09-19-2013 06:55 PM - edited 03-11-2019 07:41 PM
Hi All,
Faced some kind of strange problem when setting up a VPN tunnel between Cisco routers and a Juniper ISG firewall.
The problem we faced is that the VPN tunnel came up in phase 1 and phase 2, and we were able to do ICMP and telnet tests as well.
However, when users came to work they faced frequent disconnections. I mean, the first web page used to open and the next one did not, or in other applications the first session used to go through but the next did not. Since I was not on the battlefield I don't know the exact logs showing the status in terms of connection.
But when I investigated, what I found is that PFS on the Cisco router was disabled, whereas on the Juniper it was enabled with Group 1.
I feel the issue could have happened due to PFS only. Can someone please help me to know if that is the reason? (Verified MSS errors but didn't see those.)
Yogesh
09-20-2013 06:17 PM
If you have PFS enabled on one end, it has to be enabled on the other end as well.
This is additional security for the IPsec tunnel encryption keys using Diffie-Hellman groups; not having this setting matched on both ends will affect the traffic.
Regards,
Tariq
09-20-2013 09:25 PM
Thanks Tariq,
Understood. What I later understood is that at the Juniper end PFS Group 2 was enabled and at the Cisco router end PFS Group 1 was enabled. Do you think in that case telnet would work and apps would not?
In the same setup with another Cisco edge router PFS Group 1 was configured, but it looks like that was overridden and applications worked perfectly. At offshore it was the same Juniper and configuration.
Yogesh
09-20-2013 11:57 PM
This could really be because of the overhead PFS adds to the traffic.
Do you have the DF bit set or clear?
Can you disable the PFS and see?
Does this happen for TCP applications only or even pings?
To be more sure, please provide your configuration.
Can you
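As an added illustration of the settings discussed in this thread (not the original poster's configuration, and not taken from any reply above): the Cisco IOS crypto map with PFS missing beside the same map with the PFS group matched to the peer, the `show` command that confirms which group was actually negotiated, and the MSS and DF-bit knobs raised in the last reply. The ScreenOS proposal name at the end shows the corresponding Juniper side. Peer address, map, ACL and transform-set names are placeholders, and the `!` lines are annotations only.

```cisco
! --- Mismatched: no PFS on the Cisco side while the Juniper phase-2
! --- proposal expects a PFS group (the situation described in the thread)
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address VPN-ACL
! (no "set pfs" line: IOS will accept a quick-mode without PFS,
!  but rekeys initiated from the Juniper side carry a DH payload)

! --- Corrected: the same PFS group configured on both ends
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address VPN-ACL

! --- Verification: the active SA should report PFS and the DH group.
! show crypto ipsec sa
!   ... PFS (Y/N): Y, DH group: group2 ...
! Compare this with the peer's phase-2 proposal; a mismatch shows up as
! rekey failures after the first SA lifetime rather than at tunnel bring-up.

! --- The DF-bit and MSS questions from the last reply
! Clamp TCP MSS on the LAN-facing interface so encrypted packets fit the
! path MTU, and clear DF so oversized packets are fragmented, not dropped.
interface GigabitEthernet0/1
 description inside LAN
 ip tcp adjust-mss 1360
crypto ipsec df-bit clear

! --- Juniper ScreenOS side: the predefined phase-2 proposal name encodes
! --- the PFS group, so it must match the Cisco "set pfs" group.
!   g2-esp-3des-sha    -> PFS Group 2 (matches "set pfs group2" above)
!   g1-esp-3des-sha    -> PFS Group 1
!   nopfs-esp-3des-sha -> no PFS (matches a map with no "set pfs" line)
set vpn VPN-TO-CISCO gateway GW-CISCO proposal g2-esp-3des-sha
```

The practical check is the `show crypto ipsec sa` output on the Cisco side against the proposal name on the Juniper side: if one reports `PFS (Y/N): N` or a different DH group than the other, the first SA may still come up, which is why ping and telnet tests right after bring-up can pass while later sessions fail.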