Netscreen-50 site-to-site VPN phase 1 error

Hello,
I'm setting up a site-to-site policy-based VPN and ran into the problem "Phase 1: Retransmission limit has been reached."
From all the resources I read, it means there is no response back from the peer VPN; however, I could not get help from the peer VPN to check their side's log.
I cannot use "debug ike" either; it seems the Netscreen-50 does not provide this function.
Can anyone tell me how to debug IKE traffic?
Thanks!
Best Regards!
Joyce

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
Re: Netscreen-50 site-to-site VPN phase 1 error

Joyce wrote:
> Hello,
hello
> I'm setting a site-to-site policy-based VPN and met problem "Phase 1:
> Retransmission limit has been reached."
> From all the resource I read, it means there is no response back from
> peer VPN, however I could not get help from peer VPN to check their
> side log.
> I can not use "debug ike" as well, seems Netscreen-50 does not provide
> this function.
Can you please indicate which ScreenOS version you're running?
If there is no response from the peer, it's probably a misconfiguration, i.e. your local gateway is not defined correctly, or the proposal for phase 1 doesn't match.
> Anyone can tell me how to debug IKE traffic? Thanks!
Getting the peer's trace is the easiest option.
> Best Regards!
> Joyce
Re: Netscreen-50 site-to-site VPN phase 1 error

Hi Joyce,
If the other side is a third-party device... this error is known! (And also fixed in the new firmware :)) Rev. 5.4.0r6 fixed it for us!
Best Regards,
Maarten van der Hoek

From: nn-bounces@... [mailto:nn-bounces@...] On Behalf Of Joyce
Re: Netscreen-50 site-to-site VPN phase 1 error

I forgot to say, the firmware version of the Netscreen-50 is 5.3.0r3.0 (Firewall+VPN); the peer VPN also uses Netscreen, although I'm not aware of their version.

----- Original Message -----
From: "pkc_mls" <pkc_mls@...>
To: <nn@...>
Sent: Wednesday, September 26, 2007 3:10 PM
Subject: Re: [nn] Netscreen-50 site-to-site VPN phase 1 error
Re: Netscreen-50 site-to-site VPN phase 1 error

Hi Joyce,
When I had troubles with IKE traffic on an NS ISG2000 I used the following commands, but I don't know if they're available on the NS50:
1- To clear the debug buffer, type the following: clear dbuf
2- Type: debug ike
3- To display the debug output on the terminal, use the command: get dbuf stream
If the other VPN peer is a NS and you're not able to debug on your FW, then maybe the peer can execute these commands and send you the output.
BR,
Claudio

-----Original Message-----
From: nn-bounces@... [mailto:nn-bounces@...] On Behalf Of Joyce
Sent: Wednesday, 26 September 2007 10:22
To: pkc_mls; maarten@...
Cc: nn@...
Subject: Re: [nn] Netscreen-50 site-to-site VPN phase 1 error
Re: Netscreen-50 site-to-site VPN phase 1 error

Thanks. The NS50 does have "clear dbuf", but doesn't have "debug ike" or "get dbuf stream". I don't know if they are provided by another command or they don't have them at all.
Joyce

----- Original Message -----
From: "Claudio Cecchetto" <claudio.cecchetto@...>
To: "Joyce" <joyce.xie@...>; "pkc_mls" <pkc_mls@...>; <maarten@...>
Cc: <nn@...>
Sent: Wednesday, September 26, 2007 3:29 PM
Subject: RE: [nn] Netscreen-50 site-to-site VPN phase 1 error
Re: Netscreen-50 site-to-site VPN phase 1 error

Joyce wrote:
> Thanks. NS50 do have "clear dbuf", but dont' have "debug ike" or "get dbuf
> stream". I don't know if they are provided by other command or they don't
> have at all.
You should at least have some information in the WebGUI: reports -> system log -> events.
Are you connected to your device with an administrator account?
What happens if the remote site tries to establish the VPN?
Re: Netscreen-50 site-to-site VPN phase 1 error

The information in the event log is not very detailed; that's why I'm trying to find a way to debug.
Yes, I think I have to get help from the remote site.
Thanks.
Joyce

----- Original Message -----
From: "pkc_mls" <pkc_mls@...>
To: <nn@...>
Sent: Wednesday, September 26, 2007 4:02 PM
Subject: Re: [nn] Netscreen-50 site-to-site VPN phase 1 error
Re: Netscreen-50 site-to-site VPN phase 1 error

The NS 50 has the commands; they are:
debug ike all
get dbuf stream
The dbuf (debug buffer) will not show anything until the debug command has been executed. When you are done with debugging, type the command "undebug all" or hit the escape key.
Greg

Joyce wrote:
> Thanks. NS50 do have "clear dbuf", but dont' have "debug ike" or "get dbuf
> stream". I don't know if they are provided by other command or they don't
> have at all.
Re: Netscreen-50 site-to-site VPN phase 1 error

Phase 1 retransmissions can only be caused by 4 things.
1. The peer IP is incorrect or cannot be reached
2. Preshared keys do not match
3. Phase 1 encryption does not match
4. Wrong outgoing interface. When you set up the Gateway it had you pick your outgoing interface; be sure you picked the Ethernet port that is the outgoing interface. That error has caught me several times.
Be sure you can ping your peer IP (have them turn on ping on the untrust) from your firewall. If there is port blocking in front of your firewall, make sure they are not blocking UDP 500 and IP 50.
Greg

Joyce wrote:
> The information in event log is very not detail, that's why I'm trying to
> find debug way.
> Yes, I think have to get help from remote site.
Re: Netscreen-50 site-to-site VPN phase 1 error

On Sep 26, 2007, at 5:56, Greg Conroy wrote:
> When you set up the Gateway it had you pick your outgoing interface, be
> sure you picked the Ethernet port that is the outgoing interface. That
> error has caught me several times,
And... once you screw this up you cannot change the interface without deleting/recreating the gateway. Or has this been fixed/changed in newer versions of ScreenOS?
This has nailed me before - it seems the "default" outgoing interface is the Trust interface, which sure doesn't work!
-Charles
--
Charles Robinson - charlesr@...
Minneapolis, MN
http://charles.robinsontwins.org
Re: Netscreen-50 site-to-site VPN phase 1 error

I believe you are wrong ... the NetScreen 50 has almost a full complement of "debug" commands in ScreenOS 5.3.x (I have used them). You may be limited by the privilege level of the admin account you are using; you must use a privileged account to get use of all available commands.

> ns50-0357-> get debug ?
> >               redirect output
> |               match output
> <return>
> ns50-0357-> debug ?
> admin           debug admin
> anti-spam       anti-spam debugging
> apppry          Application Proxy debugging
> arp             arp debugging
> asp             ASP debugging
> asset-recovery  asset recovery debugging
> auth            user authentication debugging
> autocfg         Auto config debugging
> av              anti virus scan debugging
> bgp             bgp debugging
> cluster         command propagated to cluster members
> cpapi           cpapi debugging
> dhcp            debug dhcp
> dhcp6           dhcpv6 debugging
> dip             dip debugging
> dlog            dlog debugging
> dns             dns debugging
> driver          driver debugging
> emweb           EmWeb debugging
> filesys         Filesys debugging
> fips            fips debugging
> flash           flash operating debugging
> flow            Flow level debugging
> flow-tunnel     Flow Tunnel debugging
> fs              file system debugging
> gc              gc receive and transmit debug
> gdb             GDB debugging
> global-pro      global-pro debugging
> gt              generic tunnel debugging
> gtmac           gtmac debug
> h323            h323 debugging
> httpfx          http-fx debugging
> icmp            icmp debugging
> idp             set idp debug parameters
> ids             ids debugging
> igmp            igmp debugging
> ike             ike debugging
> interface       interface debugging
> intfe           Intfe debugging
> ip              ip debugging
> ipv6            ipv6 debugging
> ixf             ixf debug
> l2tp            L2TP debugging
> lance           Lance debugging
> ldap            ldap debug menu
> logging         logging debugging
> memory          Memory debugging
> mgcp            mgcp debugging
> mip             mip debugging
> modem           Moden debugging
> nas             nas debugging
> nasa            nasa debugging
> nat             nat debugging
> ndp             ndp debugging
> netif           netif debugging
> npak            npak debugging
> nrtp            Reliable Xfer Protocol debugging
> nsgp            debug nsgp
> nsmgmt          debug nsmgmt
> nsp             NSM NSP message content
> nsrd            NSRD debugging
> nsrp            debug nsrp
> obj-id          obj id debugging
> ospf            ospf debugging
> pccard          Pccard debugging
> pim             pim debugging
> pki             pki debug menu
> pluto           Pluto debugging
> policy          policy debugging
> portnum         portnum debugging
> ppcdrv          driver debugging
> ppp             ppp debugging
> pppoa           pppoa debugging
> pppoe           pppoe debugging
> proxy           tcp proxy debugging
> rd              rd debug info
> registry        system events registry debugging
> report          report debugging
> rip             rip debugging
> ripng           ripng debugging
> rm              rm debugging
> rms             rms debug info
> rpc             rpc debugging
> rs              rs debug info
> sa-mon          sa monitor debugging
> scan-mgr        scan manager debugging
> sccp            sccp debugging
> sendmail        sendmail debugging
> session         session debugging
> shaper          debug shaper
> sip             sip debugging
> snmp            snmpnew debugging
> socket          socket debug
> ssh             debug ssh
> ssl             ssl debugging
> stflow          saturn flow debug info
> sw-key          software key debugging
> syslog          syslog debugging
> tag             tag info
> task            Task debugging
> tcp             tcp debug
> telnet          debug telnet
> time            device clock time debugging
> timer           Timer debugging
> trackip         debug trackip
> traffic         traffic control debugging
> udp             udp debugging
> uf              UF debugging
> url-blk         url filtering debugging
> user            user/group database debugging
> vip             vip debugging
> vr              vritual router debugging
> vrrp            vrrp debugging
> vsys            vsys debugging
> vwire           VWIRE debugging
> web             WebUI debugging
> webtrends       webtrends debugging
> wlan            wlan debugging
> zone            zone debugging

On 9/26/07 12:57 AM, Joyce wrote:
> Thanks. NS50 do have "clear dbuf", but dont' have "debug ike" or "get dbuf
> stream". I don't know if they are provided by other command or they don't
> have at all.