S2S VPN Between Juniper and Cisco ASA /Tunnel is UP/Ping not Working

Hi to all,

 

We are trying to establish an S2S VPN between a Juniper and a Cisco ASA.

The tunnel is up (phase 1 and phase 2 are OK) but the ping is not working.

 

Topology:

ISP-->Cisco Router--->ASA-->LAN

 

ISP-->Juniper-->LAN

 

Do you have any idea?

 

Phase 1:

IKE Peer: 217.17.2.168
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

 

Phase 2:

access-list outside_1_cryptomap extended permit ip 10.21.41.0 255.255.255.0 172.26.3.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.21.41.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.26.3.0/255.255.255.0/0/0)
      current_peer: 217.17.2.168

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 213.207.13.8/0, remote crypto endpt.: 217.17.2.168/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: AB1E5340
      current inbound spi : 675A50E9

    inbound esp sas:
      spi: 0x675A50E9 (1733972201)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 123334656, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3563519/2011)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xAB1E5340 (2870891328)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 123334656, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3563518/2011)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Please rate all useful posts Regards Chrysostomos ""The Most Successful People Are Those Who Are Good At Plan B""

johnlloyd_13
Level 9

Hi,

Could you post the ASA's and the Juniper's sanitized configs and the equivalent show crypto command output from the Juniper FW?

 

Hi, from the Cisco ASA:

 

tunnel-group 217.17.2.168 type ipsec-l2l
tunnel-group 217.17.2.168 general-attributes
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 217.17.2.168 
crypto map outside_map 1 set transform-set S2S_VPN_Bahrain
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 4194303
crypto map outside_map 1 set nat-t-disable
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto ipsec transform-set S2S_VPN_Bahrain esp-aes-256 esp-sha-hmac 
!
access-list outside_1_cryptomap extended permit ip 10.21.41.0 255.255.255.0 172.26.3.0 255.255.255.0 
!
access-list inside_access_in extended permit ip any any 

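As an added example (not part of the thread, and not Cisco or Juniper tooling), the following Python script parses the `show crypto ipsec sa` counters from the first post and the crypto-map fragment from the last one. It flags the pattern the counters already show (9 packets encapsulated, 0 decapsulated: the ASA is sending ESP but nothing ever comes back, so both phases being up proves nothing about the return path) and checks that every reference in the crypto map entry resolves and agrees with the negotiated proxy identities. The sample text is copied from the posts; the function names, diagnosis codes and hint strings are my own.

```python
"""Sanity-check an ASA L2L tunnel from pasted 'show' and config text.

Added example for the thread above; the two sample strings are copied from
the posts (abridged to the lines the checks need), everything else is ours.
"""
import re

# Constructed sample: the relevant lines of the posted 'show crypto ipsec sa'.
SHOW_CRYPTO_IPSEC_SA = """\
      local ident (addr/mask/prot/port): (10.21.41.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.26.3.0/255.255.255.0/0/0)
      current_peer: 217.17.2.168
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed sample: the crypto-map related lines of the posted ASA config.
ASA_CONFIG = """\
tunnel-group 217.17.2.168 type ipsec-l2l
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.17.2.168
crypto map outside_map 1 set transform-set S2S_VPN_Bahrain
crypto ipsec transform-set S2S_VPN_Bahrain esp-aes-256 esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 10.21.41.0 255.255.255.0 172.26.3.0 255.255.255.0
"""


def parse_sa(text):
    """Extract proxy identities, current peer and packet counters from the SA dump."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(r"%s ident.*?: \(([\d.]+)/([\d.]+)/" % side, text)
        sa[side] = (m.group(1), m.group(2))
    sa["peer"] = re.search(r"current_peer: ([\d.]+)", text).group(1)
    for key, val in re.findall(r"#(pkts \w+|send errors|recv errors): (\d+)", text):
        sa[key] = int(val)
    return sa


def diagnose_sa(sa):
    """Classify the counter pattern; decaps is the only counter proving return traffic."""
    enc, dec = sa.get("pkts encaps", 0), sa.get("pkts decaps", 0)
    if enc and not dec:
        return ("ONE_WAY",
                "ESP leaves the ASA toward %s but none comes back: check the remote "
                "side's policy/proxy-ID for %s <-> %s, its route back to %s, and NAT or "
                "ACLs on any device in front of the ASA" % (
                    sa.get("peer", "?"), sa.get("local", ("?",))[0],
                    sa.get("remote", ("?",))[0], sa.get("local", ("?",))[0]))
    if not enc and not dec:
        return ("NO_TRAFFIC", "nothing matched the crypto ACL: check routing/NAT on the ASA")
    if sa.get("recv errors"):
        return ("RECV_ERRORS", "ESP arrives but fails verification: check proposals/keys")
    return ("OK", "traffic flows in both directions")


def check_crypto_map(config, sa):
    """Resolve the crypto map's references and compare them with the live SA."""
    problems = []
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", config)
    ts = re.search(r"crypto map \S+ \d+ set transform-set (\S+)", config)
    peer = re.search(r"crypto map \S+ \d+ set peer ([\d.]+)", config)
    if not acl or not re.search(r"^access-list %s " % re.escape(acl.group(1)), config, re.M):
        problems.append("crypto ACL referenced by the map is not defined")
    if not ts or ("crypto ipsec transform-set %s " % ts.group(1)) not in config:
        problems.append("transform-set referenced by the map is not defined")
    if not peer or ("tunnel-group %s type ipsec-l2l" % peer.group(1)) not in config:
        problems.append("no ipsec-l2l tunnel-group for the crypto map peer")
    elif peer.group(1) != sa["peer"]:
        problems.append("configured peer differs from the SA's current_peer")
    if acl:
        ace = re.search(r"access-list %s extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)"
                        % re.escape(acl.group(1)), config)
        if ace and ((ace.group(1), ace.group(2)) != sa["local"]
                    or (ace.group(3), ace.group(4)) != sa["remote"]):
            problems.append("crypto ACL networks differ from the negotiated proxy identities")
    return problems


if __name__ == "__main__":
    sa = parse_sa(SHOW_CRYPTO_IPSEC_SA)
    code, hint = diagnose_sa(sa)
    print(code, "-", hint)
    for problem in check_crypto_map(ASA_CONFIG, sa):
        print("config:", problem)
```

Run against the posted text it reports ONE_WAY and no config problems, which is the point: the ASA side of the thread is internally consistent, so the next place to look is the Juniper's policy/proxy-IDs, its route back to 10.21.41.0/24, and anything between the two peers that could drop or translate ESP.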