Site to Site (IPSec) between Juniper SRX and Cisco Meraki

Foysol
Conversationalist


I have configured Site to Site (IPSec) between a Juniper SRX and a Cisco Meraki, but I'm getting the error below on the MX.
If anyone has experience, please help. I'd appreciate it if anyone can share a Juniper script or documents too.

 

Thank you very much

Foysol

 

 

Event type | Details
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. d31ecfd04cf89533:9437beb688f65e4d"
Non-Meraki / Client VPN negotiation | "msg: purged IPsec-SA proto_id=ESP spi=2757963834."
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=2466040742(0x92fccba6)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=210099101(0xc85db9d)"
Non-Meraki / Client VPN negotiation | "msg: purged IPsec-SA proto_id=ESP spi=591549828."
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=2757963834(0xa463303a)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=146196861(0x8b6c97d)"
Non-Meraki / Client VPN negotiation | "msg: purged IPsec-SA proto_id=ESP spi=3540361976."
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=591549828(0x23425584)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=43942668(0x29e830c)"
Non-Meraki / Client VPN negotiation | "msg: purged IPsec-SA proto_id=ESP spi=251655378."
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=3540361976(0xd305a2f8)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=40458217(0x26957e9)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=251655378(0xefff4d2)"
Non-Meraki / Client VPN negotiation | "msg: IPsec-SA established: ESP/Transport 4.53.131.33[4500]->157.131.255.207[4500] spi=15946658(0xf353a2)"
Non-Meraki / Client VPN negotiation | "msg: ISAKMP-SA established 4.53.131.33[4500]-157.131.255.207[4500] spi:022e59eb33d1d55e:89198c1ec61cf838"
Non-Meraki / Client VPN negotiation | "msg: invalid DH group 19."
Non-Meraki / Client VPN negotiation | "msg: invalid DH group 20."
Non-Meraki / Client VPN negotiation | "msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 4f567d27bb3741f9:56424bfee40a8fc1"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 42373e387081761b:22d45b89852dc39b"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 1a25c883d3c994db:7ce405740713061e"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. e4c9bba582d4cdd7:0000000000000000"
Non-Meraki / Client VPN negotiation | "msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 655a6651df312eb6:0000000000000000"
Non-Meraki / Client VPN negotiation | "msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 459d57ef1db9ae49:0000000000000000"
Non-Meraki / Client VPN negotiation | "msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Non-Meraki / Client VPN negotiation | "msg: phase1 negotiation failed due to time up. 380fcbaa302bb8dc:0000000000000000"
Non-Meraki / Client VPN negotiation | "msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]"
Inderdeep
Kind of a big deal

Re: Site to Site (IPSec) between Juniper SRX and Cisco Meraki

@Foysol: check if the thread below helps

https://community.meraki.com/t5/Security-SD-WAN/MX68-Site-to-Site-VPN-Juniper-SSG-Series-Drops/td-p/...

Regards
Inderdeep Singh
www.thenetworkdna.com ( Awarded by Cisco IT Blogs award 2020)
Foysol
Conversationalist

Re: Site to Site (IPSec) between Juniper SRX and Cisco Meraki

Hi,

I checked this earlier but had no luck with it. NAT-T is disabled on the Juniper SRX but I'm still facing the same issue.
Thanks for your response @Inderdeep 

AlexP
Meraki Employee

Re: Site to Site (IPSec) between Juniper SRX and Cisco Meraki

"msg: phase1 negotiation failed due to time up. 655a6651df312eb6:0000000000000000"

This means the MX is trying to build an IKE peering with your SRX, and not getting a response. Specifically, that string of hex values you see - before the colon - is the initiator cookie of the first message we're trying to send to the SRX, and the fact that the responder cookie is all zeroes means we didn't get any response from it at all.
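
Added example, not part of the original thread: a small parser that applies the cookie reading described in the reply above to lines copied from the posted event log, separating phase 1 timeouts where the peer never answered (all-zero responder cookie) from those where both cookies were set. The function names and the pairing of a timeout with the "initiate" line below it (assuming the log is newest-first) are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the event log posted above (newest entry first).
SAMPLE_LOG = """\
msg: phase1 negotiation failed due to time up. 4f567d27bb3741f9:56424bfee40a8fc1
msg: phase1 negotiation failed due to time up. e4c9bba582d4cdd7:0000000000000000
msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]
msg: phase1 negotiation failed due to time up. 655a6651df312eb6:0000000000000000
msg: initiate new phase 1 negotiation: 4.53.131.33[500]<=>23.92.186.18[500]
msg: invalid DH group 19.
"""

TIMEOUT_RE = re.compile(
    r"phase1 negotiation failed due to time up\.\s+([0-9a-f]{16}):([0-9a-f]{16})")
INITIATE_RE = re.compile(
    r"initiate new phase 1 negotiation: [\d.]+\[\d+\]<=>([\d.]+)\[(\d+)\]")
NO_COOKIE = "0" * 16  # responder cookie was never filled in

def classify_timeouts(log_text):
    """Return one dict per phase 1 timeout: cookies, verdict, and peer if known."""
    lines = log_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        m = TIMEOUT_RE.search(line)
        if not m:
            continue
        initiator, responder = m.groups()
        entry = {"initiator": initiator, "responder": responder, "peer": None}
        if responder == NO_COOKIE:
            entry["verdict"] = "no_response"
            # Assumption: log is newest-first, so the matching "initiate" line
            # is the next one below, before any older timeout.
            for older in lines[i + 1:]:
                if TIMEOUT_RE.search(older):
                    break
                peer = INITIATE_RE.search(older)
                if peer:
                    entry["peer"] = f"{peer.group(1)}:{peer.group(2)}"
                    break
        else:
            entry["verdict"] = "exchange_started"  # both cookies were set
        results.append(entry)
    return results

def unanswered_peers(results):
    """Count timeouts per peer that never returned a responder cookie."""
    return Counter(r["peer"] for r in results if r["verdict"] == "no_response")

if __name__ == "__main__":
    for r in classify_timeouts(SAMPLE_LOG):
        print(r["initiator"], r["responder"], r["verdict"], r["peer"])
```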
