Phase-2 PFS Problem

Hi All,

Faced some kind of strange problem when setting up a VPN tunnel between Cisco routers & a Juniper ISG firewall.

The problem we faced is, the VPN tunnel came up in Phase 1 & Phase 2 and we were able to do ICMP & telnet tests as well.

However, when users came to work they faced frequent disconnections. I mean the first webpage used to open & the next not, or in other applications the first sessions used to go through but the next not. Since I was not on the battlefield I don't know the exact logs showing the connection status.

But when I investigated, what I found is that PFS on the Cisco router was disabled, whereas on the Juniper it was enabled with Group 1.

I feel the issue could have happened due to PFS only. Can someone please help me to know if that is the reason? (Verified MSS errors but didn't see those.)

Yogesh

3 Replies

Tariq Bader
Cisco Employee

If you have PFS enabled on one end it has to be also enabled on the other end.

This is additional security for the IPsec tunnel encryption keys using Diffie-Hellman groups; not having this setting matched on both ends will affect the traffic.

Regards,

Tariq

Thanks Tariq,

Understood. Later what I understood is that at the Juniper end PFS Group 2 was enabled & at the Cisco router end PFS Group 1 was enabled. Do you think in that case telnet will work & apps don't?

In the same setup with another Cisco edge router PFS Group 1 was configured, but it looks like that got overridden & applications worked perfectly. At offshore it was the same Juniper & configurations.

Yogesh

Tariq Bader
Cisco Employee

This could really be because of the overhead PFS adds to the traffic.

Do you have the DF bit set or clear?

Can you disable PFS and see?

Does this happen for TCP applications only or even pings?

To be more sure, please provide your configuration.

Can you


Sent from Cisco Technical Support Android App
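An added configuration example (not the poster's configuration, nor anything from the thread) of what the Phase 2 PFS mismatch discussed above looks like on the Cisco IOS side, with the mismatched crypto map shown beside the corrected one. The crypto map, transform-set and ACL names, the 198.51.100.1 peer and the 10.x.0.0 networks are constructed placeholders; the ISG side is assumed to use a ScreenOS g2-* Phase 2 proposal (DH group 2).

```cisco
! Added example, not the poster's configuration. Names and addresses are placeholders.
! Phase 1 (ISAKMP). The DH group here is separate from the Phase 2 PFS group below.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
crypto ipsec transform-set TS-ISG esp-aes esp-sha-hmac
 mode tunnel
!
ip access-list extended ACL-VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! BEFORE (mismatch): the ISG's Phase 2 proposal requires PFS with DH group 2
! (a g2-* proposal in ScreenOS), but the router offers group 1, or has no
! "set pfs" line at all (PFS off). Depending on which side initiates the SA or a
! rekey, Quick Mode can succeed one time and fail the next, which fits the
! "first session works, the next does not" symptom in the thread.
crypto map CM-ISG 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-ISG
 set pfs group1
 match address ACL-VPN
!
! AFTER (corrected): the router's PFS group equals the group in the ISG's
! Phase 2 proposal, so both ends derive fresh Phase 2 keys the same way.
crypto map CM-ISG 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-ISG
 set pfs group2
 match address ACL-VPN
!
interface GigabitEthernet0/0
 crypto map CM-ISG
```

After the change, `show crypto ipsec sa` on the router reports the PFS setting and DH group negotiated for each SA, which is the quickest way to confirm both ends agree.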
