<Need Help - Cisco ASA 8.4.1 to Juniper SSG-550 6.2.0r1.0VPN Configuration>
Hello All,

I have been working for two days trying to get an ASA to set up a VPN tunnel to an SSG-550. I have the VPN tunnel set up and ready to go on the ASA. I ran a Debug crypto IPSec 200 and crypto ikev1 200. I do the command ping PRIVATE <ip address> and I get in the console:

Sending 5, 100-byte ICMP Echos to 10.1.4.81, timeout is 2 seconds:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.20.1.2, sport=29733, daddr=10.1.4.81, dport=29733
IPSEC(crypto_map_check)-5: Checking crypto map CARIBOU-VPN-1 10: skipping incomplete map. No peer, access-list or transform-set specified.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
From my understanding this is caused by the crypto map not being able to establish a tunnel to the Juniper.
On my Juniper configuration I have built the Gateway and set the Phase 1 Proposal to "pre-g2-3des-md5" followed by "pre-g2-3des-sha". For the VPN configuration I use the predefined gateway configuration. Under the advanced button, I use the predefined of "compatible" and the Phase 2 Proposal "nopfs-esp-3des" followed by "nopfs-esp-3des". The proxy id is the local IP / Network block and the remote IP network block is the destination IP block.

The only part that has me wondering, because the Juniper has multiple zones, i.e. a DMZ, Trust, and Untrust. Each Zone has its own IP block that is assigned to it. I have entered a policy into one of the zones, i.e. Untrust to Trust, input source block, destination block, specified it is a tunnel, set for bi-directional entry and that should be it.

Any help in this as always will be greatly appreciated. Thank you.

Thank You,
MAR

CONFIDENTIALITY NOTICE: This message is intended only for the individual or entity to which it is addressed and may contain information that is confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you have received this communication in error. In such case, please notify us immediately by reply e-mail and immediately delete this message and its attachments. Any use, dissemination, redistribution or reproduction of this communication is strictly prohibited. Unless the message explicitly states otherwise, no e-mail correspondence claims to be a contractual offer or acceptance. LST Financial has instructed its employees not to send libelous or inappropriate statements and disclaims responsibility for such. Subject to applicable law, LST Financial may monitor, review and retain e-communications traveling through its networks/systems. By messaging with LST Financial you consent to the foregoing.
> Sending 5, 100-byte ICMP Echos to 10.1.4.81, timeout is 2 seconds:
> IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.20.1.2, sport=29733, daddr=10.1.4.81, dport=29733
> IPSEC(crypto_map_check)-5: Checking crypto map CARIBOU-VPN-1 10: skipping incomplete map. No peer, access-list or transform-set specified.
> IPSEC(crypto_map_check)-1: Error: No crypto map matched.
>
> From my understanding this is caused by the crypto map not being able to establish a tunnel to the Juniper.
From that log, the Cisco is missing numerous configuration items:

No peer, access-list or transform-set specified.

Do you have the above specified in the crypto map within the ASA?

Cheers
Chris
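Added example, not part of the original thread: a small Python check that reads ASA crypto map lines and reports every sequence entry that lacks a peer, a match address ACL or a transform-set, the three items the debug line above names. The sample config is constructed; the peer address, ACL name and transform-set name are placeholders, and treating an entry as incomplete when any one of the three is missing is an assumption drawn from the debug wording.

```python
import re
from collections import defaultdict

# Constructed sample in ASA 8.4 syntax (not the poster's configuration).
# Only the map name comes from the thread's debug output; the peer address,
# ACL name and transform-set name are placeholders.
SAMPLE_CONFIG = """\
crypto map CARIBOU-VPN-1 10 set security-association lifetime seconds 28800
crypto map CARIBOU-VPN-1 20 match address VPN-ACL-EXAMPLE
crypto map CARIBOU-VPN-1 20 set peer 192.0.2.1
crypto map CARIBOU-VPN-1 20 set ikev1 transform-set TS-EXAMPLE
crypto map CARIBOU-VPN-1 interface outside
"""

# The three items named in the debug line and the clause that supplies each.
# "set transform-set" is the pre-8.4 spelling, "set ikev1 transform-set" 8.4+.
REQUIRED = {
    "peer": re.compile(r"^set peer \S+"),
    "access-list": re.compile(r"^match address \S+"),
    "transform-set": re.compile(r"^set (ikev1 )?transform-set \S+"),
}
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def find_incomplete_entries(config_text):
    """Return {(map_name, seq): [missing items]} for incomplete entries.

    Assumption: an entry counts as incomplete when any of the three items
    is absent. Entries that point at a dynamic map are treated as complete.
    """
    entries = defaultdict(set)
    for line in config_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # "crypto map NAME interface IF" has no sequence number
        present = entries[(m.group(1), int(m.group(2)))]
        clause = m.group(3)
        if clause.startswith("ipsec-isakmp dynamic "):
            present.update(REQUIRED)
        for item, pattern in REQUIRED.items():
            if pattern.match(clause):
                present.add(item)
    return {key: [item for item in REQUIRED if item not in present]
            for key, present in entries.items()
            if len(present) < len(REQUIRED)}


if __name__ == "__main__":
    for (name, seq), missing in find_incomplete_entries(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: missing {', '.join(missing)}")
```

Feed it the output of show running-config crypto map; an entry it reports is one the crypto_map_check debug would be expected to skip.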
Yes sir. I called Cisco TAC and according to the ASA team, the tunnel cannot be created because the Juniper is not the session to be created due to some mismatches.

--------------------------
Sent using BlackBerry

----- Original Message -----
From: Chris Russell [mailto:chris@nifry.com]
Sent: Friday, July 08, 2011 06:09 PM
To: Michael Ruiz
Cc: nanog@nanog.org <nanog@nanog.org>
Subject: Re: <Need Help - Cisco ASA 8.4.1 to Juniper SSG-550 6.2.0r1.0VPN Configuration>
participants (2)
- Chris Russell
- Michael Ruiz