389 Views, 2 Helpful, 3 Replies

VPN ASA-Juniper / 1 of 2 SA working

Hello guys,

I have a question about the VPN: why does only 1 of the 2 tunnels configured in 1 VPN work? I bring up tunnel A and it works, but when I try to bring up tunnel B, it doesn't work. Then I reset the VPN, and now I bring up tunnel B first and it works; however, tunnel A does not work. I mean only 1 tunnel works at a time. One side is a Cisco ASA and the other is a Juniper.

No problem with the VPN, only with the second tunnel.

I attach the config for both ends.


3 Replies

gajownik (Cisco Employee)

Run debugs to verify why the second IPsec SA fails to establish:

debug menu ikev2 3 1 // enables timestamps in the debugs
debug crypto condition peer X.X.X.X
debug crypto ike-common 127
debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec 255
// initiate traffic and wait some time so the tunnel tries to re-establish
undebug all

I see only the config of one VPN.

MHM (Accepted Solution)

I solved it; the issue was a mismatch on the DH group within the PFS.

Thank you all for your help.
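As an added example (editor's code, not part of the thread and not the posters' attached configurations), the script below does the cross-check that resolves a case like MHM's: it parses an ASA crypto map and a Junos ipsec policy set, both constructed here with hypothetical names, addresses and proposal names, and reports per tunnel whether the PFS DH group matches. It also models why, under IKEv2 (which the ikev2 debugs in gajownik's reply suggest was in use; the thread itself does not say), a PFS mismatch shows up exactly as the question describes rather than as a fully dead VPN. This reasoning is the editor's, not stated in the thread: per RFC 7296 the first Child SA is created inside IKE_AUTH and reuses the IKE_SA_INIT Diffie-Hellman result, so it comes up whatever PFS group each side wants, while every later Child SA (the second tunnel, and any rekey) is negotiated with CREATE_CHILD_SA, which carries its own KE payload, and there each side insists on its configured PFS group.

```python
"""Cross-check IPsec PFS (DH group) settings between an ASA crypto map and
Junos ipsec policies, and model which IKEv2 Child SAs a mismatch breaks.

Added example. All configuration text below is constructed for illustration;
names, addresses and proposal names are hypothetical.
"""
import re

# Constructed ASA fragment: one crypto map entry serving both tunnels.
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map OUTSIDE_MAP 10 match address VPN_TO_JUNIPER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
"""

# Constructed Junos fragment: tunnel A and tunnel B use separate ipsec policies,
# and POL-B carries a different PFS group than the ASA side.
JUNOS_CONFIG = """\
set security ipsec policy POL-A perfect-forward-secrecy keys group14
set security ipsec policy POL-A proposals ESP-AES256-SHA
set security ipsec policy POL-B perfect-forward-secrecy keys group5
set security ipsec policy POL-B proposals ESP-AES256-SHA
set security ipsec vpn TUNNEL-A ike gateway GW-ASA
set security ipsec vpn TUNNEL-A ike ipsec-policy POL-A
set security ipsec vpn TUNNEL-B ike gateway GW-ASA
set security ipsec vpn TUNNEL-B ike ipsec-policy POL-B
"""


def asa_pfs_groups(cfg):
    """Map 'MAPNAME SEQ' -> PFS group taken from 'crypto map ... set pfs groupN'.

    An entry with no 'set pfs' line has PFS disabled (None). A bare 'set pfs'
    takes the platform default; it is reported as 'default' rather than guessed.
    """
    entries = {}
    for name, seq in re.findall(r"^crypto map (\S+) (\d+) ", cfg, re.M):
        entries.setdefault(f"{name} {seq}", None)
    for name, seq, grp in re.findall(r"^crypto map (\S+) (\d+) set pfs(?: (\S+))?$", cfg, re.M):
        entries[f"{name} {seq}"] = grp or "default"
    return entries


def junos_pfs_groups(cfg):
    """Map Junos vpn name -> PFS group of the ipsec policy it references (None if unset)."""
    policy_pfs = dict(re.findall(
        r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)", cfg, re.M))
    vpns = {}
    for vpn, pol in re.findall(r"^set security ipsec vpn (\S+) ike ipsec-policy (\S+)", cfg, re.M):
        vpns[vpn] = policy_pfs.get(pol)
    return vpns


def compare_pfs(asa_group, junos_vpns):
    """Compare every Junos vpn against the ASA crypto map entry's PFS group."""
    return {vpn: "ok" if grp == asa_group else f"mismatch: asa={asa_group} junos={grp}"
            for vpn, grp in junos_vpns.items()}


def ikev2_child_sa_outcomes(asa_group, junos_group, n_child_sas=2):
    """Editor's model of IKEv2 (RFC 7296) behaviour, not taken from the thread:
    Child SA #1 is created in IKE_AUTH without a KE payload, so no PFS group is
    negotiated and it comes up; every later Child SA uses CREATE_CHILD_SA, where
    a PFS group mismatch is rejected (INVALID_KE_PAYLOAD or NO_PROPOSAL_CHOSEN)."""
    outcomes = []
    for i in range(n_child_sas):
        if i == 0:
            outcomes.append("up (IKE_AUTH, no PFS exchange)")
        elif asa_group == junos_group:
            outcomes.append(f"up (CREATE_CHILD_SA, PFS {asa_group})")
        else:
            outcomes.append("down (CREATE_CHILD_SA rejected: PFS group mismatch)")
    return outcomes


if __name__ == "__main__":
    asa = asa_pfs_groups(ASA_CONFIG)
    asa_group = asa["OUTSIDE_MAP 10"]
    junos = junos_pfs_groups(JUNOS_CONFIG)
    for vpn, verdict in compare_pfs(asa_group, junos).items():
        print(f"{vpn}: {verdict}")
        for n, state in enumerate(ikev2_child_sa_outcomes(asa_group, junos[vpn]), 1):
            print(f"  child SA #{n}: {state}")
```

Run as-is to see TUNNEL-B flagged while TUNNEL-A passes; to check a live pair, feed the real `show running-config crypto map` and `show configuration security ipsec | display set` text into the two parsers. Compare the groups by what they are, not only by label: group14 is 2048-bit MODP on both platforms, so the same number means the same group here, but a Junos policy with no PFS line at all (None) against an ASA entry with `set pfs` is also a mismatch, and the script reports it that way.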