Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
676
Views
0
Helpful
0
Comments

The VPN tunnel between ASA 5500 and Netscreen does not come up

TCC_2
Advocate
Advocate

on ‎06-22-2009 04:10 PM

Core issue

These are among the reasons for this issue:

  • Mismatching phase one policies

  • Mismatching crypto Access Control Lists (ACLs)

  • Wrong IP address defined for peer on either devices
     
  • NAT bypass

  • Mismatching pre-share key

  • Perfect Forward Secrecy (PFS) is enabled or disabled on either end

Resolution

To resolve this issue, perform these steps:

  1. Check if phase one comes up or not. If not, match the Internet Security Association and Key Management Control Policies (ISAKMP), pre-share key and IP address for peer.

  2. If phase two does not come up, match the ACLs, and make sure that natting is being bypassed.

  3. If everything matches and the tunnel is still not coming up, determine if PFS is enable or disabled. PFS must be enabled or disabled on both ends.

PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.

Note: PFS is disabled by default on Adaptive Security Appliance (ASA).

For addition information about PFS, refer to the Configuring Perfect Forward Secrecy section of Configuring Group Policies.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Quick Links
Discussions
Customers Also Viewed These Support Documents