Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
947
Views
0
Helpful
2
Replies

Site-to-Site VPN failed to form SA

tao.akinbo
Level 1
Level 1

‎10-17-2019 04:09 AM

I have a site to site VPN setup, the tunnel failed to come up when traffic initiated to my ASA. However if traffic initiated to the Juniper Netscreen the tunnel will come up and works as expected.

 

Sometimes if the Juniper end initiate connection the tunnel comes up with no traffic  being encrypt and decrypt.

 

I have notice this error when configuring crypto map - 

[IKEv1]Ignoring msg to mark SA with specified coordinates <outside_map, 1> dead

 

Also when debug is on I get this -

IPSEC INFO: Setting an IPSec timer of type Bad CTM Timer Type for 3600 seconds with a jitter value of 0

 

I have checked everywhere to understand what these means with no success.

 

Any help will be appreciated.

 

 

Labels:
0 Helpful
2 Replies 2

Deepak Kumar
VIP Alumni
VIP Alumni

‎10-17-2019 04:52 AM

Hi,

Can you check Phase1 and Phase2 key life/timer at both ends? Try to match at both ends.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

tao.akinbo
Level 1
Level 1
In response to Deepak Kumar

‎10-17-2019 05:08 AM

Thanks Deepak,

 

The lifetimer match on both end.

 

 

Regards

Ta

0 Helpful
Customers Also Viewed These Support Documents