Re: ASA FW site-to-site vpn setup with Netscreen FW

From: kawaii mak <kawaii00mak_at_gmail.com>
Date: Wed, 16 Mar 2011 17:40:42 +0800

Dear Expert,

The command output for the comparison is as follows, but I don't know how to find the issue.
BTW, there seem to be no hits on the pkts encaps counter. Please help. Thanks.

ASA5520
================
ASAFW/pri/act# show crypto ipsec sa peer 210.x.x.x
peer address: 210.x.x.x
    Crypto map tag: outside_map2, seq num: 1, local addr: 203.x.x.x
      access-list outside_cryptomap extended permit ip host 10.194.0.56 host 192.168.1.100
      local ident (addr/mask/prot/port): (10.194.0.56/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
      current_peer: 210.x.x.x
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 203.x.x.x, remote crypto endpt.: 210.x.x.x
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F2095F3A
      current inbound spi : 79A909B7
    inbound esp sas:
      spi: 0x79A909B7 (2041121207)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 85442560, crypto-map: outside_map2
         sa timing: remaining key lifetime (sec): 3459
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00007FFF
    outbound esp sas:
      spi: 0xF2095F3A (4060700474)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 85442560, crypto-map: outside_map2
         sa timing: remaining key lifetime (sec): 3459
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASAFW/pri/act#

Netscreen:
================
ssg5-serial-wlan-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000003< 203.x.x.x 500 esp:3des/sha1 f2095f3a 3571 4095M A/U 2 0
00000003> 203.x.x.x 500 esp:3des/sha1 79a909b7 3571 4095M A/U 3 0
ssg5-serial-wlan-> get sa id 3
index 0, name vpn to now360, peer gateway ip 203.x.x.x. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<2> out:<3> vpngrp:<-1>.
sa_list_nxt:<0xffffffff>.
tunnel id 3, peer id 0, NSRP Local. site-to-site. Local interface is ethernet0/0 <210.x.x.x>.
  esp, group 2, 3des encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<1>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x4001a7
  proxy id: local 192.168.1.100/255.255.255.255, remote 10.194.0.56/255.255.255.255, proto 0, port 0
  ike activity timestamp: 11786166
nat-traversal map not available
incoming: SPI f2095f3a, flag 00004000, tunnel info 40000003, pipeline
  life 3600 sec, 3562 remain, 4194303 kb, -1280 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 38 seconds
  next pak sequence number: 0x0
outgoing: SPI 79a909b7, flag 00000000, tunnel info 40000003, pipeline
  life 3600 sec, 3562 remain, 4194303 kb, -1280 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 3 seconds
  next pak sequence number: 0x4
ssg5-serial-wlan->

2011/3/16 Mad_Prof <dr3d3m3nt0_at_gmail.com>

> Compare the output of these commands :
>
> Netscreen
> get sa
> get sa id xxx
>
>
> ASA
> show crypto ipsec sa peer x.x.x.x
>
>
> This should be enough if Phase 2 is formed.
>
> On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com>wrote:
>
>> Dear Expert,
>> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) set up to connect
>> to a Netscreen SSG20 for a Site-to-Site VPN tunnel.
>> Tunnel negotiation was completed for Phase 1 & Phase 2. Private traffic is
>> initiated from the ASA side (10.194.x.x) to the Netscreen side (192.168.x.x),
>> but it seems to be unreachable. And some messages occur on the ASA while the
>> packets return from the Netscreen side, as follows. Is there anything wrong
>> in the configuration that triggers these messages?
>> Please help!!! Thanks.
>>
>> firewall log
>> ==============
>> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC,
>> sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to 203.x.x.x. The
>> decapsulated inner packet doesn't match the negotiated policy in the SA. The
>> packet specifies its destination as 203.x.x.x, its source as 210.x.x.x, and
>> its protocol as 1. The SA specifies its local proxy as
>> 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
>> 192.168.x.x/255.255.255.255/0/0.
>>
>> Regards,
>> Kawaii
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> It is said that if you know your enemies and know yourself, you will not be
> imperiled in a hundred battles; if you do not know your enemies but do know
> yourself, you will win one and lose one; if you do not know your enemies nor
> yourself, you will be imperiled in every single battle.

Blogs and organic groups at http://www.ccie.net
Received on Wed Mar 16 2011 - 17:40:42 ART
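The two things the thread compares, the ASA's 402116 "decapsulated inner packet doesn't match the negotiated policy" message and the #pkts encaps/decaps counters from `show crypto ipsec sa`, can be checked mechanically. The Python script below is an added example, not code from the thread or from either vendor: it parses a constructed log line in the shape of the 402116 message (documentation-range addresses stand in for the masked 203.x.x.x and 210.x.x.x), checks the inner packet's source, destination and protocol against the SA's local and remote proxy identities, and reads the encaps/decaps counters from a constructed excerpt of the ASA output. The sample strings and all function names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of ASA syslog message 402116 (the thread quotes
# the real one with masked addresses; documentation-range addresses stand in here).
SAMPLE_LOG = (
    "4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC, "
    "sequence number= 0x1) from 198.51.100.9 (user= 198.51.100.9) to 203.0.113.7. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 203.0.113.7, its source as 198.51.100.9, "
    "and its protocol as 1. The SA specifies its local proxy as "
    "10.194.0.56/255.255.255.255/0/0 and its remote_proxy as "
    "192.168.1.100/255.255.255.255/0/0."
)

# Constructed excerpt in the shape of 'show crypto ipsec sa peer' output (same
# counter values as in the thread: nothing encapsulated, 14 packets decapsulated).
SAMPLE_SA = """\
      local ident (addr/mask/prot/port): (10.194.0.56/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
"""

PROXY = r"[\d.]+/[\d.]+/\d+/\d+"  # addr/mask/proto/port as printed by the ASA
LOG_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\.\s*The SA specifies its local proxy as "
    rf"(?P<local>{PROXY}) and its remote_proxy as (?P<remote>{PROXY})"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_proxy(spec):
    """Turn 'addr/mask/proto/port' into (network, proto, port)."""
    addr, mask, proto, port = spec.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}"), int(proto), int(port)


def proxy_violations(src, dst, proto, local_spec, remote_spec):
    """Reasons an inbound inner packet (src -> dst, IP protocol proto) falls outside
    the SA's proxy IDs. For traffic arriving from the peer the inner source must be
    inside the remote proxy and the inner destination inside the local proxy; a
    proxy protocol of 0 matches any protocol. An empty list means the packet fits."""
    lnet, lproto, _ = parse_proxy(local_spec)
    rnet, _, _ = parse_proxy(remote_spec)
    reasons = []
    if ipaddress.ip_address(src) not in rnet:
        reasons.append(f"inner source {src} is outside remote proxy {rnet}")
    if ipaddress.ip_address(dst) not in lnet:
        reasons.append(f"inner destination {dst} is outside local proxy {lnet}")
    if lproto not in (0, proto):
        reasons.append(f"inner protocol {proto} does not match SA protocol {lproto}")
    return reasons


def parse_402116(line):
    """Extract the inner-packet header and SA proxies from a 402116 message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
            "local_proxy": m["local"], "remote_proxy": m["remote"]}


def explain_402116(line):
    """Why the ASA dropped the decapsulated packet described in the log line."""
    ev = parse_402116(line)
    if ev is None:
        return None
    return proxy_violations(ev["src"], ev["dst"], ev["proto"],
                            ev["local_proxy"], ev["remote_proxy"])


def sa_counters(text):
    """Pull the #pkts encaps / decaps counters out of 'show crypto ipsec sa' output."""
    return {name: int(count) for name, count in COUNTER_RE.findall(text)}


def diagnose_counters(counters):
    """Classify the SA's traffic direction from its counters."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: nothing has been sent or received over this SA"
    if enc == 0:
        return ("one-way: packets from the peer are decrypted, but no local traffic "
                "has matched the crypto map (check the interesting-traffic ACL, "
                "routing and NAT exemption on this side)")
    if dec == 0:
        return "one-way: local traffic is encrypted, but nothing has come back from the peer"
    return "two-way: traffic is flowing in both directions"


if __name__ == "__main__":
    for reason in explain_402116(SAMPLE_LOG):
        print("402116 mismatch:", reason)
    print(diagnose_counters(sa_counters(SAMPLE_SA)))
```

Run against the constructed sample it reports both an inner source and an inner destination outside the proxy IDs (the inner packet is addressed between the two gateways rather than between the two proxied hosts, exactly the shape of the log quoted in the thread) and classifies the SA as one-way, which is the same picture the thread's encaps 0 / decaps 14 counters give.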

This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART