Problems: VPNs with Netscreen 500

Posted by Panfilo on July 14, 2004, 8:21 am
Hi all,
I administer a Netscreen 500 (firmware 5.0.0r4.0) and I have some
problems with VPN-IPSEC establishment between the appliance and my
Netscreen-Remote-Client. Phase 1 establishment of the VPN often does not
succeed, and in the logs of my client I read this:
......
......
7-14: 14:54:32.570 My Connections\LAN - Initiating IKE Phase 1 (IP ADDR=xxx.xx.xx.x)
7-14: 14:54:33.942 My Connections\LAN - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
7-14: 14:54:48.984 My Connections\LAN - message not received! Retransmitting!
7-14: 14:54:48.984 My Connections\LAN - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-14: 14:55:04.006 My Connections\LAN - message not received! Retransmitting!
7-14: 14:55:04.006 My Connections\LAN - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-14: 14:55:19.087 My Connections\LAN - message not received! Retransmitting!
7-14: 14:55:19.087 My Connections\LAN - SENDING>>>> ISAKMP OAK AG (Retransmission)
7-14: 14:55:34.109 My Connections\LAN - Exceeded 3 IKE SA negotiation attempts
.....
.....
while the log file of the Netscreen says:
.
..
Jul 14 09:22:24 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<xxx.xx.xx.x> Phase 1: Responder starts AGGRESSIVE mode negotiations. (2004-07-14 09:19:52)
.
..
Jul 14 09:22:39 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<xxx.xx.xx.x> Phase 1: Responder starts AGGRESSIVE mode negotiations. (2004-07-14 09:20:08)
.
..
Jul 14 09:23:22 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<xxx.xx.xx.x> Phase 1: Aborted negotiations because the time limit has elapsed. (11180f/5) (2004-07-14 09:20:51)
.
..
Jul 14 09:23:42 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<xxx.xx.xx.x> Phase 1: Aborted negotiations because the time limit has elapsed. (110f/5) (2004-07-14 09:21:11)
.
..
Now, if I reboot my firewall, all works properly.
I read this is the only solution for this bug... Is it true?
It's very boring and inconvenient if the only solution is the restart
of the device.
If anyone has an explanation and/or a solution for this problem I will
thank him: it's urgent.

Best wishes
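
An added example, not part of the original post: one way to pull the Phase 1 start and timeout events out of NetScreen syslog lines like those above and list peers whose negotiations repeatedly time out, with the seconds between each start and its abort. The peer address 192.0.2.10, the function names, the threshold of 2 and the handling of other Phase 1 messages are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four NetScreen lines from the post, unwrapped, with
# the documentation address 192.0.2.10 standing in for the redacted peer.
SAMPLE = """\
Jul 14 09:22:24 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<192.0.2.10> Phase 1: Responder starts AGGRESSIVE mode negotiations. (2004-07-14 09:19:52)
Jul 14 09:22:39 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<192.0.2.10> Phase 1: Responder starts AGGRESSIVE mode negotiations. (2004-07-14 09:20:08)
Jul 14 09:23:22 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<192.0.2.10> Phase 1: Aborted negotiations because the time limit has elapsed. (11180f/5) (2004-07-14 09:20:51)
Jul 14 09:23:42 10.10.0.2 ns500-A: NetScreen device_id=ns500-A [Root]system-information-00536: IKE<192.0.2.10> Phase 1: Aborted negotiations because the time limit has elapsed. (110f/5) (2004-07-14 09:21:11)
"""

# Peer, message text, and the device-side timestamp in the trailing parentheses.
EVENT = re.compile(
    r"IKE<(?P<peer>[^>]+)> Phase 1: (?P<msg>.*?)\s*"
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)\s*$"
)
KINDS = {"start": "Responder starts", "timeout": "time limit has elapsed"}

def parse(lines):
    """Yield (device_time, peer, kind) for each Phase 1 event line."""
    for line in lines:
        m = EVENT.search(line)
        if m:
            kind = next((k for k, text in KINDS.items() if text in m["msg"]), "other")
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["peer"], kind

def stalled_peers(lines, threshold=2):
    """Return {peer: [seconds from start to timeout, ...]} for peers with at
    least `threshold` Phase 1 negotiations that ended in a timeout."""
    pending = defaultdict(list)  # peer -> start times not yet resolved
    waits = defaultdict(list)    # peer -> seconds each timed-out attempt lasted
    for ts, peer, kind in sorted(parse(lines)):
        if kind == "start":
            pending[peer].append(ts)
        elif kind == "timeout" and pending[peer]:
            started = pending[peer].pop(0)  # oldest unresolved start
            waits[peer].append(int((ts - started).total_seconds()))
        elif kind == "other":
            # Assumption: any other Phase 1 message resolves pending starts;
            # the post does not show the text of a successful completion.
            pending[peer].clear()
    return {p: w for p, w in waits.items() if len(w) >= threshold}

if __name__ == "__main__":
    print(stalled_peers(SAMPLE.splitlines()))
```

On the post's timestamps, both negotiations are aborted about a minute after the responder logs the start, which matches the client log showing three retransmissions with no reply received.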


Posted by SA on July 14, 2004, 4:07 pm
Try to clear all of your SAs and see if that works. I would also try a
manual tunnel instead of an autoIKE to see if that may correct your issue.

-Scott


