Cisco ASAv site-to-site VPN to Symantec Web Security Service (WSS)

Hi all, 


I'm having some serious technical issues with establishing a site-to-site VPN to Symantec's Web Security Service (WSS). Getting technical support to help is also really, really painful. After three months of pulling my hair out I finally had a WebEx troubleshooting session, but unfortunately it was unsuccessful and we didn't get anywhere. 


This is my setup 

                                            Customer FW              NAT - Edge FW                                                    

{Multiple DMZ s / LANS}-----(>|) ASA FW ---------- (FGT-FW)-----------(Internet)---------(Symantec WSS)---(Proxy)




The customer firewall is the ASAv firewall. 

The Fortigate is a perimeter firewall for all customers and NATs the outside interface of the ASA firewall to a public IP address; in terms of security policy it's wide open (any any). The ASA is more restrictive. 


I followed the following KB from Symantec (or Broadcom, as they are currently known) but with some tweaks. I will explain: 



> Note: in other articles they have variations in config which I had to follow, such as: 

NAT-T, when used: you need to change the IKE ID to the public IP address that the upstream FW is NATing the ASA's outside IP to. I had to do this on the ASA via ASDM, but it can be done on the CLI as 

crypto isakmp identity key-id <Public IP Address> 



I also didn't follow their advice on 'any' local encryption domain and 'any' remote encryption domain - I caused an outage whilst the firewall tried to bring up the tunnel. Instead I used the classless RFC 1918 address as my local encryption domain and (ip address used) as the remote, i.e. the Symantec proxy IP address. 

I have other VPN tunnels set up on this firewall, and even if my local encryption domain was set to 'any' it would have overlapped with the other tunnels - the firewall did grumble at this!


I did NAT exempt for traffic headed for the proxy IP address for HTTP and HTTPS. 


I used the same phase 1 and phase 2 settings, and what's interesting is that Symantec in phase 1 tries to negotiate 3DES / SHA / DH group 5.... strange.... The ASA didn't like it. 


I went through the setup with Symantec over the WebEx and they said it looked OK; however, they didn't see any errors or messages that would indicate that phase 1 was unsuccessful. At my end, though, all I ever got when running show crypto ikev1 sa was the message telling me it was waiting for a response from Symantec:


State : MM_WAIT_MSG6


Even if I change the phase 1 params to 3DES / SHA / DH group 5 it still doesn't come up. 


It's not successfully negotiating phase 1.


Anyone else experiencing this issue and the lack of support from Symantec?
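The post reports that the tunnel sits at MM_WAIT_MSG6 in the output of show crypto ikev1 sa. A quick way to turn that output into a phase 1 triage is to parse the per-peer state and map it onto the IKEv1 main-mode message sequence: MM_WAIT_MSGn means the ASA has sent message n-1 and is waiting for message n, so MM_WAIT_MSG2 is a proposal/reachability problem, MM_WAIT_MSG4 a Diffie-Hellman/nonce problem, and MM_WAIT_MSG6 means proposals and DH already succeeded and the peer is not answering the authentication exchange (pre-shared key or IKE identity, which is exactly what the key-id change for NAT-T affects). The script below is an added example, not the poster's code or a Cisco tool; the sample output is constructed with documentation-range peer addresses and follows the layout of show crypto ikev1 sa on an ASA.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of ASA 'show crypto ikev1 sa' output (peers are
# documentation-range placeholders, not the poster's or Symantec's addresses).
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Main-mode states mapped to the IKEv1 exchange they belong to.
# MM_WAIT_MSGn = "sent message n-1, waiting for message n" from the peer.
EXCHANGE_OF_STATE = {
    "MM_WAIT_MSG2": "proposal (msg 1-2): peer unreachable, UDP 500 blocked, or no matching IKE policy",
    "MM_WAIT_MSG3": "proposal (msg 2-3): responder answered but initiator sent nothing further",
    "MM_WAIT_MSG4": "key exchange (msg 3-4): DH group / nonce exchange not answered",
    "MM_WAIT_MSG5": "key exchange (msg 4-5): responder waiting for initiator's identity/hash",
    "MM_WAIT_MSG6": "authentication (msg 5-6): pre-shared key or IKE identity (key-id) not accepted by peer",
    "MM_ACTIVE": "phase 1 complete",
}

ENTRY_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")


@dataclass
class IkeSa:
    peer: str
    sa_type: str = ""
    role: str = ""
    state: str = ""


def parse_ikev1_sa(text: str) -> List[IkeSa]:
    """Parse the per-peer entries of 'show crypto ikev1 sa' into IkeSa records."""
    sas: List[IkeSa] = []
    current: Optional[IkeSa] = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = IkeSa(peer=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue  # still in the summary header
        m = TYPE_RE.search(line)
        if m:
            current.sa_type, current.role = m.group(1), m.group(2)
            continue
        m = STATE_RE.search(line)
        if m:
            current.state = m.group(2)
    return sas


def diagnose(sa: IkeSa) -> str:
    """Name the main-mode exchange a tunnel is stuck in (or report completion)."""
    return EXCHANGE_OF_STATE.get(sa.state, f"unrecognised state {sa.state}")


def stuck_tunnels(text: str) -> List[Tuple[str, str, str]]:
    """Return (peer, role, diagnosis) for every SA that has not reached MM_ACTIVE."""
    return [
        (sa.peer, sa.role, diagnose(sa))
        for sa in parse_ikev1_sa(text)
        if sa.state.startswith("MM_WAIT")
    ]


if __name__ == "__main__":
    for peer, role, why in stuck_tunnels(SAMPLE_OUTPUT):
        print(f"{peer} ({role}): {why}")
```

Run against a saved copy of the show command output, the script lists only the tunnels that have not completed phase 1 and says which exchange they stalled in. For the state in the post, the diagnosis points at the authentication step rather than at proposal mismatch, which is why changing the encryption/hash/DH parameters alone would not be expected to move the tunnel past MM_WAIT_MSG6.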


Re: Cisco ASAv site-to-site VPN to Symantec Web Security Service (WSS)

Were you able to get this issue resolved in the end? Would appreciate any potential guidance you could offer.