Meraki

Community

Site to Site (IPSec) between Juniper SRX and Cisco Meraki

Foysol
Here to help
‎Jul 11 2021 2:37 PM
‎Jul 11 2021 2:37 PM

Site to Site (IPSec) between Juniper SRX and Cisco Meraki

I have configured Site to Site (IPSec) between Juniper SRX and Cisco Meraki but I'm getting below error on MX.
If anyone has experience please help. I'll appreciate if anyone can share juniper script or documents too.   

 

Thank you very much

Foysol

 

 

Event typeDetails
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. d31ecfd04cf89533:9437beb688f65e4d"
Non-Meraki / Client VPN negotiation"msg: purged IPsec-SA proto_id=ESP spi=2757963834."
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=2466040742(0x92fccba6)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=210099101(0xc85db9d)"
Non-Meraki / Client VPN negotiation"msg: purged IPsec-SA proto_id=ESP spi=591549828."
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=2757963834(0xa463303a)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=146196861(0x8b6c97d)"
Non-Meraki / Client VPN negotiation"msg: purged IPsec-SA proto_id=ESP spi=3540361976."
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=591549828(0x23425584)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=43942668(0x29e830c)"
Non-Meraki / Client VPN negotiation"msg: purged IPsec-SA proto_id=ESP spi=251655378."
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=3540361976(0xd305a2f8)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=40458217(0x26957e9)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=251655378(0xefff4d2)"
Non-Meraki / Client VPN negotiation"msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=15946658(0xf353a2)"
Non-Meraki / Client VPN negotiation"msg: ISAKMP-SA established 4.53.131.33[4500]-157.131.255.207[4500] spi:022e59eb33d1d55e:89198c1ec61cf838"
Non-Meraki / Client VPN negotiation"msg: invalid DH group 19."
Non-Meraki / Client VPN negotiation"msg: invalid DH group 20."
Non-Meraki / Client VPN negotiation"msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 4f567d27bb3741f9:56424bfee40a8fc1"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 42373e387081761b:22d45b89852dc39b"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 1a25c883d3c994db:7ce405740713061e"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. e4c9bba582d4cdd7:0000000000000000"
Non-Meraki / Client VPN negotiation"msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 655a6651df312eb6:0000000000000000"
Non-Meraki / Client VPN negotiation"msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 459d57ef1db9ae49:0000000000000000"
Non-Meraki / Client VPN negotiation"msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation"msg: phase1 negotiation failed due to time up. 380fcbaa302bb8dc:0000000000000000"
Non-Meraki / Client VPN negotiation"msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
0 Kudos
3 Replies 3
Inderdeep
Kind of a big deal
Kind of a big deal
‎Jul 11 2021 2:44 PM
‎Jul 11 2021 2:44 PM

@Foysol : check if below thread helps 

https://community.meraki.com/t5/Security-SD-WAN/MX68-Site-to-Site-VPN-Juniper-SSG-Series-Drops/td-p/...

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
In response to Inderdeep
Foysol
Here to help
‎Jul 14 2021 11:05 AM
‎Jul 14 2021 11:05 AM

Hi,

I checked this earlier but no luck with it. NAT-T is disabled on juniper srx but still facing same issue.
Thanks for your response @Inderdeep 

0 Kudos
In response to Foysol
AlexP
Meraki Employee
Meraki Employee
‎Jul 20 2021 12:42 PM
‎Jul 20 2021 12:42 PM

msg: phase1 negotiation failed due to time up. 655a6651df312eb6:0000000000000000"

 

 

This means the MX is trying to build an IKE peering with your SRX, and not getting a response. Specifically, that string of hex values you see - before the colon - is the initiator cookie of the first message we're trying to send to the SRX, and the fact that the responder cookie is all zeroes means we didn't get any response from it at all.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.