SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Access to remote VPN site over Dyn VPN

    Posted 02-04-2019 23:12

    Hi All,

    I configured Dyn VPN and I can connect to my local resources but cannot access the resources on remote VPN site.


    I have two VPN sites: site A (172.16.4.0/24) and site B (10.36.4.0/24), both connected using route-based policy. Clients (which get IPs from the 192.168.239.0/24 pool) can connect to site A using Dyn VPN; however, they cannot access VPN site B. I added both sites as protected resources for both site A and site B in the dynamic VPN configuration. I have only two security zones on my Juniper box (internal and Internet).

    In the flow logs I can see these, but it looks like I need to create a policy from Internet to Internet???


    Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Doing DESTINATION addr route-lookup
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: routed (x_dst_ip 10.36.4.40) from Internet (ge-0/0/0.0 in 0) to st0.7, Next-hop: 10.36.4.40
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_first_policy_search: policy search from zone Internet-> zone Internet (0x0,0xd3240016,0x16)
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Policy lkup: vsys 0 zone(7:Internet) -> zone(7:Internet) scope:0
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: 192.168.239.3/54052 -> 10.36.4.40/22 proto 6
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: 192.168.239.3/54052 -> 10.36.4.40/22 proto 6
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: packet dropped, denied by policy
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: packet dropped, policy deny.
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: flow find session returns error.
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x50a4ee38 associated with mbuf 0x43568480
    Feb 5 03:46:35 03:46:35.403799:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
    Feb 5 03:46:37 03:46:37.204307:CID-0:RT:jsf sess close notify
    Feb 5 03:46:37 03:46:37.204307:CID-0:RT:flow_ipv4_del_flow: sess 388946, in hash 32


    I would like to know what I am missing?

    Thanks


    Attachment(s): DynVPN.docx (12 KB)


  • 2.  RE: Access to remote VPN site over Dyn VPN

    Posted 02-04-2019 23:20

    Hi, vodexguy


    Can you share a "show interfaces terse" command?




  • 3.  RE: Access to remote VPN site over Dyn VPN
    Best Answer

    Posted 02-04-2019 23:25

    The external interface (ge-0/0/0) and the st0.x interfaces are part of the same zone, "Internet". Since the traffic is coming in from ge-0/0/0 and going out via st0.7 (same zone), you have to create an intra-zone policy (Internet to Internet) to allow the traffic.



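As an added example that is not from the thread, this is the kind of intra-zone policy the answer above describes, written in Junos configuration format. It assumes the address names dynvpn-clients and siteB-lan, the policy name dynvpn-to-siteB, and the global address book (on a box that already uses zone-attached address books, define the addresses under security zones security-zone Internet address-book instead).

```junos
security {
    address-book {
        global {
            /* Dynamic VPN client pool and the site B LAN from the question */
            address dynvpn-clients 192.168.239.0/24;
            address siteB-lan 10.36.4.0/24;
        }
    }
    policies {
        /* ge-0/0/0 and st0.7 are both in zone Internet, so the flow trace
           shows a zone Internet -> zone Internet lookup that falls through
           to default-policy-00 (deny). Intra-zone traffic needs an explicit
           permit; match only the client pool and site B, not any/any. */
        from-zone Internet to-zone Internet {
            policy dynvpn-to-siteB {
                match {
                    source-address dynvpn-clients;
                    destination-address siteB-lan;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

Matching only the client pool and the site B prefix keeps this policy from permitting arbitrary traffic between ge-0/0/0 and every st0 unit in the Internet zone. After committing, "show security policies from-zone Internet to-zone Internet" should list dynvpn-to-siteB ahead of the default deny.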

  • 4.  RE: Access to remote VPN site over Dyn VPN

    Posted 02-05-2019 10:25

    Thanks for replying. Oh yes, it seemed odd to me to add an Internet to Internet policy, so I learned that it is possible. I will try to create one.

    By the way, here's the output of the interfaces:


    Interface Admin Link Proto Local Remote
    ge-0/0/0 up up
    ge-0/0/0.0 up up inet 50.208.33.177/29
    gr-0/0/0 up up
    ip-0/0/0 up up
    lsq-0/0/0 up up
    lt-0/0/0 up up
    mt-0/0/0 up up
    sp-0/0/0 up up
    sp-0/0/0.0 up up inet
    sp-0/0/0.16383 up up inet 10.0.0.1 --> 10.0.0.16
    10.0.0.6 --> 0/0
    128.0.0.1 --> 128.0.1.16
    128.0.0.6 --> 0/0
    ge-0/0/1 up up
    ge-0/0/1.0 up up inet 172.16.4.1/24
    ge-0/0/2 up down
    ge-0/0/3 up down
    ge-0/0/4 up down
    ge-0/0/4.0 up down inet
    ge-0/0/5 up down
    ge-0/0/6 up down
    ge-0/0/7 up down
    ge-0/0/8 up down
    ge-0/0/9 up down
    ge-0/0/10 up down
    ge-0/0/11 up down
    ge-0/0/12 up down
    ge-0/0/13 up down
    ge-0/0/14 up down
    ge-0/0/15 up down
    fxp2 up up
    fxp2.0 up up tnp 0x1
    gre up up
    ipip up up
    irb up up
    lo0 up up
    lo0.16384 up up inet 127.0.0.1 --> 0/0
    lo0.16385 up up inet 10.0.0.1 --> 0/0
    10.0.0.16 --> 0/0
    128.0.0.1 --> 0/0
    128.0.0.4 --> 0/0
    128.0.1.16 --> 0/0
    lo0.32768 up up
    lsi up up
    mtun up up
    pimd up up
    pime up up
    pp0 up up
    ppd0 up up
    ppe0 up up
    st0 up up
    st0.0 up up inet
    st0.1 up up inet
    inet6 fe80::e86:100f:fcdb:e640/64
    st0.2 up up inet
    st0.3 up down inet
    st0.4 up up inet
    st0.5 up up inet
    inet6 fe80::e86:100f:fcdb:e640/64
    st0.6 up up inet
    st0.7 up up inet
    st0.8 up up inet
    tap up up
    vlan up up