
VPN ASA-Juniper / 1 of 2 SA working

Hello guys,

I have a question about the VPN: why does only 1 of the 2 tunnels configured in 1 VPN work? I try to bring up tunnel A and it works, but when I try to bring up tunnel B, it doesn't work. Then I reset the VPN and try to bring up tunnel B first, and it works, but then tunnel A does not work. I mean only 1 tunnel works at a time. One side is a Cisco ASA and the other is a Juniper.

No problem with the VPN, only with the second tunnel.

I attach the config for both ends.


Accepted Solutions

I solved it, the issue was a mismatch on the DH group within the PFS.

 

Thank you all for your help. 
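
An added example (not from the original thread) of checking for the mismatch named in the accepted solution: it compares the PFS DH group on an ASA crypto map entry with the Junos IPsec policy behind each VPN. The configs, object names and the VPN-to-sequence pairing are constructed assumptions.

```python
import re

# Constructed sample configs (not the poster's attachments); names are made up.
ASA_CFG = """\
crypto map OUTSIDE_MAP 10 match address ACL-TO-JUNIPER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set pfs group14
"""
JUNOS_CFG = """\
set security ipsec policy POL-A perfect-forward-secrecy keys group5
set security ipsec policy POL-A proposals PROP-1
set security ipsec vpn VPN-A ike ipsec-policy POL-A
set security ipsec vpn VPN-B ike ipsec-policy POL-A
"""

def asa_pfs(cfg):
    """Crypto map sequence number -> PFS group (None when PFS is not set)."""
    groups = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto map \S+ (\d+) (.+)", line.strip())
        if not m:
            continue
        seq = int(m.group(1))
        groups.setdefault(seq, None)
        pfs = re.fullmatch(r"set pfs(?: (group\d+))?", m.group(2).strip())
        if pfs:
            # A bare "set pfs" uses the platform default group, which varies by release.
            groups[seq] = pfs.group(1) or "platform-default"
    return groups

def junos_pfs(cfg):
    """VPN name -> PFS group of its IPsec policy (None when PFS is not set)."""
    policy_group, vpn_policy = {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)", line)
        if m:
            policy_group[m.group(1)] = m.group(2)
        m = re.match(r"set security ipsec vpn (\S+) ike ipsec-policy (\S+)", line)
        if m:
            vpn_policy[m.group(1)] = m.group(2)
    return {vpn: policy_group.get(pol) for vpn, pol in vpn_policy.items()}

def pfs_mismatches(asa_cfg, junos_cfg, pairing):
    """pairing: Junos VPN name -> ASA crypto map sequence protecting the same traffic."""
    # In IKEv2 the first Child SA comes up inside IKE_AUTH without a fresh DH exchange,
    # so a PFS mismatch only shows when a further SA is negotiated (CREATE_CHILD_SA).
    asa, junos = asa_pfs(asa_cfg), junos_pfs(junos_cfg)
    return [(vpn, seq, asa.get(seq), junos.get(vpn))
            for vpn, seq in pairing.items() if asa.get(seq) != junos.get(vpn)]
```

Calling `pfs_mismatches(ASA_CFG, JUNOS_CFG, {"VPN-A": 10, "VPN-B": 10})` returns one tuple per VPN whose group differs from the paired crypto map entry; an empty list means both ends agree.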


gajownik
Cisco Employee

Run debugs to verify why the second IPsec SA fails to establish:

debug menu ikev2 3 1 //it will enable timestamps in the debugs
debug crypto condition peer X.X.X.X
debug crypto ike-common 127
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec 255
//initiate traffic and wait some time so the tunnel will try to reestablish
undebug all

I see only the config of one VPN.

MHM

