SRX

SRX 345 running JUNOS 15.1X49-D130.6

New system with two route-based VPNs configured. The static routes disappear when IKE / IPSec are active. When IKE / IPSec are deactivated the static routes disappear.

Here are the route statements:

set routing-options static route 0.0.0.0/0 next-hop 99.99.99.150
set routing-options static route 90.90.90.40/32 next-hop st0.5555

Show routes:

superit@my345srx> show route 90.90.90.40

inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w3d 20:35:39
> to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG

superit@my345srx> edit
Entering configuration mode

[edit]
superit@my345srx# deactivate security ipsec vpn ipsec-vpn-system

[edit]
superit@my345srx# deactivate security ike gateway ike-gw-system

[edit]
superit@my345srx# commit
commit complete

[edit]
superit@my345srx# exit
Exiting configuration mode

superit@my345srx> show route 90.90.90.40

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.90.90.40/32 *[Static/5] 00:02:15
> via st0.5555 < - - - CORRECT WHILE IKE AND IPSEC VPN DEACTIVATED.

superit@my345srx> edit
Entering configuration mode

[edit]
superit@my345srx# activate security ike gateway ike-gw-system

[edit]
superit@my345srx# activate security ipsec vpn ipsec-vpn-system

[edit]
superit@my345srx# commit
commit complete

[edit]
superit@my345srx# exit
Exiting configuration mode

superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN WITHIN A FEW SECONDS of EXITING CONFIG MODE.

inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

90.90.90.40/32 *[Static/5] 00:03:43
> via st0.5555 < - - - CORRECT

superit@my345srx>

superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN ABOUT 20 to 30 SECONDS AFTER LAST COMMNAD. THE ROUTE CHANGED!

inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w3d 20:53:29
> to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG

The route will be active as long as the tunnel interface next hop is up.  Typically this is all the time regardless of the vpn status.  But this can be overridden with RPM test probes to down the st0 interface when the tunnel is down.  I suspect that may be configured on your device.

Look for configuration under:

services > rpm

services > ip-monitoring

I don't see anything configured.

superit@my345srx> show services rpm ?
Possible completions:
active-servers Show configured servers
history-results Show history results
probe-results Show probe results
twamp Show TWAMP information

superit@my345srx> show services rpm active-servers

superit@my345srx> show services rpm history-results

superit@my345srx> show services rpm probe-results

superit@my345srx> show services rpm twamp server

superit@my345srx> show services rpm twamp client

superit@my345srx> show service ip-monitoring status

superit@my345srx> show configuration | display set | match rpm

superit@my345srx> show configuration | display set | match ip-monitoring

superit@my345srx>

Have you maybe configured traffic selectors? If yes then please delete static route as it is added automatically.

Can you share vpn part of the config?

Regards, Wojtek

Yes, I obfuscated some of the data. I included the only two VPNs I have setup.

Routes are using default route (which is incorrect):

superit@my345srx> show route 66.n.n.n

inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w6d 13:46:30
> to 45.z.z.z via ge-0/0/7.0

superit@my345srx> show route 10.y.y.y

inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1w6d 13:47:06
> to 45.z.z.z via ge-0/0/7.0

## Interface assignments:
set interfaces ge-0/0/6 unit 0 family inet address 45.z.z.z-4/30
set interfaces ge-0/0/7 unit 0 family inet address 45.z.z.z-1/30
set interfaces st0 unit 1 family inet
set interfaces st0 unit 5555 family inet

## First VPN:

set security zones security-zone vpn-sec-zone interfaces st0.1

set routing-options static route 66.n.n.n/32 next-hop st0.1
set routing-options static route 66.n.n.n+1/32 next-hop st0.1

## Proposals
set security ike proposal ike-proposal-robot authentication-method pre-shared-keys
set security ike proposal ike-proposal-robot dh-group group2
set security ike proposal ike-proposal-robot authentication-algorithm sha1
set security ike proposal ike-proposal-robot encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-robot lifetime-seconds 86400
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs protocol esp
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs encryption-algorithm 3des-cbc
set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs lifetime-seconds 86400

## Phase I
set security ike policy ike-policy-robot mode main
set security ike policy ike-policy-robot proposals ike-proposal-robot
set security ike policy ike-policy-robot pre-shared-key ascii-text "password-removed"
set security ike gateway ike-gateway-robot ike-policy ike-policy-robot
set security ike gateway ike-gateway-robot address 66.n.c.c
set security ike gateway ike-gateway-robot external-interface ge-0/0/7
set security ike gateway ike-gateway-robot version v1-only

## Phase II
set security ipsec policy ipsec-policy-robot proposals 3des-cbc-hmac-sha1-96-nopfs
set security ipsec vpn ipsec-vpn-robot-cfg bind-interface st0.1
set security ipsec vpn ipsec-vpn-robot-cfg vpn-monitor optimized
set security ipsec vpn ipsec-vpn-robot-cfg ike gateway ike-gateway-robot
set security ipsec vpn ipsec-vpn-robot-cfg ike ipsec-policy ipsec-policy-robot
set security ipsec vpn ipsec-vpn-robot-cfg establish-tunnels immediately

# Address book entries

set security address-book global address xmen-lab 45.e.e.e/32
set security address-book global address robot-0 66.n.n.n/32
set security address-book global address robot-1 66.n.n.n+1/32

## Policy-Inbound
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-0
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-1
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit
## Policy-Outbound
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-0
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-1
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit

## Second VPN

set security zones security-zone vpn-sec-zone interfaces st0.5555
set routing-options static route 10.y.y.y/32 next-hop st0.5555

## Proposals
set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-method pre-shared-keys
set security ike proposal ike-pro-dhg5-sha256-aes256 dh-group group5
set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-algorithm sha-256
set security ike proposal ike-pro-dhg5-sha256-aes256 encryption-algorithm aes-256-cbc
set security ike proposal ike-pro-dhg5-sha256-aes256 lifetime-seconds 86400

set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs protocol esp
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs encryption-algorithm aes-256-cbc
set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs lifetime-seconds 86400

## Phase I
set security ike policy ike-pol-x-robot mode main
set security ike policy ike-pol-x-robot proposals ike-pro-dhg5-sha256-aes256
set security ike policy ike-pol-x-robot pre-shared-key ascii-text "password-removed"
set security ike gateway ike-gw-x-robot ike-policy ike-pol-x-robot
set security ike gateway ike-gw-x-robot address 208.a.a.a
set security ike gateway ike-gw-x-robot external-interface ge-0/0/7

## Phase II
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec policy ipsec-policy-x-robot proposals ipsecpro-sha1-96-aes256-nopfs
set security ipsec vpn ipsec-vpn-x-robot bind-interface st0.5555
set security ipsec vpn ipsec-vpn-x-robot vpn-monitor optimized
set security ipsec vpn ipsec-vpn-x-robot ike gateway ike-gw-x-robot
set security ipsec vpn ipsec-vpn-x-robot ike ipsec-policy ipsec-policy-x-robot
set security ipsec vpn ipsec-vpn-x-robot establish-tunnels immediately

## Address book
set security address-book global address xmen-lab 45.e.e.e/32
set security address-book global address x-robot-system 10.y.y.y/32

## Policy
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address x-robot-system
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit

set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address x-robot-system
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit

I opened ticket with JTAC and they got me going. We removed vpn-monitor then added proxy-id for one VPN and traffic selector for second VPN. My static routes now appear correctly and VPNs are working.

Thanks for all the assistance.

What is the interface status of the tunnel st0.5555 when the route is withdrawn?

And the extensive output of that interface?

Typically I would expect the tunnel interface to be down for some reason for the route not to install.  The key will be finding out why the interface goes down.

Look for log messages about the interface too.

Do you see this happening even when you have traffic flowing via the VPN?

Anand