I'm a little rusty on netscreen, but it looks like you have your proxies matching, but you might be missing a route on the netscreen. Are you doing route/tunnel interface mode on your netscreen or policy based? If it's route based, what does 'get vpn' and 'get route' show?
You can use 'set ffilters src-ip=' and 'debug flow basic' and 'get db stream' to see if it's hitting the crypto engine on the netscreen.
Sent from handheld
On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com> wrote:
> Are u doing any NAT stuff on your ASA?
>
> --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
>
> From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
> Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
> To: "kawaii mak" <kawaii00mak_at_gmail.com>
> Cc: "Cisco certification" <ccielab_at_groupstudy.com>
> Date: Wednesday, March 16, 2011, 2:17 AM
>
> Compare the output of these commands :
>
> Netscreen
> get sa
> get sa id xxx
>
> ASA
> show crypto ipsec sa peer x.x.x.x
>
> This should be enough if Phase 2 is formed.
>
> On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
>
>> Dear Expert,
>> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) setup to connect
>> a Netscreen SSG20 for Site-to-Site VPN tunnel.
>> Tunnel negotiation was completed for Phase 1 and Phase 2. Private traffic is
>> initiated from the ASA side (10.194.x.x) to the Netscreen side (192.168.x.x),
>> but it seems to be unreachable. Some messages occur on the ASA while packets
>> return from the Netscreen side, as follows. Is anything wrong in the
>> configuration that triggers these messages?
>> Please help! Thanks.
>>
>> firewall log
>> ==============
>> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC,
>> sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to 203.x.x.x. The
>> decapsulated inner packet doesn't match the negotiated policy in the SA. The
>> packet specifies its destination as 203.x.x.x, its source as 210.x.x.x, and
>> its protocol as 1. The SA specifies its local proxy as
>> 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
>> 192.168.x.x/255.255.255.255/0/0.
>>
>> Regards,
>> Kawaii
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> It is said that if you know your enemies and know yourself, you will not be
> imperiled in a hundred battles; if you do not know your enemies but do know
> yourself, you will win one and lose one; if you do not know your enemies nor
> yourself, you will be imperiled in every single battle.
>
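The 402116 message quoted above tells you exactly which inner addresses the ASA saw and which proxy IDs the SA was negotiated with. The following added example (not code from anyone in the thread) parses that message format and repeats the ASA's own check, inner source against remote_proxy and inner destination against local proxy, so the mismatch is spelled out per field; the addresses in the sample line are constructed stand-ins for the x.x.x placeholders.

```python
import ipaddress
import re

# Constructed sample line in the ASA 402116 format quoted in the thread; the
# addresses are documentation ranges standing in for the x.x.x placeholders.
SAMPLE_LOG = (
    "4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI= 0x24F592BC, "
    "sequence number= 0x1) from 198.51.100.10 (user= 198.51.100.10) to 203.0.113.5. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. "
    "The packet specifies its destination as 203.0.113.5, its source as 198.51.100.10, "
    "and its protocol as 1. The SA specifies its local proxy as "
    "10.194.1.20/255.255.255.255/0/0 and its remote_proxy as 192.168.1.30/255.255.255.255/0/0."
)

PATTERN = re.compile(
    r"402116: .*?destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)\. The SA specifies its local proxy as "
    r"(?P<local>\S+) and its remote_proxy as (?P<remote>\S+)\."
)


def parse_proxy(text):
    """Turn 'addr/mask/proto/port' into (network, proto, port); 0 means 'any'."""
    addr, mask, proto, port = text.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port)


def check_402116(line):
    """Explain why an inbound inner packet failed the SA's proxy-ID check.

    Returns None if the line is not a 402116 message, otherwise a dict with the
    parsed fields and a list of mismatch reasons (an empty list means it would match).
    """
    m = PATTERN.search(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    proto = int(m["proto"])
    local_net, local_proto, _ = parse_proxy(m["local"])
    remote_net, remote_proto, _ = parse_proxy(m["remote"])
    reasons = []
    # Inbound direction: inner source must sit in the remote proxy, inner destination in the local one.
    if src not in remote_net:
        reasons.append(f"inner source {src} is outside remote proxy {remote_net}")
    if dst not in local_net:
        reasons.append(f"inner destination {dst} is outside local proxy {local_net}")
    for label, want in (("local", local_proto), ("remote", remote_proto)):
        if want and want != proto:
            reasons.append(f"protocol {proto} differs from {label} proxy protocol {want}")
    return {"src": str(src), "dst": str(dst), "proto": proto, "local_proxy": str(local_net),
            "remote_proxy": str(remote_net), "reasons": reasons}
```

Run over the sample line it reports that both inner addresses are the public peer addresses rather than the /32 private hosts the SA was built for, which is the condition to look for in the Netscreen policy or route before touching the crypto settings.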
Received on Wed Mar 16 2011 - 11:42:06 ART