#1
Three questions below... Using an SRX5308, firmware 3.0.7-29. Spent the better part of two days configuring a "simple" tunnel with a customer who uses a Cisco ASA. The customer wanted to use AES256 and MD5, but this would never establish even IKE; the log showed:

[IKE] Ignore information because the message has no hash payload.

right after "setting DPD Vendor ID". We ranged up and down the IKE and VPN policy values, changing many things, and eventually settled on the fact that only 3DES SHA1 would work between us (we always changed the IKE and VPN policy in sync, so maybe phase 1 was all we needed to change). Once we were both trying 3DES SHA1 we were able to receive the next vendor IDs of CISCO_UNITY, draft-ietf...., and DPD, and the tunnel kinda "came up" (but see my note about individual IP addresses below too!).

1) Is there a known problem with the 5308 when trying to use AES256 in general, or is there something known bad when interacting with a Cisco ASA?

Next: this tunnel was to access three sequentially addressed machines on the remote LAN, so instead of using an individual IP policy, or a subnet, I attempted to use a range. This was the final piece of the puzzle that got us working; any time I used a range on the 5308 side, I had no access and could not ping the endpoints, and I am no longer sure which parts of the logs pertain to this - it may also have been giving me the "no hash payload" stuff. The Cisco was always configured with a range of the three addresses, and remains so now; the admin on their side never changed his end for that. I was forced to declare three VPN policies using an individual address for each box to finally, finally, get it working. So:

2) Has anyone used the "range" setting in the remote-IP field and gotten it working? Between 5308s only, or between other vendors' firewalls?

Final question: I had several times when the GUI of the 5308 totally locked up; the browser returned "not responding" - once it took long enough to convince me to drive to the datacenter and reboot the box, even though all other IPsec tunnels and my local access were working fine, so obviously the router was still up. This seemed to happen when I changed some IKE policy values - just, "gone, baby" - but I was unfortunately unable to nail it down to exactly which ones. I was on my way in for the second one when my colleague said it just came back on its own - at least 10 minutes of sitting there hitting refresh, trying to log in with another browser, another machine, etc.

3) Is that GUI lockup a known issue?

(Okay, sorry, but I'll slide one more question in here: using the CLI, I was trying to enable/disable my policies so we could at least keep trying stuff with our customer on the line. I wondered if there were any tips on CLI syntax besides the excellent one here: http://forum1.netgear.com/showthread.php?t=28158 - perhaps the 5308 doesn't use the same (although it sure seems like it), but I could never get commands like "action 1 1" or "apply 1 0" to take effect; it always complained about an "invalid input argument - 1", so I have no idea how to use the CLI when the GUI was dead. What is the correct argument to use there, if not the policy number shown in the list?! And what is the "enable" and "disable" INT? I'd assumed 0 and 1 but nothing was accepted. It was all very frustrating.)

Thanks very much for any feedback or ideas.
__________________
-- Brent Harsh Velleros, Inc Cary, NC
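The two negotiation steps the post above is fighting, modelled in Python as an added example (not code from the post, from Netgear or from Cisco): an IKEv1 responder only completes Phase 1 if one of the initiator's transforms equals one of its own policies in every attribute, and a strict Quick Mode responder only accepts a proxy ID that exactly equals one of its configured selectors. The proposal lists, the 10.0.0.11-13 hosts and the `peer_accepts_range` flag are constructed assumptions; the thread does not establish what the customer's ASA was actually configured with or whether it implements ID_IPV4_ADDR_RANGE.

```python
"""Model of the two IKEv1 negotiation steps the post is fighting: Phase 1
proposal selection and Phase 2 (Quick Mode) traffic-selector matching.
Added illustration, not code from the post, from Netgear or from Cisco;
every proposal list and address below is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proposal:
    enc: str       # "aes256", "3des", ...
    hash_alg: str  # "sha1", "md5"
    dh_group: int  # Diffie-Hellman group number
    auth: str = "psk"


def responder_select(initiator: Iterable[Proposal],
                     responder_policies: Iterable[Proposal]) -> Optional[Proposal]:
    """Main mode: the responder walks its policies in priority order and
    accepts the first initiator transform that equals one of them.  Every
    attribute must agree; one mismatched attribute means no Phase 1 SA."""
    offered = list(initiator)
    for policy in responder_policies:
        for transform in offered:
            if transform == policy:
                return transform
    return None


@dataclass(frozen=True)
class Selector:
    """Quick Mode proxy ID.  kind maps to the IKEv1 ID type:
    "addr" -> ID_IPV4_ADDR, "subnet" -> ID_IPV4_ADDR_SUBNET,
    "range" -> ID_IPV4_ADDR_RANGE."""
    kind: str
    value: str  # "10.0.0.11", "10.0.0.0/24" or "10.0.0.11-10.0.0.13"

    def hosts(self) -> Set[IPv4Address]:
        if self.kind == "addr":
            return {IPv4Address(self.value)}
        if self.kind == "subnet":
            return set(IPv4Network(self.value))
        if self.kind == "range":
            lo, hi = (IPv4Address(x) for x in self.value.split("-"))
            return {IPv4Address(a) for a in range(int(lo), int(hi) + 1)}
        raise ValueError(f"unknown selector kind {self.kind}")


def quick_mode_match(proposed: Selector, peer_entries: List[Selector],
                     peer_accepts_range: bool) -> bool:
    """A strict responder requires the initiator's proxy ID to equal one of
    its own configured entries.  A peer that does not implement
    ID_IPV4_ADDR_RANGE rejects a range ID outright; whether a given peer does
    is modelled by the flag, not looked up (assumption)."""
    if proposed.kind == "range" and not peer_accepts_range:
        return False
    return any(proposed.hosts() == entry.hosts() for entry in peer_entries)


def plan_sas(hosts: List[str], peer_entries: List[Selector],
             peer_accepts_range: bool) -> Tuple[bool, int]:
    """Try one range covering the hosts first; fall back to one policy per
    host.  Returns (range_worked, number_of_policies_needed); 0 policies
    means not even per-host selectors matched."""
    rng = Selector("range", f"{hosts[0]}-{hosts[-1]}")
    if quick_mode_match(rng, peer_entries, peer_accepts_range):
        return True, 1
    per_host_ok = all(quick_mode_match(Selector("addr", h), peer_entries,
                                       peer_accepts_range) for h in hosts)
    return False, len(hosts) if per_host_ok else 0


# Constructed sample data (assumptions, not the customer's real config).
OUR_PROPOSALS = [Proposal("aes256", "md5", 2), Proposal("3des", "sha1", 2)]
ASA_POLICIES = [Proposal("aes256", "sha1", 2), Proposal("3des", "sha1", 2)]
HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
ASA_ENTRIES = [Selector("addr", h) for h in HOSTS]  # three host entries

if __name__ == "__main__":
    print("phase 1, AES256/MD5 only offered:", responder_select(OUR_PROPOSALS[:1], ASA_POLICIES))
    print("phase 1, both offered:           ", responder_select(OUR_PROPOSALS, ASA_POLICIES))
    print("phase 2, peer without range IDs: ", plan_sas(HOSTS, ASA_ENTRIES, False))
    print("phase 2, peer with range IDs:    ", plan_sas(HOSTS, ASA_ENTRIES, True))
```

The point of the second half is that a single range selector on one side never equals three per-host entries on the other, whether or not the peer understands range IDs; only three SAs, one per host, line up entry for entry, which is the shape of the workaround the post describes. The flag is there because a peer that lacks the range ID type fails earlier, before any comparison happens.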
#2
AES256 should not be an issue, but I think the issues are between using Netgear and Cisco devices for the tunnel.
I never got any documents a while back, but I know the FVX works and the firmware core is the same, so it should work. I'm not sure of the exact Cisco model; a user I have emailed in the past used an FVX, but it was working for him.
__________________
VPN Case Study (www.vpncasestudy.com) Our Second To None VPN Related Setup Case Study "One Stop Solution To Your Netgear VPN Connectivity" *Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support] Most Other Useful Docs - "General Technical Documentation", "Router Reset", "Router Setup", "Print Server Tips", "Remote Admin", "Wireless Tips" Forum Policy June Mizoguchi-i....@vpncasestudy.com