# Unable to bring up VPN



## mirei03 (Jan 20, 2014)

Hi,
Suddenly, my VPN between the 2 offices went down. I am really new to these things, so please bear with me as I try to describe my problem.
To cut a long story short, after comparing and re-configuring the VPN, it still doesn't work. I have 2 Juniper firewalls. I hope someone can help me. Here are the details:
FW1:

office1IP-> get ike cookie
Active: 2, Dead: 0, Total 3
4203/1, office2IP->office1IP: PRESHR/grp2/3DES/MD5, xchg(2) usr(d-1/u-1)
resent-tmr 1 lifetime 28800 lt-recv 28800 nxt_rekey 28774 cert-expire 0
initiator 0, in-out 0, err cnt 6, send dir 0, cond 0
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
get sa
00000054 0< office2IP 500 esp:3des/md5 00000000 expir unlim I/I vpn 0
00000054 0> office2IP 500 esp:3des/md5 00000000 expir unlim I/I vpn 0
00000055 0< office2IP 500 esp:3des/md5 00000000 expir unlim I/I -1 0
00000055 0> office2IP 500 esp:3des/md5 00000000 expir unlim I/I -1 0
office1IP-> debug ike detail
office1IP-> get db stream
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:46:32 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> phase 1 sa for root sys.
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> Receive re-transmit IKE packet phase 1 SA(office2IP) exchg(2) len(136)
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (5) (4203/1)
##2014-01-20 18:46:32 system-debugging: IKE<office2IP> send_request to peer
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:46:36 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> phase 1 sa for root sys.
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> Receive re-transmit IKE packet phase 1 SA(office2IP) exchg(2) len(136)
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (6) (4203/1)
##2014-01-20 18:46:36 system-debugging: IKE<office2IP> send_request to peer
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:46:40 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> phase 1 sa for root sys.
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> Receive re-transmit IKE packet phase 1 SA(office2IP) exchg(2) len(136)
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
--- more ---
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (7) (4203/1)
##2014-01-20 18:46:40 system-debugging: IKE<office2IP> send_request to peer
office1IP->
office1IP->
office1IP-> clear db
office1IP-> debug ike detail
office1IP-> get db stream
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> Phase 1 SA reported broken.
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> xauth_cleanup()
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> ike_p1_cleanup() finished.
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> delete sa(office2IP - office1IP), state (4203/1)
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> ****** Recv kernel msg IDX-14, TYPE-5 ******
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> sa orig index<14>, peer_id<15>.
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> C build_pref_cert_from_hash exit
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> isadb get entry by peer/local ip and port
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> create sa: office1IP->office2IP
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> getProfileFromP1Proposal->
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> xauthstatus is 0
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> find profile[0]=<00000005 00000001 00000001 00000002> for p1 proosal (id 4)
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> Phase 2 task added
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> Msg header built (next payload #1)
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> constructing SA payload for isakmp.
##2014-01-20 18:47:06 system-debugging: XAUTH: disabled
##2014-01-20 18:47:06 system-debugging: auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2014-01-20 18:47:06 system-debugging:
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> lifetime(28800/0)
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:47:06 system-debugging: IKE<0.0.0.0> , exp pak
--- more ---
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> Sending P1 -->
##2014-01-20 18:47:06 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:47:06 system-debugging: Payload: Security_Assoc Vendor_ID Vendor_ID
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> send_request to peer
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> <office1IP => office2IP> Phase 1: Initiated negotiations in main mode.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:47:07 system-debugging: IKE New SA:
##2014-01-20 18:47:07 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:47:07 system-debugging: validate(108): SA/52 VID/84 VID/108
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Getting IKE gateway entry for peer ip <office2IP>, local ip <office1IP>, vsys <none>, id type <0>.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Getting peer_ent by peer IP/local IP.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> locate peer entry for (peer ip office2IP, local if ethernet1/1).
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> got static peer entry (VPN_PJ).
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> C build_pref_cert_from_hash exit
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Phase 1: Responder starts MAIN mode negotiations.
##2014-01-20 18:47:07 system-debugging: IKE<0.0.0.0> responder create sa: office2IP->office1IP
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> getProfileFromP1Proposal->
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> xauthstatus is 0
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> find profile[0]=<00000005 00000001 00000001 00000002> for p1 proosal (id 4)
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Process MM state OAK_MM_NO_STATE.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Process SA:
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Receive p1:
--- more ---
##2014-01-20 18:47:07 system-debugging: XAUTH: disabled
##2014-01-20 18:47:07 system-debugging: auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2014-01-20 18:47:07 system-debugging:
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> phase 1 atts[0] selected.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> sa->OAK_LIFE_TYPE=1
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> sa->lifetime_rec=28800
##2014-01-20 18:47:07 system-debugging: IKE<0.0.0.0> dh group 2
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Process VID:
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Vendor ID::
##2014-01-20 18:47:07 system-debugging: c6 d7 c4 70 59 72 26 ff f3 b7 7e 36 d7 ff 8f 0e
##2014-01-20 18:47:07 system-debugging: ac f3 96 08 00 00 00 07 00 00 04 03
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> peer is an NetScreen box, model=NS-500, ver=4.03
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Process VID:
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Vendor ID::
##2014-01-20 18:47:07 system-debugging: 48 65 61 72 74 42 65 61 74 5f 4e 6f 74 69 66 79
##2014-01-20 18:47:07 system-debugging: 38 6b 01 00
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> rcv HeartBeat vid, ver 1.0
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Phase 1 MM Responder constructing 2nd message.
##2014-01-20 18:47:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Msg header built (next payload #1)
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> constructing SA payload for isakmp.
##2014-01-20 18:47:07 system-debugging: XAUTH: disabled
--- more ---
##2014-01-20 18:47:07 system-debugging: auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2014-01-20 18:47:07 system-debugging:
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> lifetime(28800/0)
##2014-01-20 18:47:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:47:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Sending P1 -->
##2014-01-20 18:47:07 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:47:07 system-debugging: Payload: Security_Assoc Vendor_ID Vendor_ID
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> send_request to peer
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> p1 SA (my cookie:<ac a1 6a da>) is removed due to simultenous rekey
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> catcher: pki state<0>ike state<1/4203>
##2014-01-20 18:47:10 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 0/0001,i):
##2014-01-20 18:47:10 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (0) (0001/0)
##2014-01-20 18:47:10 system-debugging: IKE<office2IP> bad sa, can't send request
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:47:11 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> phase 1 sa for root sys.
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> Receive re-transmit IKE packet phase 1 SA(office2IP) exchg(2) len(136)
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (0) (4203/1)
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> send_request to peer
--- more ---
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> ****** Recv packet if <ethernet1/1> vsys <Root> ******
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:47:15 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> phase 1 sa for root sys.
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> Receive re-transmit IKE packet phase 1 SA(office2IP) exchg(2) len(136)
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> SA: (root, local office1IP, sa 1/4203,r):
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (1) (4203/1)
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> send_request to peer
office1IP-> get event type 536
Total event entries = 4094
Date Time Module Level Type Description
2014-01-20 18:48:08 system info 00536 IKE<office2IP> Phase 1: Responder
starts MAIN mode negotiations.
2014-01-20 18:47:55 system info 00536 IKE<office2IP> Phase 1:
Retransmission limit has been reached.
2014-01-20 18:47:33 system info 00536 IKE<office2IP> Phase 2 negotiation
request is already in the task list.
2014-01-20 18:47:16 system info 00536 IKE<office2IP> Added Phase 2
session tasks to the task list.
2014-01-20 18:47:07 system info 00536 IKE(office2IP) p1 SA (my cookie:
<ac a1 6a da>) is removed due to
simultaneous rekey.
2014-01-20 18:47:07 system info 00536 IKE<office2IP> Phase 1: Responder
starts MAIN mode negotiations.
2014-01-20 18:47:06 system info 00536 IKE<office1IP> >> <office2IP>
Phase 1: Initiated negotiations in
main mode.
2014-01-20 18:46:56 system info 00536 IKE<office2IP> Phase 1:
Retransmission limit has been reached.
2014-01-20 18:46:08 system info 00536 IKE<office2IP> Phase 1: Responder
starts MAIN mode negotiations.
--- more ---
2014-01-20 18:45:56 system info 00536 IKE<office2IP> Phase 1:
 Retransmission limit has been reached.
2014-01-20 18:45:08 system info 00536 IKE(office2IP) p1 SA (my cookie:
<dc 3a 51 6e>) is removed due to
simultaneous rekey.
2014-01-20 18:45:08 system info 00536 IKE<office2IP> Phase 1: Responder
starts MAIN mode negotiations.
FW2:
office2IP-> get ike cookie
Active: 1, Dead: 1, Total 2
0001/0, office2IP->office1IP: NONE/grp0/NULL/NULL, xchg(2) usr(d-1/u-1)
resent-tmr 0 lifetime 28800 lt-recv 0 nxt_rekey 28749 cert-expire 0
initiator 1, in-out 1, err cnt 11, send dir 0, cond 2
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
get sa
0000001b 0< office1IP 500 esp:3des/md5 00000000 expir unlim I/I vpn 0
0000001b 0> office1IP 500 esp:3des/md5 00000000 expir unlim I/I vpn 0
0000001c 0< office1IP 500 esp:3des/md5 00000000 expir unlim I/I -1 0
0000001c 0> office1IP 500 esp:3des/md5 00000000 expir unlim I/I -1 0
office2IP-> clear db
office2IP-> debug ike detail
office2IP-> get db stream
##2014-01-20 18:57:48 system-debugging: IKE<office1IP> SA: (root, local office2IP, sa 0/0001,i):
##2014-01-20 18:57:48 system-debugging: IKE<office1IP> re-trans timer expired, msg retry (9) (0001/0)
##2014-01-20 18:57:48 system-debugging: IKE<office1IP> send_request to peer
##2014-01-20 18:57:52 system-debugging: IKE<office1IP> SA: (root, local office2IP, sa 0/0001,i):
##2014-01-20 18:57:52 system-debugging: IKE<office1IP> re-trans timer expired, msg retry (10) (0001/0)
##2014-01-20 18:57:52 system-debugging: IKE<office1IP> send_request to peer
##2014-01-20 18:57:55 system-debugging: IKE<46.51.216.237> ****** Recv packet if <ethernet2/2> vsys <Root> ******
##2014-01-20 18:57:55 system-debugging: IKE New SA:
##2014-01-20 18:57:55 system-debugging: Msg, len 156, nxp 8, exch 32, flag 01 E
##2014-01-20 18:57:55 system-debugging: IKE<46.51.216.237> Cannot locate phase 1 session for IKE packet. next payload type<8>
##2014-01-20 18:57:56 system-debugging: IKE<office1IP> SA: (root, local office2IP, sa 0/0001,i):
##2014-01-20 18:57:56 system-debugging: IKE<office1IP> re-trans timer expired, msg retry (11) (0001/0)
##2014-01-20 18:57:56 system-debugging: IKE<office1IP> Phase 1: Retransmission limit has been reached.
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> ****** Recv kernel msg IDX-7, TYPE-5 ******
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> sa orig index<7>, peer_id<4>.
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> C build_pref_cert_from_hash exit
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> Phase 1 SA reported broken.
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> xauth_cleanup()
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> ike_p1_cleanup() finished.
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> delete sa(office2IP - office1IP), state (0001/0)
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> isadb get entry by peer/local ip and port
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> create sa: office2IP->office1IP
--- more ---
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> getProfileFromP1Proposal->
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> xauthstatus is 0
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> find profile[0]=<00000005 00000001 00000001 00000002> for p1 proosal (id 4)
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> Phase 2 task added
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> Msg header built (next payload #1)
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> constructing SA payload for isakmp.
##2014-01-20 18:58:07 system-debugging: XAUTH: disabled
##2014-01-20 18:58:07 system-debugging: auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2014-01-20 18:58:07 system-debugging:
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> lifetime(28800/0)
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:58:07 system-debugging: IKE<0.0.0.0> , exp pak
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> Sending P1 -->
##2014-01-20 18:58:07 system-debugging: Msg, len 136, nxp 1, exch 2, flag 00
##2014-01-20 18:58:07 system-debugging: Payload: Security_Assoc Vendor_ID Vendor_ID
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> send_request to peer
##2014-01-20 18:58:07 system-debugging: IKE<office1IP> <office2IP => office1IP> Phase 1: Initiated negotiations in main mode.
##2014-01-20 18:58:11 system-debugging: IKE<office1IP> SA: (root, local office2IP, sa 0/0001,i):
##2014-01-20 18:58:11 system-debugging: IKE<office1IP> re-trans timer expired, msg retry (0) (0001/0)
##2014-01-20 18:58:11 system-debugging: IKE<office1IP> send_request to peer
--- more ---
##2014-01-20 18:58:15 system-debugging: IKE New SA:
##2014-01-20 18:58:15 system-debugging: Msg, len 156, nxp 8, exch 32, flag 01 E
##2014-01-20 18:58:15 system-debugging: IKE<office1IP> SA: (root, local office2IP, sa 0/0001,i):
##2014-01-20 18:58:15 system-debugging: IKE<office1IP> re-trans timer expired, msg retry (1) (0001/0)
##2014-01-20 18:58:15 system-debugging: IKE<office1IP> send_request to peer
office2IP-> get event type 536
Total event entries = 753
Date Time Module Level Type Description
2014-01-20 18:58:55 system info 00536 IKE<office1IP> Phase 1:
Retransmission limit has been reached.
2014-01-20 18:58:53 system info 00536 IKE<office1IP> Phase 2
negotiation request is already in the
task list.
2014-01-20 18:58:42 system info 00536 IKE<office1IP> Phase 2
negotiation request is already in the
task list.
2014-01-20 18:58:31 system info 00536 IKE<office1IP> Phase 2
negotiation request is already in the
task list.
2014-01-20 18:58:18 system info 00536 IKE<office1IP> Phase 2
negotiation request is already in the
task list.
2014-01-20 18:58:07 system info 00536 IKE<office2IP> >> <office1IP>
Phase 1: Initiated negotiations in
main mode.
2014-01-20 18:57:56 system info 00536 IKE<office1IP> Phase 1:
Retransmission limit has been reached.
2014-01-20 18:57:48 system info 00536 IKE<office1IP> Phase 2


----------
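An added example, not part of the original post: a small Python parser for `get db stream` lines in the format pasted above. It tallies the phase 1 symptoms seen per peer, records the highest retransmit count per SA state, and flags proposals that use legacy algorithms such as the 3DES/MD5/group 2 set shown in the logs. The label names and the legacy lists are assumptions of this example, and the sample lines are constructed from the post's output.

```python
import re
from collections import Counter

# Constructed sample in the post's `get db stream` format (placeholders kept).
SAMPLE = """\
##2014-01-20 18:47:06 system-debugging: auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2014-01-20 18:47:06 system-debugging: IKE<office2IP> <office1IP => office2IP> Phase 1: Initiated negotiations in main mode.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> Phase 1: Responder starts MAIN mode negotiations.
##2014-01-20 18:47:07 system-debugging: IKE<office2IP> p1 SA (my cookie:<ac a1 6a da>) is removed due to simultenous rekey
--- more ---
##2014-01-20 18:47:10 system-debugging: IKE<office2IP> bad sa, can't send request
##2014-01-20 18:47:11 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (0) (4203/1)
##2014-01-20 18:47:15 system-debugging: IKE<office2IP> re-trans timer expired, msg retry (1) (4203/1)
"""

LINE = re.compile(r"^##\S+ \S+ system-debugging: (?:IKE<([^>]*)> ?)?(.*)$")
RETRY = re.compile(r"msg retry \((\d+)\) \(([0-9a-f]+/\d+)\)")
PROPOSAL = re.compile(r"encr\(\d+\)<(\w+)>, hash\(\d+\)<(\w+)>, group\((\d+)\)")
LEGACY_ALGS = {"DES", "3DES", "MD5"}   # assumed policy: algorithms treated as legacy
LEGACY_DH_GROUPS = {1, 2}              # 768- and 1024-bit MODP groups
# Substrings taken from messages in the post; the labels are hypothetical names.
SYMPTOMS = {
    "Initiated negotiations in main mode": "p1_initiated",
    "Responder starts MAIN mode": "p1_responder",
    "removed due to simult": "p1_dropped_simultaneous_rekey",
    "bad sa, can't send request": "bad_sa",
    "Retransmission limit has been reached": "p1_retransmit_limit",
    "Cannot locate phase 1 session": "no_p1_session",
}

def summarize(text):
    """Tally phase 1 symptoms per peer; pager lines and prompts are skipped."""
    events, max_retry, legacy = Counter(), {}, set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        peer, msg = m.groups()
        p = PROPOSAL.search(msg)
        if p:  # proposal lines carry no IKE<peer> prefix in this output
            legacy |= {a for a in p.group(1, 2) if a in LEGACY_ALGS}
            if int(p.group(3)) in LEGACY_DH_GROUPS:
                legacy.add("group" + p.group(3))
        r = RETRY.search(msg)
        if peer and r:  # keep the highest retry counter seen per (peer, state)
            key = (peer, r.group(2))
            max_retry[key] = max(max_retry.get(key, 0), int(r.group(1)))
        for needle, label in SYMPTOMS.items():
            if peer and needle in msg:
                events[(peer, label)] += 1
    return {"events": dict(events), "max_retry": max_retry, "legacy": legacy}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it over the captures from both firewalls gives a side-by-side view of which peer is initiating, which is retransmitting, and where a phase 1 SA is being dropped.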

