The ASA is not returning any traffic and Phase 2 has formed correctly.
Verify if the address local to the ASA's network knows how to route back to
the ASA.
On Wed, Mar 16, 2011 at 4:42 AM, Ryan West <rwest_at_zyedge.com> wrote:
> I'm a little rusty on netscreen, but it looks like you have your proxies
> matching, but you might be missing a route on the netscreen. Are you doing
> route/tunnel interface mode on your netscreen or policy based? If it's
> route based, what does 'get vpn' and 'get route' show?
>
> You can use 'set ffilters src-ip=' and 'debug flow basic' and 'get db
> stream' to see if it's hitting the crypto engine on the netscreen.
>
> Sent from handheld
>
> On Mar 16, 2011, at 7:11 AM, "Abiola Jewoola" <biola_y2k_at_yahoo.com> wrote:
>
> > Are you doing any NAT stuff on your ASA?
> >
> > --- On Wed, 3/16/11, Mad_Prof <dr3d3m3nt0_at_gmail.com> wrote:
> >
> > From: Mad_Prof <dr3d3m3nt0_at_gmail.com>
> > Subject: Re: ASA FW site-to-site vpn setup with Netscreen FW
> > To: "kawaii mak" <kawaii00mak_at_gmail.com>
> > Cc: "Cisco certification" <ccielab_at_groupstudy.com>
> > Date: Wednesday, March 16, 2011, 2:17 AM
> >
> > Compare the output of these commands :
> >
> > Netscreen
> > get sa
> > get sa id xxx
> >
> >
> > ASA
> > show crypto ipsec sa peer x.x.x.x
> >
> >
> > This should be enough if Phase 2 is formed.
> >
> > On Wed, Mar 16, 2011 at 1:25 AM, kawaii mak <kawaii00mak_at_gmail.com> wrote:
> >
> >> Dear Expert,
> >> I have a question about a Cisco FW (ASA5520+ with v8.2(2)) setup to connect
> >> a Netscreen SSG20 for Site-to-Site VPN tunnel.
> >> Tunnel negotiation was completed Phase1 & Phase2. Private traffic initiated
> >> from ASA side(10.194.x.x) to Netscreen side(192.168.x.x) but seems there is
> >> unreachable. And some of message occurs in ASA while packet return back from
> >> Netscreen side as follow. Is anything wrong in configuration to trigger for
> >> these message????
> >> Please help!!! Thanks.
> >>
> >> firewall log
> >> ==============
> >> 4|Mar 15 2011 12:26:53|402116: IPSEC: Received an ESP packet (SPI=
> >> 0x24F592BC, sequence number= 0x1) from 210.x.x.x (user= 210.x.x.x) to
> >> 203.x.x.x. The decapsulated inner packet doesn't match the negotiated
> >> policy in the SA. The packet specifies its destination as 203.x.x.x, its
> >> source as 210.x.x.x, and its protocol as 1. The SA specifies its local
> >> proxy as 10.194.x.x/255.255.255.255/0/0 and its remote_proxy as
> >> 192.168.x.x/255.255.255.255/0/0.
> >>
> >> Regards,
> >> Kawaii
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > It is said that if you know your enemies and know yourself, you will not be
> > imperiled in a hundred battles; if you do not know your enemies but do know
> > yourself, you will win one and lose one; if you do not know your enemies nor
> > yourself, you will be imperiled in every single battle.
>

--
It is said that if you know your enemies and know yourself, you will not be
imperiled in a hundred battles; if you do not know your enemies but do know
yourself, you will win one and lose one; if you do not know your enemies nor
yourself, you will be imperiled in every single battle.

Received on Wed Mar 16 2011 - 12:34:49 ART
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART