable to locate anything in the Juniper logs (still new to it so I haven't gotten far there yet). Thus I have little to go on. But while I'm searching (and pulling my hair out), I thought I'd run it by the experts to see if anyone had a similar problem just in case..... Attached are the config files for review.

Thank you and perhaps you can save what's left of my hair.
ExpertsExchangePosting.txt
ejefferson213 Asked:
Matthew Borrusso Commented:
Check the time out values for phase1 and phase2.
If you are not rekeying properly, it will cause you this type of grief. There is a value in the Juniper you can set which will allow a soft-rekey, basically allows the expired key to work for a short "float" period. This is where I would start.

It is odd on the PIX side that you set the SA timeout to the same value as the IKE. I did not see values specified in the Juniper. I may have missed it. Junos may be different, but the defaults in ScreenOS are 28800 and 3600 seconds respectively.

One last item: check that your transform sets are encrypting at the levels you want.
In Junos I believe that the predefined are (I had to pull the old book out for this one):
The predefined Phase 1 proposals that JUNOS Software provides are as follows:
■ Standard—pre-g2-aes128-sha and pre-g2-3des-sha
■ Compatible—pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5
■ Basic—pre-g1-des-sha and pre-g1-des-md5
The predefined Phase 2 proposals that JUNOS Software provides are as follows:
■ Standard—g2-esp-3des-sha and g2-esp-aes128-sha
■ Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
■ Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

Last but not least, back to the timeouts, you also have a data limit defined for rekey (which is fine) but both sides should match.
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Good luck, but I believe this will put you in the right area!
Matt
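To make the lifetime-matching advice concrete, here is an added configuration example; it is not from the original post, the attached config files, or either vendor's documentation. It shows one matched phase 1 / phase 2 proposal pair on both boxes. The 3DES/SHA-1/DH group 2 choice, the 28800-second IKE lifetime and the 4608000-kilobyte data limit follow the values discussed above; the 3600-second phase 2 lifetime is simply a chosen value (what matters is that both sides use the same one). The proposal, policy and crypto-map names (P1-PIX, P2-PIX, IKE-POL-PIX, IPSEC-POL-PIX, TS-SRX, VPNMAP), the pre-shared-key placeholder and the Cisco syntax version (PIX 7.x style, matching the `crypto ipsec security-association` lines quoted above) are assumptions. Lines starting with `#` (Junos section) and `!` (PIX section) are explanatory annotations, not configuration to be pasted.

```text
# --- Juniper SRX, Junos set-format: Phase 1 (IKE) ---
set security ike proposal P1-PIX authentication-method pre-shared-keys
set security ike proposal P1-PIX dh-group group2
set security ike proposal P1-PIX authentication-algorithm sha1
set security ike proposal P1-PIX encryption-algorithm 3des-cbc
set security ike proposal P1-PIX lifetime-seconds 28800
set security ike policy IKE-POL-PIX mode main
set security ike policy IKE-POL-PIX proposals P1-PIX
set security ike policy IKE-POL-PIX pre-shared-key ascii-text "<PSK-PLACEHOLDER>"

# --- Juniper SRX: Phase 2 (IPsec) ---
# Explicit lifetimes so neither side relies on vendor defaults.
set security ipsec proposal P2-PIX protocol esp
set security ipsec proposal P2-PIX authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-PIX encryption-algorithm 3des-cbc
set security ipsec proposal P2-PIX lifetime-seconds 3600
set security ipsec proposal P2-PIX lifetime-kilobytes 4608000
# PFS on the SRX side (the "g2-" prefix in the predefined sets above means the same thing)
set security ipsec policy IPSEC-POL-PIX perfect-forward-secrecy keys group2
set security ipsec policy IPSEC-POL-PIX proposals P2-PIX

! --- Cisco PIX (7.x syntax): Phase 1 (ISAKMP) ---
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

! --- Cisco PIX: Phase 2 (IPsec) ---
! Same seconds/kilobytes values as the SRX proposal; these are global on the PIX.
crypto ipsec transform-set TS-SRX esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
! PFS must match the SRX policy: either both sides use group2 or neither uses PFS.
crypto map VPNMAP 10 set pfs group2
crypto map VPNMAP 10 set transform-set TS-SRX
```

Two points worth checking after applying something like this. First, PFS mismatches are easy to miss at initial setup because a responder may accept whatever the initiator proposes, and only surface later when the roles reverse at rekey, which looks exactly like a tunnel that "comes up but drops". Second, compare the negotiated lifetimes directly rather than trusting the config: `show security ike security-associations` and `show security ipsec security-associations` on the SRX, and `show crypto isakmp sa` / `show crypto ipsec sa` on the PIX. Since the Juniper side was producing nothing useful in the logs, enabling IKE tracing on the SRX (`set security ike traceoptions file ike-debug` and `set security ike traceoptions flag all`, then reading the file with `show log ike-debug`) is the quickest way to see which proposal or lifetime the rekey is failing on; remove the traceoptions once the problem is found, since they are verbose.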
Matthew Borrusso Commented:
Let me re-phrase my first statement. I would start with looking at the timeout values. I would not worry about the soft-rekey unless there is some odd timing issue going on past that (NTP usually clears that right up).
ejefferson213 (Author) Commented:
I made the changes you requested but unfortunately, the tunnel is still unreliable. I'm presently working with the Juniper folks and a consultant in an attempt to fix this problem. Thank you for taking the time to offer advice and I'll just keep at it........
Question has a verified solution.