VPN between Juniper SSG 550 - Cisco 1841



  • After successfully setting up a route-based VPN with a Cisco 1841 device on the other side (ping replies were received on both sides of the tunnel), the VPN suddenly went down.

    I tried rebuilding it by switching the tunnel off and on, but it doesn't seem to come up again.

    The log shows me: IKE <ip>Phase 1: Retransmission limit has been reached.

    Did anyone experience similar behaviour?

    Many thanks,



  • Here it goes: apparently the Cisco device had some ACLs which were blocking!!!
    So the problem has been solved, but actually no change on the Juniper side was needed 🙂



  • You can't force the device to be a responder. But if it receives VPN message 1, and given that the VPN is not already established, it will respond.



  • That can be a possibility, and I thought of it.
    But how can I set the Juniper as the responder side?



  • Hi,

    It is not necessary to be able to ping the peer. I suggested it as a test, to confirm there was connectivity between them.
    From the debug, you can see that message 1 sent @ 2012-10-11 11:51:50 does not get a response from 130.89.254.50. Then we are re-sending @ 11:51:54. Why not check the logs on the Cisco?
    You can also try initiating the VPN from the Cisco end and look at the event logs - debug IKE for more information.



  • Thanks for your reply:

    The remote peer is a fixed IP, and when I try to ping it from the Juniper device I get 100% packet loss.

    2012-10-11 11:51:50 : IKE <ip>re-trans timer expired, msg retry (8) (0001/0)
    2012-10-11 11:51:50 : IKE <ip>Initiator sending IPv4 IP 130.89.254.50/port 500
    2012-10-11 11:51:50 : IKE <ip>Send Phase 1 packet (len=156)
    2012-10-11 11:51:54 : IKE <ip>re-trans timer expired, msg retry (9) (0001/0)
    2012-10-11 11:51:54 : IKE <ip>Initiator sending IPv4 IP 130.89.254.50/port 500
    2012-10-11 11:51:54 : IKE <ip>Send Phase 1 packet (len=156)

    Is it needed to be able to ping the remote peer?
    As the VPN was already up some time ago?



  • Hi, ‘Retransmission limit has been reached’ usually points to not receiving a response from the peer.

    How have you defined the peer? Is it a static IP, a hostname or a dynamic peer? See if you can just ping the Cisco public IP from the Juniper FW.

    Also, a ‘debug ike basic’ will help you here.
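    The two replies above suggest reading the IKE debug output and checking whether message 1 ever gets an answer. The script below is an added example, not code from the thread or from Juniper: it parses ScreenOS-style "debug ike basic" lines in the shape the poster quoted (timestamp, "IKE <peer>", message), keys each exchange on the destination address from the "Initiator sending" line (because the forum rendered the peer field as a bare "<ip>"), and reports per peer how many Phase 1 sends, retransmissions and replies were seen, plus the retry interval. The "Receive Phase 1 packet" wording used to detect an inbound reply is an assumption for the healthy case; adjust the regex to whatever your ScreenOS release prints for a received packet. Both sample logs are constructed: the first reproduces the six quoted lines, the second is a made-up exchange that does get a reply.

```python
"""Flag IKE Phase 1 initiators that never receive a reply, from ScreenOS-style debug lines.

Added example for the thread above; the log format is taken from the quoted
"debug ike" output, the "Receive" line wording is an assumption.
"""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Line shape quoted in the thread. The forum rendered the peer field as "<ip>";
# on a real firewall it carries the peer address, so accept anything up to '>'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : IKE <(?P<peer>[^>]*)>\s*(?P<msg>.*)$"
)
RETRY_RE = re.compile(r"re-trans timer expired, msg retry \((?P<n>\d+)\)")
SEND_RE = re.compile(r"Initiator sending IPv4 IP (?P<ip>[\d.]+)/port (?P<port>\d+)")
# ASSUMED wording for an inbound IKE packet; not copied from a real ScreenOS log.
RECV_RE = re.compile(r"Receive Phase 1 packet")

# Constructed sample 1: the six lines the poster quoted, verbatim.
UNANSWERED_LOG = """\
2012-10-11 11:51:50 : IKE <ip>re-trans timer expired, msg retry (8) (0001/0)
2012-10-11 11:51:50 : IKE <ip>Initiator sending IPv4 IP 130.89.254.50/port 500
2012-10-11 11:51:50 : IKE <ip>Send Phase 1 packet (len=156)
2012-10-11 11:51:54 : IKE <ip>re-trans timer expired, msg retry (9) (0001/0)
2012-10-11 11:51:54 : IKE <ip>Initiator sending IPv4 IP 130.89.254.50/port 500
2012-10-11 11:51:54 : IKE <ip>Send Phase 1 packet (len=156)
"""

# Constructed sample 2: a healthy exchange where the peer answers message 1.
ANSWERED_LOG = """\
2012-10-11 11:40:00 : IKE <ip>Initiator sending IPv4 IP 130.89.254.50/port 500
2012-10-11 11:40:00 : IKE <ip>Send Phase 1 packet (len=156)
2012-10-11 11:40:00 : IKE <ip>Receive Phase 1 packet (len=160)
"""


def parse(log_text):
    """Yield (timestamp, peer_field, message) for every line that matches LINE_RE."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["peer"], m["msg"]


def analyze(log_text):
    """Return {peer_ip: summary} describing Phase 1 sends, retries and replies per peer.

    A peer is "unanswered" when it has been retried at least once and no
    inbound packet was seen after the first send.
    """
    state = {}
    current_peer = None     # peer of the most recent "Initiator sending" line
    pending_retry = None    # retry counter seen just before the next send
    for ts, _peer_field, msg in parse(log_text):
        retry = RETRY_RE.search(msg)
        if retry:
            pending_retry = int(retry["n"])
            continue
        send = SEND_RE.search(msg)
        if send:
            current_peer = send["ip"]
            s = state.setdefault(current_peer, {
                "sends": 0, "max_retry": 0, "responses": 0,
                "first_send": ts, "last_send": ts, "ports": set(),
            })
            s["sends"] += 1
            s["last_send"] = ts
            s["ports"].add(int(send["port"]))
            if pending_retry is not None:
                s["max_retry"] = max(s["max_retry"], pending_retry)
                pending_retry = None
            continue
        if RECV_RE.search(msg) and current_peer in state:
            state[current_peer]["responses"] += 1

    report = {}
    for ip, s in state.items():
        gaps = s["sends"] - 1
        span = (s["last_send"] - s["first_send"]).total_seconds()
        report[ip] = {
            "sends": s["sends"],
            "max_retry": s["max_retry"],
            "responses": s["responses"],
            "retry_interval_s": span / gaps if gaps else None,
            "unanswered": s["responses"] == 0 and s["max_retry"] > 0,
            "ports": sorted(s["ports"]),
        }
    return report


if __name__ == "__main__":
    for label, log in (("quoted log", UNANSWERED_LOG), ("healthy log", ANSWERED_LOG)):
        for ip, summary in analyze(log).items():
            print(label, ip, summary)
```

    Run against the quoted lines it reports 130.89.254.50 as unanswered at retry 9 with a 4-second retransmit interval, which is the same conclusion the reply above draws by eye; an unanswered initiator with ICMP also failing points at filtering (an ACL on the peer, as it turned out here) or routing rather than at the Juniper's proposal settings.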

