gbarnes0990


VPN between Juniper ssg140 (Static IP) to ASA 5500 (Dynamic IP)

Hello,

I am trying to set up a VPN between an ASA in our Boston office and a Juniper SSG in our New York office. The NYC office has a number of VPNs already set up to other ASAs and Junipers, but I cannot get this one working. The Boston end isn't managed by us, but they have raised a TAC case and I am told the problem is my end. The ASA has a dynamic IP and they are using the Peer ID "BostonASA".

I have googled this problem for about a week now and cannot get it working. At first I was told I needed to get Phase 1 and Phase 2 set up and then put the IKE v1 into aggressive mode. This didn't work; I was then told to use NAT Traversal and put Phase 1 in Main mode, but this still doesn't work.

When I have rekey set I see the Tunnel as DOWN; when I turn rekey off the Tunnel goes to "READY", but that's about the best I can get it. Does anyone have any ideas, as I am now stuck?

Thanks,

Glenn
Sanga Collins

Hopefully EE Cisco experts can fill you in on what to do for the ASA, but for the SSG this is what's needed:

P1
 - If the Boston Side is Dynamic, you will need to use aggressive mode on both sides.
 - You do not need to use NAT traversal unless the Boston ASA is behind another router (i.e. it is getting a private IP on its WAN).

P2
 - You will need VPN monitor and rekey enabled.
 - Here is the kicker. Cisco devices almost always have ACLs set up with their VPN, so you will need to set up your Proxy IDs in the AutoKey IKE section to match what is in the ACL.

The VPN SA Status should go from ready to Active
gbarnes0990

ASKER

Sanga, thanks for replying. The ASA is behind a Comcast Business Router, so it is using a dynamic IP, so I was told the Peer ID was "BostonASA". Every time I set the Rekey on, the Tunnel goes into DOWN. The lifetime interval on the Cisco is 86400; I read somewhere that I had to set the Juniper to 28800 to match this, which I have.

I have entries in the Proxy ID already; they are all my subnets going to their subnet, but I will double check what they have in their ACL.

Thanks,
The ACL is usually where I have the most trouble. Especially when the Cisco is not under my control.
I finally got their ACL config and access to their Firewall, but even after going through this and amending the SSG I still cannot get the Tunnel up.

object-group network LOCAL-NETWORK
network-object 10.1.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2
network-object 192.168.120.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.134.0 255.255.254.0
network-object 192.168.140.0 255.255.255.0
network-object 192.168.150.0 255.255.255.0
network-object 192.168.160.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip object-group LOCAL-NETWORK object-group DM_INLINE_NETWORK_2

nat (inside,outside) source static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

crypto map VPNMAP 2 match address outside_cryptomap_1
crypto map VPNMAP 2 set ikev1 phase1-mode aggressive
crypto map VPNMAP 2 set peer 38.88.182.218
crypto map VPNMAP 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP interface outside
crypto ca trustpool policy
crypto isakmp identity key-id BostonASA
crypto isakmp nat-traversal 30

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 38.88.182.218 type ipsec-l2l
tunnel-group 38.88.182.218 general-attributes
default-group-policy Site2Site
tunnel-group 38.88.182.218 ipsec-attributes
ikev1 pre-shared-key *****
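One way to check the "Proxy IDs must match the ACL" point against the config above: expand the ASA crypto ACL into the (local, remote) selectors the ASA will propose, mirror them for the SSG, and diff against what is configured in the SSG's AutoKey IKE proxy-ID table. This is an added example written for this thread, not code from either vendor or from any poster; it reuses the object-group/ACL fragment posted above, and the SSG proxy-ID list is a constructed sample (its /24 vs /23 mismatch is made up to show what the diff reports, not something the thread established).

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# The object-group/ACL fragment posted above (the ASA's crypto ACL).
ASA_CONFIG = """\
object-group network LOCAL-NETWORK
network-object 10.1.2.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2
network-object 192.168.120.0 255.255.255.0
network-object 192.168.130.0 255.255.255.0
network-object 192.168.134.0 255.255.254.0
network-object 192.168.140.0 255.255.255.0
network-object 192.168.150.0 255.255.255.0
network-object 192.168.160.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip object-group LOCAL-NETWORK object-group DM_INLINE_NETWORK_2
"""

# Constructed sample of the SSG's AutoKey IKE proxy-ID table as (local, remote).
# The 192.168.134.0 entry deliberately uses /24 where the ASA mask is
# 255.255.254.0 (/23) to show what the diff reports; the thread does not say
# this was the actual problem.
SSG_PROXY_IDS = [
    ("192.168.120.0/24", "10.1.2.0/24"),
    ("192.168.130.0/24", "10.1.2.0/24"),
    ("192.168.134.0/24", "10.1.2.0/24"),  # mask typo: ASA side is /23
    ("192.168.140.0/24", "10.1.2.0/24"),
    ("192.168.150.0/24", "10.1.2.0/24"),
    ("192.168.160.0/24", "10.1.2.0/24"),
]

Net = ipaddress.IPv4Network
Pair = Tuple[str, str]  # (local network, remote network) in CIDR form


def parse_object_groups(cfg: str) -> Dict[str, List[Net]]:
    """Collect the members of every 'object-group network' in the config."""
    groups: Dict[str, List[Net]] = {}
    current: List[Net] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object host (\S+)$", line):
            current.append(Net(m.group(1) + "/32"))
        elif m := re.match(r"network-object ([\d.]+) ([\d.]+)$", line):
            current.append(Net(f"{m.group(1)}/{m.group(2)}"))  # mask form -> /prefix
    return groups


def _endpoint(tok: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Read one address term of an ACE starting at tok[i]; return (networks, next index)."""
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    if tok[i] == "host":
        return [Net(tok[i + 1] + "/32")], i + 2
    if tok[i] in ("any", "any4"):
        return [Net("0.0.0.0/0")], i + 1
    return [Net(f"{tok[i]}/{tok[i + 1]}")], i + 2


def asa_crypto_selectors(cfg: str, acl: str) -> List[Pair]:
    """Expand each 'permit ip' ACE of the crypto ACL into (local, remote) pairs.
    The ASA negotiates one Phase 2 SA per source x destination pair, so every
    pair is a selector the peer must be able to match."""
    groups = parse_object_groups(cfg)
    pairs: List[Pair] = []
    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:5] != ["access-list", acl, "extended", "permit", "ip"]:
            continue
        srcs, i = _endpoint(tok, 5, groups)
        dsts, _ = _endpoint(tok, i, groups)
        pairs += [(str(s), str(d)) for s in srcs for d in dsts]
    return pairs


def ssg_expected_proxy_ids(cfg: str, acl: str) -> Set[Pair]:
    """Mirror the ASA selectors: the SSG's local ID is the ASA's remote, and vice versa."""
    return {(remote, local) for local, remote in asa_crypto_selectors(cfg, acl)}


def proxy_id_diff(expected: Set[Pair], configured: List[Pair]) -> Dict[str, Set[Pair]]:
    """'missing' = pairs the ASA will propose that the SSG cannot match (Phase 2
    fails for that pair); 'extra' = SSG entries with no ACE behind them (stale)."""
    have = {(str(Net(l)), str(Net(r))) for l, r in configured}  # normalise notation
    return {"missing": expected - have, "extra": have - expected}


if __name__ == "__main__":
    expected = ssg_expected_proxy_ids(ASA_CONFIG, "outside_cryptomap_1")
    for kind, pairs in proxy_id_diff(expected, SSG_PROXY_IDS).items():
        for local, remote in sorted(pairs):
            print(f"{kind}: local {local} -> remote {remote}")
```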
What are the error messages in the Logs on the Juniper side when you try to connect via the VPN tunnel? I can troubleshoot the Juniper side much better than the Cisco config/setup.
OK, I have run a debug on the Juniper. I am coming from source address 192.168.120.200 and trying to RDP to 10.1.2.11; the Tunnel it should be using is Tunnel.12.

NYCFW1(M)-> debug flow basic
NYCFW1(M)-> get db stream
****** 11753522.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15651(3d23), @1d67b914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56018->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29315, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:43100) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 0 for 192.168.120.200
  add route 1 for 192.168.120.200 to route cache table
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000000000000 for 192.168.120.200
  add arp entry with MAC 000c2994a807 for 192.168.120.200 to cache table
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 43100
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753527.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15652(3d24), @1d628114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56019->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29314, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:47587) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 47587
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753532.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15653(3d25), @1d6b1914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56020->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29313, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:43480) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 43480
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753537.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15654(3d26), @1d6e6114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56021->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29312, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:43630) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 0 for 192.168.120.200
  add route 1 for 192.168.120.200 to route cache table
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000000000000 for 192.168.120.200
  add arp entry with MAC 000c2994a807 for 192.168.120.200 to cache table
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 43630
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753540.0: <Trust/ethernet0/0> packet received [52]******
  ipid = 15655(3d27), @1d6b9914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63627->10.1.2.11/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 3389, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 1800sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 27-41c73f4.
  Session (id:45633) created for first pak 27
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 45633
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63627)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
  NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.128.226.30
  matched tunnel-id <0x00000000>
****** 11753542.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15656(3d28), @1d633114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56022->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29311, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:47664) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 47664
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753543.0: <Trust/ethernet0/0> packet received [52]******
  ipid = 15657(3d29), @1d6aa914
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63627->10.1.2.11/3389,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 45633
  flow_main_body_vector in ifp ethernet0/0 out ifp N/A
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63627)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753547.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15658(3d2a), @1d6cf114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56023->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29310, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:43915) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 0 for 192.168.120.200
  add route 1 for 192.168.120.200 to route cache table
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000000000000 for 192.168.120.200
  add arp entry with MAC 000c2994a807 for 192.168.120.200 to cache table
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 43915
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753549.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 15659(3d2b), @1d61b114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63627->10.1.2.11/3389,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 45633
  flow_main_body_vector in ifp ethernet0/0 out ifp N/A
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63627)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753552.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15660(3d2c), @1d697114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56024->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29309, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:47740) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 47740
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
****** 11753557.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15661(3d2d), @1d67f114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56025->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29308, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:44877) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 0 for 192.168.120.200
  add route 1 for 192.168.120.200 to route cache table
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000000000000 for 192.168.120.200
  add arp entry with MAC 000c2994a807 for 192.168.120.200 to cache table
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 44877
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
  NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.128.226.30
  matched tunnel-id <0x00000000>
****** 11753562.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 15662(3d2e), @1d65a114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/56026->10.1.2.11/6,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 136 for 10.1.2.11
  [ Dest] 136.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 29307, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 94/11/0x9
  Permitted by policy 94
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000ae>
  matched tunnel-id <0x000000ae>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 25-c76f00c.
  Session (id:47299) created for first pak 25
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
  flow got session.
  flow session id 47299
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x25, vector addr 0xc76f00c, orig vector 0xc76f00c
  vsd 0 is active
  post addr xlation: 192.168.120.200->10.1.2.11.
interface ethernet0/0 is in admin down status, packet will be dropped.
NYCFW1(M)->
Ignore that debug, someone in the team has taken the tunnel down. I will redo the debug.
Here is the new debug with the Tunnel in READY. On the VPN Monitor it does say inactive\Inactive, and the error in the debug below says packet dropped SA Inactive.

NYCFW1(M)-> get db stream
****** 11755413.0: <Trust/ethernet0/0> packet received [52]******
  ipid = 15846(3de6), @1d652114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63949->10.1.2.11/3389,6<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  chose interface ethernet0/0 as incoming nat if.
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 192.168.120.200->10.1.2.11) in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 0 for 10.1.2.11
  add route 137 for 10.1.2.11 to route cache table
  [ Dest] 137.route 10.1.2.11->10.1.2.11, to tunnel.12
  routed (x_dst_ip 10.1.2.11) from ethernet0/0 (ethernet0/0 in 0) to tunnel.12
  policy search from zone 2-> zone 2
 policy_flow_search  policy search nat_crt from zone 2-> zone 2
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.1.2.11, port 3389, proto 6)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 120/76/0x9
  Permitted by policy 120
  No src xlate   NHTB entry search not found: vpn none tif tunnel.12 nexthop 10.1.2.11
  matched proxy-id <192.168.120.0/24, 10.1.2.0/24, 0, 0> with tunnel-id <0x000000af>
  matched tunnel-id <0x000000af>
  choose interface tunnel.12 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp tunnel.12
  vsd 0 is active
  no loop on ifp tunnel.12.
  session application type 0, name None, nas_id 0, timeout 1800sec
  service lookup identified service 0.
  flow_first_final_check: in <ethernet0/0>, out <tunnel.12>
  existing vector list 27-41c73f4.
  Session (id:44318) created for first pak 27
  flow_first_install_session======>
  handle cleartext reverse route
  search route to (tunnel.12, 10.1.2.11->192.168.120.200) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0
  cached route 1 for 192.168.120.200
  [ Dest] 1.route 192.168.120.200->192.168.120.200, to ethernet0/0
  route to 192.168.120.200
  cached arp entry with MAC 000c2994a807 for 192.168.120.200
  arp entry found for 192.168.120.200
  ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800801, tunnel ffffffff, rc 1
 input pak_ptr = 2805fe0, pmtu 1500
 use pmtu 1500
 ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
 IPv4 ESP fixed overhead 48
 cryptic_data_max_len before round down = pmtu - fxed overhead = 1500 - 48 = 1452
 cryptic_data_max_len after round down = 1448
 mtu after substracting 2-byte trailer = 1446
 total vpn overhead 54
  flow got session.
  flow session id 44318
  flow_main_body_vector in ifp ethernet0/0 out ifp tunnel.12
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63949)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
  skipping pre-frag
  going into tunnel 400000af.
  flow_encrypt: pipeline.
enqueue to IKE: timems -1130608974, Q 1, saidx 41: spi:0 done!
  packet dropped, SA inactive
  NHTB entry search not found: vpn none tif tunnel.1 nexthop 10.128.226.30
  matched tunnel-id <0x00000000>
****** 11755416.0: <Trust/ethernet0/0> packet received [52]******
  ipid = 15847(3de7), @1d694114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63949->10.1.2.11/3389,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 44318
  flow_main_body_vector in ifp ethernet0/0 out ifp N/A
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63949)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
  skipping pre-frag
  going into tunnel 400000af.
  flow_encrypt: pipeline.
enqueue to IKE: timems -1130605972, Q 1, saidx 41: spi:0 too soon
  packet dropped, SA inactive
****** 11755422.0: <Trust/ethernet0/0> packet received [48]******
  ipid = 15848(3de8), @1d668114
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:192.168.120.200/63949->10.1.2.11/3389,6<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 44318
  flow_main_body_vector in ifp ethernet0/0 out ifp N/A
  flow vector index 0x27, vector addr 0x41c73f4, orig vector 0x41c73f4
  vsd 0 is active
  adjust bi-directional vpn tcp mss.
  Got syn, 192.168.120.200(63949)->10.1.2.11(3389), nspflag 0x801801, 0x2800
  post addr xlation: 192.168.120.200->10.1.2.11.
  skipping pre-frag
  going into tunnel 400000af.
  flow_encrypt: pipeline.
enqueue to IKE: timems -1130599960, Q 1, saidx 41: spi:0 too soon
  packet dropped, SA inactive
NYCFW1(M)->
ASKER CERTIFIED SOLUTION
Sanga Collins
This solution is only available to members.
I still see inactive / inactive after making the changes. I also switched from aggressive to main. I know the other side is on aggressive as well.
phase1.png
phase2.png
gateway.png
Here is the debug; it was massive so I have put it in a txt file.
Firewall-debug.txt
Here are some other settings which are set up on the Juniper, if that helps.
Pic1.png
Pic2.png
Pic3.png
Pic4.png
Pic5.png
Pic6.png
Pic7.png
Ahh!

Pic1.png: remote site has dynamic IP address. You will need to know if this is a public IP address or private. Without this information you will not be able to proceed correctly.

gateway.png: If the remote site is using aggressive, then you should also have aggressive mode checked. For NAT traversal (if the remote site has a private IP address) you should enable UDP checksum with a 5 sec keepalive frequency.
Sanga,

This is getting confusing as I was told there is no IP and because it is dynamic I should use "BostonASA" as the Peer ID instead of an IP address.

The way their network is set up is:-

Local LAN 10.1.2.x /24 plugged into firewall
Cisco ASA firewall 10.1.2.1
Plugged into a Comcast router inside 10.1.10.1
Outside 50.199.233.118/30

I have tried removing "BostonASA" and replacing with 10.1.2.1 and also 50.199.233.118 but still have the same problem. Mode has also been switched to "Aggressive".

Cheers,
I understand it can be confusing, but knowing the remote side setup is critical to make a VPN work.

Since their Cisco is connected to Comcast and is using a private IP, you will have to use NAT traversal with UDP checksum and the keepalive frequency set to 5.

Once this part is set up, and before going on to configure phase 2, you should test to see whether the remote site is indeed attempting to create the phase 1 connection. Have someone attempt to ping an IP on the Juniper side and then check the logs on the Juniper webUI (forget about the debug logs, they are overkill for what you need).

You will see messages related to the remote site attempting to complete the phase 1 negotiation. You will either see errors about phase 1 not matching, or a success message saying phase 1 complete, attempting phase 2.

success = info      IKE x.x.x.x Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.

error = information      Rejected an IKE packet on ethernet0/9 from x.x.x.x:1011 to y.y.y.y:500 with cookies e7301a51fe46072f and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway
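As an added example (not code from the thread or from either vendor), here is a small Python triage helper for the event-log check described above: it recognises the two ScreenOS IKE event formats quoted in this thread, pulls out the peer, result and reason, and counts outcomes per peer. The log lines are constructed for the example, modelled on the lines in the thread; 198.51.100.7 is a made-up peer.

```python
import re
from collections import Counter

# Constructed ScreenOS event-log lines in the two formats quoted in this thread;
# the reject lines reuse the asker's addresses, 198.51.100.7 is a made-up peer.
SAMPLE_EVENTS = [
    "info      IKE 198.51.100.7 Phase 1: Completed Aggressive mode negotiations "
    "with a 28800-second lifetime.",
    "information      Rejected an IKE packet on ethernet0/9 from 50.199.233.118:500 "
    "to 38.88.182.218:500 with cookies b2d1ad33e01756dd and 0000000000000000 "
    "because an initial Phase 1 packet arrived from an unrecognized peer gateway.",
    "information      Rejected an IKE packet on ethernet0/9 from 50.199.233.118:500 "
    "to 38.88.182.218:500 with cookies 0123456789abcdef and 0000000000000000 "
    "because an initial Phase 1 packet arrived from an unrecognized peer gateway.",
    "info      system clock updated",  # unrelated line, must be ignored
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PHASE1_OK = re.compile(
    rf"IKE (?P<peer>{IPV4}) Phase 1: Completed (?P<mode>\w+) mode negotiations "
    rf"with a (?P<lifetime>\d+)-second lifetime")
REJECTED = re.compile(
    rf"Rejected an IKE packet on (?P<ifname>\S+) from (?P<peer>{IPV4}):\d+ "
    rf"to (?P<local>{IPV4}):\d+ .* because (?P<reason>.+?)\.?$")

def parse_event(line):
    """Classify one event-log line; returns None for lines that are not IKE events."""
    m = PHASE1_OK.search(line)
    if m:
        return {"peer": m["peer"], "result": "phase1-complete",
                "mode": m["mode"], "lifetime": int(m["lifetime"])}
    m = REJECTED.search(line)
    if m:
        reason = m["reason"]
        # "unrecognized peer gateway" means no gateway object matched this peer's
        # identity or Phase 1 proposal: compare peer ID/IP, mode, proposal and PSK.
        hint = "phase1-mismatch" if "unrecognized peer gateway" in reason else "other"
        return {"peer": m["peer"], "result": "phase1-rejected", "local": m["local"],
                "interface": m["ifname"], "reason": reason, "hint": hint}
    return None

def summarize(lines):
    """Count (peer, result) pairs so repeated rejects from one peer stand out."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            counts[(event["peer"], event["result"])] += 1
    return counts
```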
I now have access to the Cisco ASA, but I haven't a clue how to configure it. I just ran a ping to the Juniper firewall.

In the Juniper Firewall Events I see:-

Rejected an IKE packet on ethernet0/9 from 50.199.233.118:500 to 38.88.182.218:500 with cookies b2d1ad33e01756dd and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
OK, so we have a mismatch in the phase 1 setup on the Cisco and the Juniper. I no longer have a Cisco ASA deployed in my environment, so I cannot give you the direct steps to configure it, but the link below should give you something to compare with what you have and adjust accordingly.

https://blog.webernetz.net/2014/01/28/ipsec-site-to-site-vpn-juniper-screenos-cisco-asa/


Please note: the phase 1 setup on both devices must be an exact match, or you will always get the "unrecognized gateway" error message.
It doesn't matter what I set, it fails on Phase 1 every time. From what I can tell, both sides are using Group 2 and 3DES with SHA.

Could it be a mismatch on the pre-shared key?
Yes, the pre-shared key needs to be the same on both sides. The key is part of how the devices identify each other.

The security proposal should be the same as well. In the earlier pic I attached I used built in proposal "pre-g2-3des-md5" for both Juniper side and ASA phase1 instead of custom made proposals.
I have tried pre-g2-3des-sha on both Phase 1 and Phase 2 as well, with no joy.

At the moment it looks like we will be shipping an SSG20 to site, as I believe this can take control of the IP on the Comcast and we can set up a VPN more easily that way.
If that is an option available to you, then I highly recommend it. I cannot say for sure, but my belief is that the Cisco device sitting behind the Comcast modem is where the problems are coming from.

I have an SSG at home behind a Comcast modem and I am able to set up my VPN to my corp office using Aggressive mode, NAT traversal and a dynamic IP address with no issues.
After spending 3 hours with a Juniper engineer we got to the stage where Phase 1 was nearly completing but had a payload error 11. When we checked on this we found that the Juniper doesn't support a "Key ID", which is how the ASA is presenting itself. Unfortunately, we cannot set up a VPN, I am told. Our alternative at this moment is to ship one of our old Junipers to Boston and set up a VPN with that instead.
The problem isn't fixed, due to the incompatibility, but Sanga provided great help, and what he has supplied will probably help someone else who isn't facing the exact problem I had, as it will work for ASA / Juniper VPN connections.