There is an IPsec tunnel from an SRX240H2 to a Sophos UTM 9.
The tunnel is up most of the time but occasionally goes down, and I wonder if the following could be related to the problem.
Sometimes, when the Sophos appliance sends this (from capture on the SRX):
Frame 10273: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Juniper Ethernet
Ethernet II, Src: Cisco_xx.xx.xx (30:e4:db:xx.xx.xx), Dst: Netscreen_xx.xx.xx (00:10:db:xx.xx.xx)
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 284
Identification: 0xffe2 (65506)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 57
Protocol: UDP (17)
Header checksum: 0x15b1 [validation disabled]
[Header checksum status: Unverified]
Source: 2.2.2.2
Destination: 1.1.1.1
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
Initiator SPI: 91ee52a313c081d6
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 256
Payload: Security Association (1)
Payload: Vendor ID (13) : strongSwan
Payload: Vendor ID (13) : CISCO-UNITY 1.0
Payload: Vendor ID (13) : XAUTH
Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
On which the SRX replies with:
Frame 9556: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
Encapsulation type: Juniper Ethernet (83)
Arrival Time: Aug 16, 2017 17:06:23.437218000 W. Europe Summer Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1502895983.437218000 seconds
[Time delta from previous captured frame: 4.929784000 seconds]
[Time delta from previous displayed frame: 4.929784000 seconds]
[Time since reference or first frame: 7807.792775000 seconds]
Frame Number: 9556
Frame Length: 82 bytes (656 bits)
Capture Length: 82 bytes (656 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: juniper:eth:ethertype:ip:icmp:ip:udp]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Juniper Ethernet
Magic Number: 0x4d4743
Direction: Unknown (0x80)
L2 header presence: Present (0x00)
Extension(s) Total length: 6
[Payload Type: Ethernet (204)]
Ethernet II, Src: Netscreen_xx:xx:xx (00:10:db:xx:xx:xx), Dst: Cisco_xx:xx:xx (30:e4:db:xx:xx:xx)
Destination: Cisco_xx:xx:xx (30:e4:db:xx:xx:xx)
Source: Netscreen_xx:xx:xx (00:10:db:xx:xx:xx)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 56
Identification: 0xfbe5 (64485)
Flags: 0x00
Fragment offset: 0
Time to live: 254
Protocol: ICMP (1)
Header checksum: 0x95a1 [validation disabled]
[Header checksum status: Unverified]
Source: 1.1.1.1
Destination: 2.2.2.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0x8c0c [correct]
[Checksum Status: Good]
Unused: 00000000
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 284
Identification: 0x2592 (9618)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 57
Protocol: UDP (17)
Header checksum: 0xf001 [validation disabled]
[Header checksum status: Unverified]
Source: 2.2.2.2
Destination: 1.1.1.1
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 500, Dst Port: 500
Source Port: 500
Destination Port: 500
Length: 264
Checksum: 0x6c00 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
Does someone have a clue what could cause this?
And how can I solve this?
If you need more information, let me know.
Thanks!
- Jac
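An added example, not part of Jac's post: a small pure-Python check that confirms what frame 9556 shows, an ICMP type 3 / code 3 whose quoted datagram is UDP 500 to 500, so the same test can be run over raw IP packet bytes from a capture. A port unreachable from 1.1.1.1 means the IKE main-mode request reached the SRX's address but was not accepted on UDP/500. The sample packet is constructed to mirror the capture (addresses, IDs, lengths); its checksums are computed here, not the captured ones.

```python
import struct

IKE_PORTS = (500, 4500)  # IKE and IKE NAT-T


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data holding a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_port_unreachable(ip_packet: bytes):
    """Return the IKE flow quoted by an ICMP port-unreachable, or None if the packet is something else."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 1:                       # outer protocol must be ICMP
        return None
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 + 20 + 8:                  # ICMP header + quoted IP header + 8 bytes of UDP
        return None
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3 or icmp_code != 3 or inet_checksum(icmp) != 0:
        return None                              # not "port unreachable", or corrupt
    inner = icmp[8:]                             # quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17:                           # quoted datagram must be UDP
        return None
    sport, dport, udp_len = struct.unpack("!HHH", inner[inner_ihl:inner_ihl + 6])
    if dport not in IKE_PORTS:
        return None
    dotted = lambda b: ".".join(map(str, b))
    return {"reporter": dotted(ip_packet[12:16]), "ike_src": dotted(inner[12:16]),
            "ike_dst": dotted(inner[16:20]), "sport": sport, "dport": dport, "udp_len": udp_len}


def build_sample(dport: int = 500) -> bytes:
    """Constructed packet mirroring the SRX reply in the capture (1.1.1.1 -> 2.2.2.2, quoting 2.2.2.2:500 -> 1.1.1.1:dport)."""
    hdr = "!BBHHHBBH4s4s"
    inner = struct.pack(hdr, 0x45, 0, 284, 0x2592, 0x4000, 57, 17, 0, bytes([2, 2, 2, 2]), bytes([1, 1, 1, 1]))
    inner = inner[:10] + struct.pack("!H", inet_checksum(inner)) + inner[12:]
    udp = struct.pack("!HHHH", 500, dport, 264, 0)          # first 8 bytes of the quoted IKE datagram
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner + udp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer = struct.pack(hdr, 0x45, 0, 20 + len(icmp), 0xFBE5, 0, 254, 1, 0, bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]))
    outer = outer[:10] + struct.pack("!H", inet_checksum(outer)) + outer[12:]
    return outer + icmp
```

Feed it the IP layer of each ICMP frame from a capture; any non-None result names the IKE flow the SRX refused.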