SSG-ASA VPN failing re-initiate every few minutes



  • Hello,

    My SSG-350M has a VPN to a Cisco ASA firewall; it would fail every one or two weeks, then resume after a few hours without my doing anything. When it failed, I noticed that the ASA firewall would send DPD R_U_There messages to the SSG, so I enabled DPD on the SSG today when it failed again this morning.

    Right now, user traffic seems to be able to pass through the VPN. But in the log, I see the messages below every few minutes:


    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 00967003: Completed negotiations with SPI 86e7acee, tunnel ID 106, and lifetime 3600 seconds/4194303 KB.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 00967003: Received responder lifetime notification. (0 sec/4608000 KB)
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 8c7aca09: Completed negotiations with SPI 86e7aced, tunnel ID 105, and lifetime 3600 seconds/4194303 KB.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 8c7aca09: Received responder lifetime notification. (0 sec/4608000 KB)
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
    2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 5a6c9b62: Completed negotiations with SPI 86e7acec, tunnel ID 104, and lifetime 3600 seconds/4194303 KB.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 5a6c9b62: Received responder lifetime notification. (0 sec/4608000 KB)
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
    2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
    2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
    2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    ….

    2017-03-30 14:26:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Completed negotiations with SPI 86e7aceb, tunnel ID 102, and lifetime 3600 seconds/4194303 KB.
    2017-03-30 14:26:05 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
    2017-03-30 14:26:05 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/104. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
    2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Responded to the peer’s first message.
    2017-03-30 14:26:05 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/200. Cookies: 3be3ee1bbdb05515, b08229a40276538b.


    Here’s my SSG configuration:
    set ike gateway "XXXX" address 123.177.20.1 Main outgoing-interface "ethernet0/2" preshare "XsUZ+iaINJuRnaswNyCnEcoUYcnBviC2MPVUrk/fOzngQBF2kTrj/NI=" proposal "pre-g2-3des-sha"
    set ike gateway "XXXX" dpd-liveness interval 5
    set ike gateway "XXXX" dpd-liveness reconnect 60

    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log

    set vpn "XXXX" gateway "XXXX" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set vpn "XXXX" id 0x61 bind interface tunnel.8

    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "APPLE-ICHAT"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
    set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"

    Can anyone help? Thanks!
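As an added illustration (not code from the post or from Juniper), here is a small Python checker that runs over the IKE log lines quoted above and reports two things worth knowing before changing the tunnel: how many Phase 2 SAs complete in the same second (the SSG builds one SA per proxy-ID pair), and how far short of the negotiated 3600 s lifetime the renegotiations happen. The sample lines are copied from the post, with the peer address left redacted as XX.XX.XX.XX.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (peer address redacted there as XX.XX.XX.XX).
SAMPLE_LOG = """\
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 00967003: Completed negotiations with SPI 86e7acee, tunnel ID 106, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 8c7aca09: Completed negotiations with SPI 86e7aced, tunnel ID 105, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 5a6c9b62: Completed negotiations with SPI 86e7acec, tunnel ID 104, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Completed negotiations with SPI 86e7aceb, tunnel ID 102, and lifetime 3600 seconds/4194303 KB.
"""

# Matches the ScreenOS "Completed negotiations" line and pulls out what we need.
COMPLETED = re.compile(
    r"^(?P<ts>\S+ \S+) info IKE (?P<peer>\S+) Phase 2 msg ID [0-9a-f]+: "
    r"Completed negotiations with SPI [0-9a-f]+, tunnel ID (?P<tid>\d+), "
    r"and lifetime (?P<secs>\d+) seconds/\d+ KB")

def parse_completed(log_text):
    # Yields (peer, datetime, tunnel_id, lifetime_secs) per Phase 2 completion.
    for line in log_text.splitlines():
        m = COMPLETED.match(line)
        if m:
            yield (m["peer"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   int(m["tid"]), int(m["secs"]))

def analyse(log_text, early_fraction=0.5):
    """Return a list of findings about Phase 2 rekey behaviour per IKE peer."""
    # (peer, second) -> tunnel IDs completed in that second; one SA per proxy-ID pair.
    bursts = defaultdict(set)
    lifetime = {}
    for peer, ts, tid, secs in parse_completed(log_text):
        bursts[(peer, ts)].add(tid)
        lifetime[peer] = secs
    findings = []
    for (peer, ts), tids in sorted(bursts.items()):
        if len(tids) > 1:
            findings.append(f"{peer}: {len(tids)} Phase 2 SAs completed at "
                            f"{ts:%H:%M:%S} (tunnel IDs {sorted(tids)})")
    # A gap between consecutive bursts far below the negotiated lifetime means the
    # SAs are being replaced long before a normal lifetime-driven rekey would happen.
    by_peer = defaultdict(list)
    for peer, ts in bursts:
        by_peer[peer].append(ts)
    for peer, times in by_peer.items():
        times.sort()
        for a, b in zip(times, times[1:]):
            gap = int((b - a).total_seconds())
            if gap < early_fraction * lifetime[peer]:
                findings.append(f"{peer}: new Phase 2 SAs after {gap}s, "
                                f"negotiated lifetime is {lifetime[peer]}s")
    return findings
```

On the quoted lines it reports three SAs established in the same second (tunnel IDs 104, 105, 106) and a renegotiation only 601 s after the previous one, which is what to compare before and after reducing the number of proxy-IDs.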



  • Hi
    IPsec between Juniper and Cisco ASA doesn’t really work well.
    The problem is the way the proxy-IDs are negotiated between the Juniper and the ASA. The ASA can (as far as I know) only work with one. Therefore it is not a problem of the SSG, because Juniper is pretty standard in IPsec.

    Try to use only one proxy-ID per tunnel and check again. If you are using a route-based VPN, check the routes (inbound/outbound). Don’t forget to open the ruleset on the Juniper!

    Cheers Josh

