SRX

icmp type 3 code 3 port unreachable when trying to connect to ike (port 500) on SRX

  • 1.  icmp type 3 code 3 port unreachable when trying to connect to ike (port 500) on SRX

    Posted 08-16-2017 23:39

     

    There is an IPSEC tunnel from a SRX240H2 to a Sophos UTM 9.

     

    The tunnel is up most of the time but goes occasionally down. And I wonder if the following could be related to the problem.

     

    Sometimes, when the Sophos appliance sends this (from capture on the SRX):

     

    Frame 10273: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
    Juniper Ethernet
    Ethernet II, Src: Cisco_xx.xx.xx (30:e4:db:xx.xx.xx), Dst: Netscreen_xx.xx.xx (00:10:db:xx.xx.xx)
    Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 284
        Identification: 0xffe2 (65506)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 57
        Protocol: UDP (17)
        Header checksum: 0x15b1 [validation disabled]
        [Header checksum status: Unverified]
        Source: 2.2.2.2
        Destination: 1.1.1.1
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    User Datagram Protocol, Src Port: 500, Dst Port: 500
    Internet Security Association and Key Management Protocol
        Initiator SPI: 91ee52a313c081d6
        Responder SPI: 0000000000000000
        Next payload: Security Association (1)
        Version: 1.0
        Exchange type: Identity Protection (Main Mode) (2)
        Flags: 0x00
            .... ...0 = Encryption: Not encrypted
            .... ..0. = Commit: No commit
            .... .0.. = Authentication: No authentication
        Message ID: 0x00000000
        Length: 256
        Payload: Security Association (1)
        Payload: Vendor ID (13) : strongSwan
        Payload: Vendor ID (13) : CISCO-UNITY 1.0
        Payload: Vendor ID (13) : XAUTH
        Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
        Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
        Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
        Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
        Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
        Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00


    On which the SRX replies with:

     

    Frame 9556: 82 bytes on wire (656 bits), 82 bytes captured (656 bits)
        Encapsulation type: Juniper Ethernet (83)
        Arrival Time: Aug 16, 2017 17:06:23.437218000 W. Europe Summer Time
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1502895983.437218000 seconds
        [Time delta from previous captured frame: 4.929784000 seconds]
        [Time delta from previous displayed frame: 4.929784000 seconds]
        [Time since reference or first frame: 7807.792775000 seconds]
        Frame Number: 9556
        Frame Length: 82 bytes (656 bits)
        Capture Length: 82 bytes (656 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: juniper:eth:ethertype:ip:icmp:ip:udp]
        [Coloring Rule Name: ICMP errors]
        [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
    Juniper Ethernet
        Magic Number: 0x4d4743
        Direction: Unknown (0x80)
        L2 header presence: Present (0x00)
        Extension(s) Total length: 6
        [Payload Type: Ethernet (204)]
    Ethernet II, Src: Netscreen_xx:xx:xx (00:10:db:xx:xx:xx), Dst: Cisco_xx:xx:xx (30:e4:db:xx:xx:xx)
        Destination: Cisco_xx:xx:xx (30:e4:db:xx:xx:xx)
        Source: Netscreen_xx:xx:xx (00:10:db:xx:xx:xx)
        Type: IPv4 (0x0800)
    Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        Total Length: 56
        Identification: 0xfbe5 (64485)
        Flags: 0x00
        Fragment offset: 0
        Time to live: 254
        Protocol: ICMP (1)
        Header checksum: 0x95a1 [validation disabled]
        [Header checksum status: Unverified]
        Source: 1.1.1.1
        Destination: 2.2.2.2
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Internet Control Message Protocol
        Type: 3 (Destination unreachable)
        Code: 3 (Port unreachable)
        Checksum: 0x8c0c [correct]
        [Checksum Status: Good]
        Unused: 00000000
        Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
            0100 .... = Version: 4
            .... 0101 = Header Length: 20 bytes (5)
            Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            Total Length: 284
            Identification: 0x2592 (9618)
            Flags: 0x02 (Don't Fragment)
            Fragment offset: 0
            Time to live: 57
            Protocol: UDP (17)
            Header checksum: 0xf001 [validation disabled]
            [Header checksum status: Unverified]
            Source: 2.2.2.2
            Destination: 1.1.1.1
            [Source GeoIP: Unknown]
            [Destination GeoIP: Unknown]
        User Datagram Protocol, Src Port: 500, Dst Port: 500
            Source Port: 500
            Destination Port: 500
            Length: 264
            Checksum: 0x6c00 [unverified]
            [Checksum Status: Unverified]
            [Stream index: 0]


     

     

    Does someone have a clue what could cause this?

    And how I can solve this?

    If you need more information, let me know.

     

    Thanks!

     

    - Jac
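An added example (not code from the thread, from Jac, or from Juniper) showing how the ICMP reply in the capture above is tied back to the IKE datagram it rejects: an ICMP type 3 code 3 carries the rejected packet's IP header plus the first 8 bytes of its payload (the UDP header), which is enough to match it against the outgoing UDP/500 datagram by source, destination, IP identification and ports, and from there report the ISAKMP initiator SPI and exchange type that got bounced. The two packets are constructed to mirror the sizes and field values in the post (284-byte ISAKMP main-mode datagram, 56-byte ICMP error); the ISAKMP payload bodies are filler, and all addresses and identifiers come from the capture as posted.

```python
"""Tie an ICMP type 3 code 3 (port unreachable) back to the UDP/500 datagram it rejects.

Added example, not code from the thread or from Juniper. The two packets are
constructed to mirror the capture in the post: an ISAKMP main-mode datagram
from 2.2.2.2 to 1.1.1.1 on UDP 500, and the SRX's ICMP error quoting it.
"""
import socket
import struct

IKE_PORT = 500
PROTO_ICMP = 1
PROTO_UDP = 17
ISAKMP_HDR_LEN = 28   # ISPI(8) RSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for both the IPv4 and the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, ttl=64, df=False) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes, verify: bool = True) -> dict:
    """Decode the fields needed for correlation; the payload may be truncated
    (an ICMP error quotes only the first 8 bytes after the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if verify and inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, ident, _, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ident": ident, "ttl": ttl, "proto": proto, "payload": pkt[ihl:total_len]}


def correlate_port_unreachable(packets) -> list:
    """Remember UDP/500 datagrams by (src, dst, IP ID, ports); on an ICMP type 3
    error, decode the quoted header and report which IKE message was rejected."""
    seen, events = {}, []
    for raw in packets:
        ip = parse_ipv4(raw)
        if ip["proto"] == PROTO_UDP and len(ip["payload"]) >= 8:
            sport, dport = struct.unpack("!HH", ip["payload"][:4])
            if dport != IKE_PORT:
                continue
            isakmp = ip["payload"][8:]
            seen[(ip["src"], ip["dst"], ip["ident"], sport, dport)] = {
                "initiator_spi": isakmp[:8].hex(),
                "exchange_type": isakmp[18] if len(isakmp) >= ISAKMP_HDR_LEN else None}
        elif ip["proto"] == PROTO_ICMP:
            icmp = ip["payload"]
            if icmp[0] != 3:                   # only Destination Unreachable is of interest
                continue
            # RFC 792: 4 unused bytes, then the rejected IP header + first 8 payload bytes
            inner = parse_ipv4(icmp[8:], verify=False)
            sport, dport = struct.unpack("!HH", inner["payload"][:4])
            orig = seen.get((inner["src"], inner["dst"], inner["ident"], sport, dport))
            events.append({"reporter": ip["src"], "code": icmp[1],
                           "rejected_src": inner["src"], "rejected_dst_port": dport,
                           "matched": orig is not None,
                           "initiator_spi": orig["initiator_spi"] if orig else None,
                           "exchange_type": orig["exchange_type"] if orig else None})
    return events


def build_scenario() -> list:
    """Constructed packets mirroring the thread's capture (284 and 56 bytes on the wire)."""
    isakmp = (bytes.fromhex("91ee52a313c081d6") + bytes(8)   # initiator / responder SPI
              + bytes([1, 0x10, 2, 0])                       # next=SA, v1.0, Main Mode, flags
              + struct.pack("!II", 0, 256))                  # message ID, length
    isakmp += bytes(256 - len(isakmp))   # filler standing in for the SA and Vendor ID payloads
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(isakmp), 0) + isakmp
    ike_pkt = build_ipv4("2.2.2.2", "1.1.1.1", PROTO_UDP, udp, ident=0xFFE2, ttl=57, df=True)
    # ICMP type 3 code 3 quoting the rejected IP header (20 bytes) + UDP header (8 bytes)
    icmp = struct.pack("!BBH", 3, 3, 0) + bytes(4) + ike_pkt[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    icmp_pkt = build_ipv4("1.1.1.1", "2.2.2.2", PROTO_ICMP, icmp, ident=0xFBE5, ttl=254)
    return [ike_pkt, icmp_pkt]


if __name__ == "__main__":
    for ev in correlate_port_unreachable(build_scenario()):
        print(ev)
```

Because the SRX quotes only the first 8 bytes after the IP header, the ISAKMP SPI is not present in the error itself; the match has to go through the quoted IP identification and ports, which is why the correlation keeps a table of recently sent UDP/500 datagrams. Run over a real capture, the same logic gives a per-peer count of rejected IKE messages that can be lined up against the tunnel-down events.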

     

                   



  • 2.  RE: icmp type 3 code 3 port unreachable when trying to connect to ike (port 500) on SRX

     
    Posted 08-16-2017 23:48
    Do you have "ike" enabled under " host-inbound-traffic system-services" ?


  • 3.  RE: icmp type 3 code 3 port unreachable when trying to connect to ike (port 500) on SRX

    Posted 08-18-2017 00:08

    Yes, all system services are allowed to the zone.

    And the reply is one of a series of replies like this to a sequence of packages like the one above from this tunnel connection. But the tunnel goes only down occasionally. And this does not happen with other tunnels on the same device, they keep working.
    The device is an SRX 240H2 in a cluster with the most recent firmware (Version 12.3X48-D50.6 (2017-05)).
     
    - Jac



  • 4.  RE: icmp type 3 code 3 port unreachable when trying to connect to ike (port 500) on SRX

    Posted 02-13-2018 14:22

    I am having a similar issue. Did you find the solution for this problem yet?