
IPSEC VPN Troubleshooting

  • 1.  IPSEC VPN Troubleshooting

    Posted 05-03-2017 22:33

    Having trouble with this VPN, config is attached.  IKE appears to be up along with IPSEC:

     

    show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    5592930 UP     4502a0161874bf61  d769db9a07cc0dc9  Main           6.1.1.85
    
    show security ipsec security-associations
    Total active tunnels: 1
    ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
    <131073 ESP:aes-256/sha256 5d58a0a5 129/ unlim - root 500   6.1.1.85
    >131073 ESP:aes-256/sha256 4ae220aa 129/ unlim - root 500   6.1.1.85
    <131073 ESP:aes-256/sha256 c8378713 1557/ unlim - root 500  6.1.1.85
    >131073 ESP:aes-256/sha256 4ae220ad 1557/ unlim - root 500  6.1.1.85

    Cannot ping across the tunnel from the local address 10.24.12.118 to the peer address 10.24.12.117 nor can we access resources on the other side.

     

    Traffic to the peer address appears to be egressing the interface created for the vpn st0.0:

     

    show route 10.24.12.117
    
    inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.24.12.116/30  *[Direct/0] 02:10:51
                        > via st0.0
    
    ISP1.inet.0: 15 destinations, 16 routes (14 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.24.12.116/30  *[Direct/0] 02:10:51
                        > via st0.0
    
    ISP2.inet.0: 13 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.24.12.116/30  *[Direct/0] 02:10:51
                        > via st0.0
    
    SERVER-Traffic.inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both
    
    10.24.12.116/30  *[Direct/0] 02:10:51
                        > via st0.0

    Any help is greatly appreciated.

    Attachment: firewall_config.txt (21K)


  • 2.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 22:53

    Hi,


    Is the other peer an SRX as well?

    Try to open two sessions to the SRX; on one, run a ping to 10.24.12.117, and on the second run 'show security flow session destination-prefix 10.24.12.117' and attach the output. If the other side is also an SRX, run the same command there as well.

    Run 'show route' on the other side.



  • 3.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:20

    Other side is not an SRX.  We do have other SRXs successfully connected and passing traffic to the other firewall.

     

    When they ping .118 from .117 I do not see the traffic show up.

     

    ping source 10.12.12.118 10.24.12.117
    
    monitor traffic interface st0.0 size 1500
    
    13:05:20.272371 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 0, length 64
    13:05:21.283020 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 1, length 64
    13:05:22.293573 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 2, length 64
    13:05:23.304082 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 3, length 64
    

    With the way our routing and access lists are set up, do you see any reason incoming traffic over the VPN would be blocked or sent elsewhere?

     



  • 4.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:27

    Hi,

     

    Which vendor is the remote side? You should be able to see the IPsec statistics somehow on that.

    Please check the route back on the remote device.

    The flow session on the device will also tell us whether the packet is received or not.

     

     

    regards,

    Guru Prasad

     

     



  • 5.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:10

    Hi,

     

    Please share the output of 'show security flow session destination-prefix 10.24.12.117'.

    Also, on the other side, run the same command for the destination IP.

    Share the 'show route' output from the other side as well, and also check the output of the command below on both sides to see if the encryption and decryption counters are incrementing:

    show security ipsec statistics index 131073

    If the other side is also an SRX, check the index number for this tunnel and then run the same command, replacing the index number with the one that you see on the other side.

    This will tell us whether encryption and decryption are incrementing on both sides.

     

     

    regards,

    Guru Prasad



  • 6.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:28

     

    show security ipsec statistics index 131073
    
    ESP Statistics:
      Encrypted bytes:           406024
      Decrypted bytes:                0
      Encrypted packets:           2999
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0
    
    show security flow session destination-prefix 10.24.12.117
    Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
      In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
      Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0
    
    show security flow session session-identifier 8471
    Session ID: 8471, Status: Normal
    Flag: 0x40
    Policy name: self-traffic-policy/1
    Source NAT pool: Null
    Maximum timeout: 60, Current timeout: 30
    Session State: Valid
    Start time: 11422631, Duration: 30
       In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp,
        Interface: .local..0,
        Session token: 0x2, Flag: 0x0x31
        Route: 0x580722, Gateway: 10.24.12.118, Tunnel: 0
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1, Bytes: 84
       Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp,
        Interface: st0.0,
        Session token: 0x9, Flag: 0x0x20
        Route: 0x200010, Gateway: 10.24.12.116, Tunnel: 537001985
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 0, Bytes: 0
    Total sessions: 1

    Only time I see sessions is when I send pings across the tunnel.

     



  • 7.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:33

    Hi,

     

    From the output it is clear that the SRX is continuously encrypting the packets and is not receiving any reply from the remote side.

    Please check the IPsec statistics on the remote side as well; you should see the decryption counter continuously increasing.

    If it's a Cisco device, you can run the command

    show crypto ipsec sa (peer address)

     

     

    regards,

    Guru Prasad

     



  • 8.  RE: IPSEC VPN Troubleshooting

    Posted 05-03-2017 23:44

    Do you see anything in our config that would be causing this?



  • 9.  RE: IPSEC VPN Troubleshooting
    Best Answer

    Posted 05-03-2017 23:55

    Hi,

     

    Configuration looks good to me.

    Please check the remote side as well for any issues.

    Also upgrade the device to at least 12.1X46 code; you are running very old code.

     

     

     

    regards,

    Guru Prasad

     

     



  • 10.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 00:37

    Attached are the kmd logs. Is it normal for phase 1 to keep cycling so often?

    Attachment: kmd-logs.txt (4K)


  • 11.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 09:00

    Is it normal for security flow traceoptions logs to have the "invalid session id 00000" entry?

     

    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Rate limit changed to 0
    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Destination ID set to 2
    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Rate limit changed to 0
    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Destination ID set to 2
    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Rate limit changed to 0
    May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Destination ID set to 2
    May  4 23:07:23 23:07:23.661148:CID-0:RT:SPU invalid session id 00000000
    
    May  4 23:07:26 23:07:26.680953:CID-0:RT:SPU invalid session id 00000000
    
    May  4 23:07:30 23:07:29.984699:CID-0:RT:SPU invalid session id 00000000
    
    May  4 23:07:33 23:07:32.992140:CID-0:RT:SPU invalid session id 00000000

     

    set security flow traceoptions file DebugTraffic
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter MatchTraffic interface st0.0
    

     



  • 12.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 10:06

    Far end is a FortiGate; not seeing packets through the tunnel.

     

    1.1.1.142:0  selectors(total,up): 1/1  rx(pkt,err): 40/40  tx(pkt,err): 5/0
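
    The pattern this thread narrows down to, on the SRX side in post 6 and post 7 (ESP encrypted but never decrypted, reverse flow wing on st0.0 with zero packets) and on the FortiGate side just above (every received packet counted as an error), can be checked mechanically. The Python script below is an added example, not code from the thread, from Juniper or from Fortinet; it embeds constructed sample outputs modelled on the counters quoted above, and the function names and the shape of the result dictionaries are my own assumptions.

```python
import re

# Constructed sample outputs, modelled on the counters quoted in this thread.
SRX_IPSEC_STATS = """\
ESP Statistics:
  Encrypted bytes:           406024
  Decrypted bytes:                0
  Encrypted packets:           2999
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

SRX_FLOW_SESSION = """\
Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0
"""

# One selector line from the FortiGate side, as quoted in the thread (constructed copy).
FORTIGATE_TUNNEL_LINE = (
    "1.1.1.142:0  selectors(total,up): 1/1  rx(pkt,err): 40/40  tx(pkt,err): 5/0"
)

COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s+(\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)\s+-->\s+(\S+);(\w+),\s+If:\s+(\S+),"
    r"\s+Pkts:\s+(\d+),\s+Bytes:\s+(\d+)",
    re.M,
)
FGT_RE = re.compile(r"rx\(pkt,err\):\s*(\d+)/(\d+)\s+tx\(pkt,err\):\s*(\d+)/(\d+)")


def parse_srx_ipsec_stats(text):
    """'show security ipsec statistics index N' output -> {counter name: value}."""
    return {k.strip(): int(v) for k, v in COUNTER_RE.findall(text)}


def parse_srx_flow_session(text):
    """'show security flow session ...' output -> {'In': wing, 'Out': wing}."""
    wings = {}
    for m in WING_RE.finditer(text):
        direction, src, dst, proto, ifname, pkts, nbytes = m.groups()
        wings[direction] = {"src": src, "dst": dst, "proto": proto,
                            "if": ifname, "pkts": int(pkts), "bytes": int(nbytes)}
    return wings


def parse_fortigate_tunnel(line):
    """One FortiGate tunnel selector line -> rx/tx packet and error counts."""
    m = FGT_RE.search(line)
    if not m:
        raise ValueError("no rx/tx counters found in line")
    rx_pkt, rx_err, tx_pkt, tx_err = (int(x) for x in m.groups())
    return {"rx_pkt": rx_pkt, "rx_err": rx_err, "tx_pkt": tx_pkt, "tx_err": tx_err}


def diagnose(ipsec, flow, fortigate=None):
    """Return findings that point at a one-way tunnel; an empty list means healthy."""
    findings = []
    enc = ipsec.get("Encrypted packets", 0)
    dec = ipsec.get("Decrypted packets", 0)
    if enc and not dec:
        findings.append("SRX: %d packets encrypted but none decrypted; "
                        "no ESP is arriving back from the peer" % enc)
    # Non-zero error counters mean ESP does arrive but is rejected (a different failure).
    for key in ("ESP authentication failures", "ESP decryption failures",
                "Replay errors", "Bad headers", "Bad trailers"):
        if ipsec.get(key, 0):
            findings.append("SRX: %s=%d; inbound ESP arrives but is rejected" % (key, ipsec[key]))
    out, inn = flow.get("Out"), flow.get("In")
    if out and inn and inn["pkts"] and out["pkts"] == 0 and out["if"].startswith("st0"):
        findings.append("SRX flow: reverse wing on %s has 0 packets; "
                        "the reply never came through the tunnel" % out["if"])
    if fortigate:
        if fortigate["rx_pkt"] and fortigate["rx_err"] == fortigate["rx_pkt"]:
            findings.append("FortiGate: all %d received packets counted as errors; "
                            "inbound packets are not being accepted on that side"
                            % fortigate["rx_pkt"])
        if fortigate["tx_pkt"] == 0:
            findings.append("FortiGate: nothing transmitted into the tunnel")
    return findings


def run_check():
    """Run the three parsers over the embedded samples and return the findings."""
    ipsec = parse_srx_ipsec_stats(SRX_IPSEC_STATS)
    flow = parse_srx_flow_session(SRX_FLOW_SESSION)
    fgt = parse_fortigate_tunnel(FORTIGATE_TUNNEL_LINE)
    return diagnose(ipsec, flow, fgt)


if __name__ == "__main__":
    for finding in run_check():
        print("-", finding)
```

    On the sample data this reports three findings: the SRX encrypts without decrypting, the st0.0 reverse wing carries nothing, and the FortiGate counts all 40 received packets as errors. Together they locate the break on the receiving side rather than in the SRX configuration, which is where the thread ends up as well.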


  • 13.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 10:31

    Hi,

     

    Not sure, but could you try to add this policy:

     

    set security policies from-zone corp-vpn to-zone corp-vpn policy intra match source-address any
    set security policies from-zone corp-vpn to-zone corp-vpn policy intra match destination-address any
    set security policies from-zone corp-vpn to-zone corp-vpn policy intra match application any
    set security policies from-zone corp-vpn to-zone corp-vpn policy intra then permit

    Also, let's try capturing the traffic with Wireshark if you don't mind sharing the output:

     

    set forwarding-options packet-capture file filename packetcapture

    set firewall family inet filter CAPTURE term 1 from source-address 3.3.3.3/32
    set firewall family inet filter CAPTURE term 1 from destination-address 2.2.2.2/32
    set firewall family inet filter CAPTURE term 1 then sample
    set firewall family inet filter CAPTURE term 2 then accept

    set interfaces st0 unit 0 family inet filter CAPTURE

     

    After replicating the issue, disable it:


    set forwarding-options packet-capture disable

    and share the output please .



  • 14.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 10:44

    No change after adding the security policy.  Will start packet capture momentarily.

     

    Thank you for the assistance.



  • 15.  RE: IPSEC VPN Troubleshooting

    Posted 05-05-2017 00:53

    Hi,

    Unfortunately, packet captures are not supported on the st0 interfaces.

    It will allow you to commit in 12.1X46 code; however, we have seen issues where it does not capture the traffic on st0 interfaces.

     

    Regards,

    Guru Prasad

     



  • 16.  RE: IPSEC VPN Troubleshooting

    Posted 05-05-2017 03:46
    Glad to hear that the problem has been resolved!


  • 17.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 11:11

    This interface does not have inet filter as an option, see below.

    set interfaces st0 unit 0 family inet ?
    Possible completions:
      <[Enter]>            Execute this command
    > address              Interface address/destination prefix
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      mtu                  Protocol family maximum transmission unit
      negotiate-address    Negotiate address with remote
    > next-hop-tunnel      One or more next-hop tunnel tables
      no-neighbor-learn    Disable neighbor address learning on interface
    > sampling             Interface sampling
      |                    Pipe through a command


  • 18.  RE: IPSEC VPN Troubleshooting

    Posted 05-04-2017 17:45

    Upgraded to 12.1X46 and the peer address started pinging.  Thanks for the recommendation.