Author Topic: SSG-ASA VPN failing re-initiate every few minutes  (Read 261 times)

pswolfwind

SSG-ASA VPN failing re-initiate every few minutes
« on: March 30, 2017, 02:07:20 am »
Hello,

My SSG-350M has a VPN to a Cisco ASA firewall. It would fail every one or two weeks, then resume after a few hours without anyone doing anything. When it failed, I noticed that the ASA firewall would send DPD R_U_There messages to the SSG, so I enabled DPD on the SSG today when it failed again this morning.

Right now, user traffic seems to be able to pass through the VPN. But in the log, I see the messages below every few minutes:

_____________________________________________________________
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 00967003: Completed negotiations with SPI 86e7acee, tunnel ID 106, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 00967003: Received responder lifetime notification. (0 sec/4608000 KB)
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 8c7aca09: Completed negotiations with SPI 86e7aced, tunnel ID 105, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 8c7aca09: Received responder lifetime notification. (0 sec/4608000 KB)
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 5a6c9b62: Completed negotiations with SPI 86e7acec, tunnel ID 104, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 5a6c9b62: Received responder lifetime notification. (0 sec/4608000 KB)
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Received a notification message for DOI 1 24576 RESPONDER-LIFETIME.
2017-03-30 14:36:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/216. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:36:03 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
....
....
2017-03-30 14:26:06 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/96. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Completed negotiations with SPI 86e7aceb, tunnel ID 102, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX phase 2:The symmetric crypto key has been generated successfully.
2017-03-30 14:26:05 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/104. Cookies: 3be3ee1bbdb05515, b08229a40276538b.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Responded to the peer's first message.
2017-03-30 14:26:05 info Received an IKE packet on ethernet0/2 from XX.XX.XX.XX:500 to 172.27.68.2:500/200. Cookies: 3be3ee1bbdb05515, b08229a40276538b.

_____________________________________________________

Here's my SSG configuration:
set ike gateway "XXXX" address 123.177.20.1 Main outgoing-interface "ethernet0/2" preshare "XsUZ+iaINJuRnaswNyCnEcoUYcnBviC2MPVUrk/fOzngQBF2kTrj/NI=" proposal "pre-g2-3des-sha"
set ike gateway "XXXX" dpd-liveness interval 5
set ike gateway "XXXX" dpd-liveness reconnect 60

set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log

set vpn "XXXX" gateway "XXXX" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "XXXX" id 0x61 bind interface tunnel.8

set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "APPLE-ICHAT"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"
set vpn "XXXX" proxy-id local-ip XX.XX.XX.XX remote-ip XX.XX.XX.XX "ANY"


Can anyone help? Thanks!
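The log excerpt above shows three Phase 2 SAs completing in the same second at 14:36:06, another at 14:26:05, and the ASA's responder-lifetime notification reporting 0 seconds (only a KB limit). A small parser that pulls those facts out of ScreenOS IKE log lines makes the pattern easier to see than reading the raw log. The script below is an added example, not code from the original post; it assumes the line format exactly as shown in the post, and the sample lines embedded in it are copied from the post (peer address already anonymised as XX.XX.XX.XX):

```python
import re
from datetime import datetime

# Sample input: log lines copied from the forum post above (a subset, in the
# order the post shows them, newest first).
SAMPLE_LOG = """\
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 00967003: Completed negotiations with SPI 86e7acee, tunnel ID 106, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX: Phase 2 msg ID 00967003: Received responder lifetime notification. (0 sec/4608000 KB)
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 8c7aca09: Completed negotiations with SPI 86e7aced, tunnel ID 105, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2 msg ID 5a6c9b62: Completed negotiations with SPI 86e7acec, tunnel ID 104, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:36:06 info IKE XX.XX.XX.XX Phase 2: Initiated negotiations.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Completed negotiations with SPI 86e7aceb, tunnel ID 102, and lifetime 3600 seconds/4194303 KB.
2017-03-30 14:26:05 info IKE XX.XX.XX.XX Phase 2 msg ID 446da336: Responded to the peer's first message.
"""

# Common prefix of every IKE line: timestamp, level, "IKE", peer (some lines
# put a colon after the peer, some do not).
PREFIX = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ IKE (?P<peer>[^\s:]+):? "
COMPLETED_RE = re.compile(
    PREFIX + r"Phase 2 msg ID (?P<msgid>[0-9a-f]+): Completed negotiations with SPI "
    r"(?P<spi>[0-9a-f]+), tunnel ID (?P<tid>\d+), and lifetime (?P<life_s>\d+) seconds/(?P<life_kb>\d+) KB\.$")
RESPONDER_LIFETIME_RE = re.compile(
    PREFIX + r"Phase 2 msg ID (?P<msgid>[0-9a-f]+): Received responder lifetime notification\. "
    r"\((?P<life_s>\d+) sec/(?P<life_kb>\d+) KB\)$")
INITIATED_RE = re.compile(PREFIX + r"Phase 2: Initiated negotiations\.$")
RESPONDED_RE = re.compile(PREFIX + r"Phase 2 msg ID (?P<msgid>[0-9a-f]+): Responded to the peer's first message\.$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_events(text):
    """Turn the four Phase 2 line types into event dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := COMPLETED_RE.match(line)):
            events.append({"kind": "completed", "ts": _ts(m["ts"]), "peer": m["peer"],
                           "msgid": m["msgid"], "spi": m["spi"], "tunnel_id": int(m["tid"]),
                           "life_s": int(m["life_s"]), "life_kb": int(m["life_kb"])})
        elif (m := RESPONDER_LIFETIME_RE.match(line)):
            events.append({"kind": "responder_lifetime", "ts": _ts(m["ts"]), "peer": m["peer"],
                           "msgid": m["msgid"], "life_s": int(m["life_s"]), "life_kb": int(m["life_kb"])})
        elif (m := INITIATED_RE.match(line)):
            events.append({"kind": "initiated", "ts": _ts(m["ts"]), "peer": m["peer"]})
        elif (m := RESPONDED_RE.match(line)):
            events.append({"kind": "responded", "ts": _ts(m["ts"]), "peer": m["peer"], "msgid": m["msgid"]})
    return events


def summarize(events):
    """Report how often Phase 2 SAs complete, who initiates, and lifetime mismatches.

    Heuristic (an assumption of this example): a gap between completion bursts
    shorter than half the negotiated lifetime is flagged as rekeying churn.
    """
    completed = [e for e in events if e["kind"] == "completed"]
    if not completed:
        return {"completed": 0}
    burst_times = sorted({e["ts"] for e in completed})   # distinct seconds with completions
    gaps = [(b - a).total_seconds() for a, b in zip(burst_times, burst_times[1:])]
    lifetime = min(e["life_s"] for e in completed)
    responder = [e for e in events if e["kind"] == "responder_lifetime"]
    return {
        "completed": len(completed),
        "tunnel_ids": sorted(e["tunnel_id"] for e in completed),
        "bursts": len(burst_times),
        "min_gap_seconds": min(gaps) if gaps else None,
        "local_lifetime_seconds": lifetime,
        "local_initiated": sum(1 for e in events if e["kind"] == "initiated"),
        "peer_initiated": sum(1 for e in events if e["kind"] == "responded"),
        # ASA reported "0 sec": it only expresses its Phase 2 lifetime in KB.
        "responder_sends_only_kb_lifetime": bool(responder) and all(e["life_s"] == 0 for e in responder),
        "rekeying_faster_than_lifetime": bool(gaps) and min(gaps) < lifetime / 2,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log (`python3 ike_phase2.py < log.txt` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the counters show whether the completions line up with the number of proxy-IDs configured on the tunnel, which side keeps initiating, and that the two peers are not agreeing on a lifetime in the same unit.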



joshua.tres

Re: SSG-ASA VPN failing re-initiate every few minutes
« Reply #1 on: April 15, 2017, 06:56:53 am »
Hi
IPsec between Juniper and Cisco ASA doesn't really work well.
The problem is the way the proxy-IDs are negotiated between the Juniper and the ASA. The ASA can (as far as I know) only work with one. Therefore it is not a problem of the SSG, because Juniper is pretty standard in IPsec.

Try to use only one proxy-ID per tunnel and check again. If you are using a route-based VPN, check the routing (inbound/outbound). Don't forget to open the ruleset on the Juniper!

Cheers Josh