Thanks Steve for your continued efforts!
I have replicated much of the environment in a home lab with an SSG5 running the SSG140 config and the SRX100H2 trying to connect to the SSG. I have two NetScreen 5GTs simulating two other VPN sites, connecting with no issues. In my home lab:
SSG5 Public=1.1.1.1
Dallas SRX Public=1.1.1.5
I have gotten to the point where the SSG continually states:
2016-05-29 11:56:57 system info 00536 Rejected an IKE packet on ethernet0/0 from 1.1.1.5:500 to 1.1.1.1:500 with cookies ff4f91971ecbe61b and 4a1d3b8d654e7c36 because There was a preexisting session from the same peer.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5 Phase 2 msg ID b83e8b72: Responded to the peer's first message.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5: Received initial contact notification and removed Phase 1 SAs.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5: Received initial contact notification and removed Phase 2 SAs.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5: Received a notification message for DOI 1 24578 INITIAL-CONTACT.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5 phase 1:The symmetric crypto key has been generated successfully.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5 Phase 1: Responder starts MAIN mode negotiations.
2016-05-29 11:56:32 system info 00536 IKE 1.1.1.5 Phase 2: Initiated negotiations.
2016-05-29 11:56:32 system info 00536 IKE 1.1.1.5 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2016-05-29 11:56:32 system info 00536 IKE 1.1.1.5 phase 1:The symmetric crypto key has been generated successfully.
2016-05-29 11:56:32 system info 00536 IKE1.1.1.1 1.1.1.5 Phase 1: Initiated negotiations in main mode.
I have also adjusted the IKE soft-lifetime-buffer through 30-45-90-120-180 with no resolution. I have disabled VPN monitor for the Dallas VPN tunnel on the SSG, and there is no change.
Here is the IKE/SA info from the SSG:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.05.30 10:29:39 =~=~=~=~=~=~=~=~=~=~=~=
login as: admin
admin@172.16.10.254's password:
Remote Management Console
firewall-FW01.adminGLOBAL.COM-> get ike cookie
IKEv1 SA -- Active: 4, Dead: 1, Total 6
80122f/0003, 1.1.1.5:500->1.1.1.1:500, PRESHR/grp2/3DES/SHA, xchg(5) (Dallas_VPN_Gateway/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 28797 cert-expire 0
responder, err cnt 0, send dir 1, cond 0xc2
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
100001/0000, 1.1.1.1:500->216.89.164.100:500, NONE/grp0/NULL/NULL, xchg(2) (SAVVIS_VPN_GATEWAY/grp-1/usr-1)
resent-tmr 39 lifetime 28800 lt-recv 0 nxt_rekey 28782 cert-expire 0
initiator, err cnt 4, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
p2_tasks: task_type = 0x3 p2 sa id = 0xf (index 0x0) app_sa_flags = 0x5000a4 p2 spi = 0x0
80122f/0003, 1.1.1.1:500->1.1.1.5:500, PRESHR/grp2/3DES/SHA, xchg(2) (Dallas_VPN_Gateway/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 27 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
80122f/0003, 1.1.1.1:500->1.1.1.5:500, PRESHR/grp2/3DES/SHA, xchg(2) (Dallas_VPN_Gateway/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 7 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
80522f/0003, 1.1.1.1:500->1.1.1.2:500, PRESHR/grp2/3DES/SHA, xchg(5) (Santa_Ana_Gateway/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 13603 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
80522f/0003, 1.1.1.1:500->1.1.1.4:500, PRESHR/grp2/3DES/SHA, xchg(5) (Coatesville_Gateway/grp-1/usr-1)
resent-tmr 322 lifetime 28800 lt-recv 28800 nxt_rekey 13588 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
IKEv2 SA -- Active: 0, Dead: 0, Total 0
firewall-FW01.adminGLOBAL.COM-> get sa
total configured sa: 10
HEX ID     Gateway          Port Algorithm      SPI      Life:sec kb    Sta PID vsys
0000000f<  216.89.164.100   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
0000000f>  216.89.164.100   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000010<  1.1.1.5          500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000010>  1.1.1.5          500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000011<  173.9.234.1      500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000011>  173.9.234.1      500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000012<  66.192.88.194    500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000012>  66.192.88.194    500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000013<  174.76.146.175   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000013>  174.76.146.175   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000014<  1.1.1.4          500  esp:3des/sha1  e18bd51d 2122     unlim A/U -1  0
00000014>  1.1.1.4          500  esp:3des/sha1  a4f53bb3 2122     unlim A/U -1  0
00000015<  50.206.204.178   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000015>  50.206.204.178   500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000016<  98.185.192.7     500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000016>  98.185.192.7     500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000017<  1.1.1.2          500  esp:3des/sha1  e18bd51f 2141     unlim A/U -1  0
00000017>  1.1.1.2          500  esp:3des/sha1  6b16f254 2141     unlim A/U -1  0
00000018<  206.169.112.202  500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
00000018>  206.169.112.202  500  esp:3des/sha1  00000000 expir    unlim I/I -1  0
firewall-FW01.adminGLOBAL.COM-> exit
The show security associations commands on the SRX return nothing:
admin@Dallas_SRX> show security ike security-associations detail
admin@Dallas_SRX> show security ike security-associations
admin@Dallas_SRX> show security ipsec security-associations
Total active tunnels: 0
I found this forum post: http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/help-because-There-was-a-preexisting-session-from-the-same-peer/m-p/258729#M28974
I have the IKE service at both the interface and zone level on the Internet zone:
security-zone Internet {
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        fe-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    https;
                    ssh;
                    ike;
                }
            }
        }
    }
}
The post about the loopback adapter refers to a policy-based VPN and mine is route-based, so I'm not sure if that applies?
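Added example, not part of the original post or of Juniper's tooling: a small Python checker that parses ScreenOS 00536 event lines like those quoted above and flags, per peer, the sequence the SSG log shows (the SSG initiates Phase 1, the peer then initiates its own Phase 1, its INITIAL-CONTACT removes the existing SAs, and its next packet is rejected as a preexisting session). The sample log is constructed from the messages in the post, and the event labels are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the ScreenOS 00536 events quoted in the post (not a real capture).
SAMPLE_LOG = """\
2016-05-29 11:56:32 system info 00536 IKE 1.1.1.5 Phase 1: Initiated negotiations in main mode.
2016-05-29 11:56:32 system info 00536 IKE 1.1.1.5 Phase 2: Initiated negotiations.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5 Phase 1: Responder starts MAIN mode negotiations.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5: Received initial contact notification and removed Phase 2 SAs.
2016-05-29 11:56:57 system info 00536 IKE 1.1.1.5: Received initial contact notification and removed Phase 1 SAs.
2016-05-29 11:56:57 system info 00536 Rejected an IKE packet on ethernet0/0 from 1.1.1.5:500 to 1.1.1.1:500 with cookies ff4f91971ecbe61b and 4a1d3b8d654e7c36 because There was a preexisting session from the same peer.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) system \w+ \d{5} (.*)$")
PEER_RE = re.compile(r"(?:IKE\S*\s+|from )(\d+\.\d+\.\d+\.\d+)")  # peer IP after "IKE " or "from "
# Message substrings that identify the events of interest; anything else is ignored.
KINDS = [
    ("Initiated negotiations in main mode", "we_initiated_p1"),
    ("Responder starts MAIN mode", "peer_initiated_p1"),
    ("removed Phase 1 SAs", "p1_removed_by_initial_contact"),
    ("removed Phase 2 SAs", "p2_removed_by_initial_contact"),
    ("preexisting session from the same peer", "rejected_preexisting"),
]

def parse_events(text):
    """Return (timestamp, peer_ip, kind) for each recognised event line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        peer = PEER_RE.search(msg)
        kind = next((k for needle, k in KINDS if needle in msg), None)
        if peer and kind:
            out.append((ts, peer.group(1), kind))
    return out

def diagnose(events):
    """Per peer: both ends initiated Phase 1 and the peer's INITIAL-CONTACT removed our SAs; count rejects."""
    per_peer = defaultdict(Counter)
    for _, peer, kind in events:
        per_peer[peer][kind] += 1
    result = {}
    for peer, c in per_peer.items():
        collision = c["we_initiated_p1"] and c["peer_initiated_p1"] and c["p1_removed_by_initial_contact"]
        result[peer] = {"initiator_collision": bool(collision),
                        "rejected_preexisting": c["rejected_preexisting"],
                        "sa_teardowns": c["p1_removed_by_initial_contact"] + c["p2_removed_by_initial_contact"]}
    return result
```

Run it over a longer `get event` export to see whether the teardown repeats every time both gateways try to bring the tunnel up at once, which is a different problem from a lifetime or rekey mismatch.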