09-22-2015 02:32 AM - edited 03-05-2019 02:21 AM
Hello guys,
I established a site-to-site VPN connection between a Cisco 877 and a Juniper SRX240H2 firewall using these hashes and encryption settings:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key testsharedkey address 83.xxx.xxx.xxx
crypto ipsec transform-set bilset esp-aes 256 esp-sha-hmac
crypto map RAM_TO_NET 10 ipsec-isakmp
 set peer 83.xxx.xxx.xxx
 set transform-set bilset
 match address VPN_TRAFFIC
interface Dialer1
 crypto map RAM_TO_NET
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 remark NAT
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Well, everything went just fine and the tunnel is up and active. Then I tried to ping a host on the remote site and it won't ping, it just gives "request timed out". So I went to Cisco Configuration Professional, and when I tested the tunnel it gave me:
Failure Reason(s)
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
Recommended Action(s)
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
Well, I issued crypto ipsec df-bit clear under Dialer1, but it didn't work.
So help me guys, what am I supposed to do?
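As an added illustration, not code from the thread or from Cisco or Juniper: a small Python calculator for the ESP tunnel-mode overhead of the posted transform set (esp-aes 256 esp-sha-hmac), showing why a full-size packet with DF set cannot be encapsulated onto the dialer without fragmentation and how much smaller the inner packets have to be. The header sizes, the AES-CBC/HMAC-SHA1-96 assumption and the 1492-byte PPPoE figure are assumptions, not values the posters stated.

```python
import math

# Constructed sizes for the transform set in the original post (tunnel mode,
# esp-aes 256 esp-sha-hmac). Assumed: AES-CBC (16-byte IV/block), HMAC-SHA1-96.
OUTER_IP = 20       # new IPv4 header added in tunnel mode (no options)
ESP_HDR = 8         # SPI (4) + sequence number (4)
AES_IV = 16         # AES-CBC initialisation vector
AES_BLOCK = 16      # plaintext is padded to a multiple of this
ESP_TRAILER = 2     # pad length (1) + next header (1)
SHA1_ICV = 12       # HMAC-SHA1-96 integrity check value
NAT_T_UDP = 8       # UDP/4500 header if NAT traversal is negotiated
PPPOE_OVERHEAD = 8  # PPPoE (6) + PPP (2): why a Dialer interface is usually 1492


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """IP-layer size of the ESP tunnel-mode packet carrying an inner_len-byte packet."""
    plaintext = inner_len + ESP_TRAILER
    padded = math.ceil(plaintext / AES_BLOCK) * AES_BLOCK
    size = OUTER_IP + ESP_HDR + AES_IV + padded + SHA1_ICV
    return size + NAT_T_UDP if nat_t else size


def fits(inner_len: int, link_mtu: int, nat_t: bool = False) -> bool:
    """True if the encapsulated packet leaves the box without fragmentation."""
    return esp_packet_size(inner_len, nat_t) <= link_mtu


def max_inner_packet(link_mtu: int, nat_t: bool = False) -> int:
    """Largest inner packet that still fits link_mtu after ESP encapsulation.

    A DF-set packet larger than this is what the CCP test sends, and it is
    dropped unless the DF bit is cleared or the hosts use a smaller MTU.
    """
    for inner in range(link_mtu, 0, -1):
        if fits(inner, link_mtu, nat_t):
            return inner
    return 0


if __name__ == "__main__":
    dialer_mtu = 1500 - PPPOE_OVERHEAD   # 1492 on a typical PPPoE Dialer
    for mtu in (1500, dialer_mtu):
        print(f"link MTU {mtu}: max inner packet {max_inner_packet(mtu)} bytes")
    for inner in (1500, 1400, 1300):
        print(f"inner {inner} -> {esp_packet_size(inner)} bytes on the wire; "
              f"fits {dialer_mtu}? {fits(inner, dialer_mtu)}")
```

With these assumptions a 1500-byte inner packet becomes 1560 bytes on the wire, while 1300-byte packets (the value suggested later in the thread) encapsulate to 1368 bytes and fit a 1492-byte dialer comfortably.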
09-22-2015 06:21 AM
Hi Addey,
If the tunnel is up but the traffic won't flow, I would double-check the "NONAT" configuration on both ends.
Best Regards,
09-22-2015 06:51 AM
Thank you for your reply, but I tried the NONAT and it's still not working :\
route-map nonat permit 10
 match ip address 100
ip nat inside source route-map nonat interface Dialer1 overload
09-22-2015 06:57 AM
You beat me to it, hopefully you see this.
09-22-2015 07:15 AM
Set both sides to 1300 MTU and see if that helps.
Mike
09-23-2015 01:04 AM
That is a strange MTU size. Do you have the Cisco VPN client installed? I know this can alter default MTU settings on host devices.
09-22-2015 07:12 AM
Hi Addey,
Could you please advise why you added the deny on the ACL?
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
The only ACL you need for the traffic you want to send over the tunnel is the crypto ACL, in this case VPN_TRAFFIC, which defines your interesting traffic and basically tells your router to "NONAT" that traffic. You should have a mirror of that ACL on your other end, with the order of source and destination swapped, of course.
09-22-2015 06:55 AM
I believe that the default MTU values are different on the two devices:
Juniper is 1514 and Cisco is 1500. This could be causing an issue.
09-22-2015 07:01 AM
I changed the MTU on the Cisco to different values, still not working :/