I have a Cisco ASA running 8.2.5 (yes I know it's old) that we plan on decommissioning this year but unfortunately, we are a ways away from doing so. This has a site to site VPN tunnel to 4 locations, 1 is another ASA, 2 are Sonicwalls, and 1 is a Juniper SRX. The ASA and Sonicwalls seem to work fine; traffic flows without any tunnel issues. But between the SRX I am getting intermittent traffic loss between some of the networks allowed between the sites, not all networks. Specifically, we have 4 networks on the ASA side. The intermittent issue is networks 172.16.20.0/24 and 172.18.5.0/24 will be able to communicate but 172.16.20.0/24 to 10.34.0.0/16 won't and it appears to be related to SA lifetime expiring and not getting a response or rekeying properly.

To help resolve this I have moved the SA lifetime in KB from the default value to the max value 2TB. I did this because I could not remove it from my configuration. I believe this is a limitation of the version I'm running. Since Juniper has not recommended setting a SA lifetime KB to any value I've just had to set the lifetime sec to match.

1. Changed the ACL on the Cisco side from network-group to network group to individual network to network ACLs.
2. Changed the KB lifetime on the Cisco from the default value to the max value around 2TB.
3. Removed dead-peer-detection on the SRX side per Juniper.
4. Set the SRX to responder because I can't change the Cisco to responder.

Also, while running show crypto ipsec sa peer x.x.x.x, the inbound esp sas and outbound esp sas lifetimes are the same. On the SRX the Cisco lifetime is showing up. Shouldn't the Inbound be the lifetime of the SRX side? I'm starting to suspect that the Cisco is expiring its key at a different time and is not able to start up a new session, but I'm not sure how to fix it yet.

Crypto map tag: RAmap, seq num: 50, local addr: Cisco public IP
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 10.34.0.0 255.255.0.0
#pkts compressed: 0, #pkts decompressed: 0