Error validating proxy ID (PIX to Netscreen)
I can't know for sure that this is the case with your configuration because you don't post the policies from the Juniper side, but this is the problem I've seen most often with symptoms similar to yours.
The easiest solution would be to modify the access-list on the ASA to match the policies on the Juniper firewall (with the caveat that it still needs to be "permit ip" instead of specifying L4 protocols, since you're specifying just the proxy ID).
I've generally set up site-to-sites on SonicWalls or Junipers in homogeneous environments.
This is the second juniper-

mikeyb's suggestion to enable logging on the PIX seems to be pointing me in the right direction. I didn't know how to access the logs, so I was just going by the Juniper's log.

Aye, I've seen the same with other devices, but figured since it was documented by both Cisco and Juniper, it wouldn't be too hard.
However, given that UDP and ICMP are stateless, firewalls must create state information by examining packet contents and keeping close tabs on session timers.

I believe I've configured the same on the PIX with:

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer netscreen_public_ip
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

Crypto Map: "mymap" interfaces:
Crypto Map "mymap" 10 ipsec-isakmp
        Peer = netscreen_public_ip
        access-list nonat; 1 elements
        access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
        Current peer: netscreen_public_ip
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): Y
        DH group: group2
        Transform sets=
PIX-FW1#

Aha. That points me to "IPSEC(validate_transform_proposal): proxy identities not supported", which seems to indicate I don't have my access-list policies set up completely right.
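An added example, not from the thread: a small consistency check for the mismatch described above, parsing the PIX crypto ACL and verifying that every entry is a mirror image of a Netscreen proxy ID (PIX source = Netscreen remote, PIX destination = Netscreen local) and uses "permit ip" rather than a Layer-4 protocol. The second and third ACL entries and the Netscreen proxy-ID list are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: the ACL entry from the thread plus two hypothetical
# entries, one with a Layer-4 protocol and one with no Netscreen counterpart.
PIX_ACL = """
access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
access-list nonat line 2 permit tcp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 (hitcnt=0)
access-list nonat line 3 permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
"""

# Constructed Netscreen-side proxy IDs as (local, remote, protocol), where
# protocol 0 means "any", matching "permit ip" on the PIX side.
NETSCREEN_PROXY_IDS = [
    ("192.168.2.0/24", "192.168.1.0/24", 0),
    ("192.168.3.0/24", "192.168.1.0/24", 0),
]

# "permit <proto> <src> <src-mask> <dst> <dst-mask>"; trailing hitcnt is ignored.
ACE_RE = re.compile(r"permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_pix_acl(text):
    """Return [(proto, src_net, dst_net)] for each permit line of a PIX crypto ACL."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        proto, src, smask, dst, dmask = m.groups()
        entries.append((proto,
                        ipaddress.ip_network(f"{src}/{smask}"),
                        ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries


def check_proxy_ids(pix_acl_text, netscreen_ids):
    """List the PIX ACL entries that would fail the Phase 2 proxy-ID match."""
    # Flip each Netscreen ID into PIX orientation: (src, dst, proto).
    mirrored = {(ipaddress.ip_network(remote), ipaddress.ip_network(local), proto)
                for local, remote, proto in netscreen_ids}
    problems = []
    for proto, src, dst in parse_pix_acl(pix_acl_text):
        if proto != "ip":
            problems.append(f"{src} -> {dst}: uses '{proto}', crypto ACL must be 'permit ip'")
        elif (src, dst, 0) not in mirrored:
            problems.append(f"{src} -> {dst}: no mirrored proxy ID on the Netscreen")
    return problems
```

Entry 1 passes; entries 2 and 3 are reported, which is the kind of mismatch behind "proxy identities not supported".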