Netscreen to PIX

Status
Not open for further replies.

sikek

I wanted to know if anyone has seen this problem before?
I have a NetScreen with a route-based VPN to a Cisco PIX.

The NetScreen event log shows this error.
2006-09-12 10:54:35 system info 00536 Rejected an IKE packet on untrust from
216.x.x.x:500 to 66.x.x.x:500
with cookies e3fc249085575b09 and
322131e403c7141a because there were no
acceptable Phase 1 proposals.

OK, so I checked to make sure the Phase 1 settings match on both sides.


Netscreen----
fw1-> get ike p1-proposal
Id Name               Auth     Grp ESP-e  ESP-a Lifetime
-- ------------------ -------- --- ------ ----- ----------
20 p1                 Preshare 2   DES    MD5   86400
Total Phase 1 proposals: 21
fw1->

PIX--------
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The debug from the NetScreen shows this.


## 2006-09-12 10:20:51 : IKE<216.x.x.x> Construct ISAKMP header.
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Msg header built (next payload #11)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Construct [NOTIF]:(NO-PROPOSAL-CHOSEN)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> P1 message header:
## 2006-09-12 10:20:51 : IKE<0.0.0.0 > ISAKMP msg: len 64, nxp 11[NOTIF], exch
## 2006-09-12 10:20:51 : IKE<216.x.x.x> responder create sa: 216.x.x.x->66.x.x.x
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Phase 1: Responder starts MAIN mode negotiations.
## 2006-09-12 10:20:51 : IKE<216.x.x.x> MM in state OAK_MM_NO_STATE.
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Process [SA]:
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Proposal received: xauthflag 0
## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(2)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> xauth attribute: disabled
## 2006-09-12 10:20:51 : IKE<216.x.x.x> [0] expect: xauthflag 0
## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(2)<SHA>, group(1)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> xauth attribute: disabled
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Phase 1: Rejected proposals from peer. Negotiations failed.


Thank you for any help.
 
One more debug, from the PIX.

highland-pix515e-ur# show crypto isakmp sa
Total : 10
Embryonic : 1
dst           src        state        pending  created
chicago-peer  216.X.X.X  QM_IDLE      0        7
216.X.X.X     72.X.X.X   QM_IDLE      0        0
66.X.X.X      216.X.X.X  MM_NO_STATE  0        0

 
I'm still at a loss as to why our PIX is sending two Phase 1s?


## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(2)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> xauth attribute: disabled
## 2006-09-12 10:20:51 : IKE<216.x.x.x> [0] expect: xauthflag 0
## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(2)<SHA>, group(1
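
Added example (not part of the original posts and not vendor code): a small Python parser that pairs the attributes logged after `Proposal received` in the NetScreen debug with those logged after `[n] expect`, and reports which Phase 1 attributes differ. It assumes the line following each marker carries the attributes, as in the debug above, and that `[n] expect` introduces a proposal the NetScreen side is set to accept; the function names are made up for this example.

```python
import re

# Sample input: the NetScreen debug lines quoted in the thread (addresses already masked).
SAMPLE = """\
## 2006-09-12 10:20:51 : IKE<216.x.x.x> Proposal received: xauthflag 0
## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(1)<MD5>, group(2)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> xauth attribute: disabled
## 2006-09-12 10:20:51 : IKE<216.x.x.x> [0] expect: xauthflag 0
## 2006-09-12 10:20:51 : IKE<216.x.x.x> auth(1)<PRESHRD>, encr(1)<DES>, hash(2)<SHA>, group(1)
## 2006-09-12 10:20:51 : IKE<216.x.x.x> xauth attribute: disabled
"""

# auth/encr/hash carry a name in <...>; group carries only a number.
# The closing ")" of group is optional so a truncated paste still parses.
ATTR = re.compile(r"(auth|encr|hash)\(\d+\)<(\w+)>|group\((\d+)")
MARK = re.compile(r"(Proposal received|\[\d+\] expect):")

def parse_attrs(line):
    """Extract {auth, encr, hash, group} from one attribute line."""
    out = {}
    for m in ATTR.finditer(line):
        if m.group(1):
            out[m.group(1)] = m.group(2)
        else:
            out["group"] = m.group(3)
    return out

def parse_proposals(text):
    """Return (received, [expected, ...]) attribute dicts from debug text."""
    received, expected, target = None, [], None
    for line in text.splitlines():
        mark = MARK.search(line)
        if mark:  # remember which side the next attribute line belongs to
            target = "rx" if mark.group(1).startswith("Proposal") else "exp"
            continue
        attrs = parse_attrs(line)
        if attrs and target:
            if target == "rx":
                received = attrs
            else:
                expected.append(attrs)
            target = None
    return received, expected

def mismatches(received, expected):
    """Per expected proposal: {attr: (received_value, expected_value)} for each difference."""
    received = received or {}
    return [{k: (received.get(k), exp[k]) for k in exp if received.get(k) != exp[k]}
            for exp in expected]

if __name__ == "__main__":
    rx, exp = parse_proposals(SAMPLE)
    for i, diff in enumerate(mismatches(rx, exp)):
        print(f"expected[{i}]:", diff or "match")
```
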
 