SRX

Expand all | Collapse all

VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

  • 1.  VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

    Posted 06-05-2019 09:07

     


    We have a IPsec site-to-site VPN from a SRX300 to SRX340. The VPN connection is working but after x hours (24 to 48 , a week sometimes) the VPN got dropped and the only way to get it back up is restarting that SRX300.

     

    I have checked the logs the SRX300 device and I found the following error logs in the kmd-logs:
     

    Jun  5 07:16:21  SRX300-Remote_SITE kmd[10477]: KMD_PM_SA_ESTABLISHED: Local gateway: LOCAL_IP, Remote gateway: REMOTE_IP, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x81744d2f, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
    Jun  5 07:16:21  SRX300-Remote_SITE kmd[10477]: KMD_VPN_UP_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is up. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
    Jun  5 07:16:21  SRX300-Remote_SITE kmd[10477]: IKE negotiation successfully completed. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Role: Initiator
    Jun  5 07:18:19  SRX300-Remote_SITE kmd[10477]: KMD_VPN_DOWN_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is down. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared
    Jun  5 07:18:29  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:18:29  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()
    Jun  5 07:18:39  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()
    Jun  5 07:18:39  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:18:49  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()
    Jun  5 07:18:49  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:18:59  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()
    Jun  5 07:18:59  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:19:02  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:19:02  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()
    Jun  5 07:19:09  SRX300-Remote_SITE kmd[10477]: IPSec negotiation failed with error: TS unacceptable. IKE Version: 2, VPN: VPN_POLICY Gateway: GW_at_HQ, Local: LOCAL_IP/4500, Remote: REMOTE_IP/4500, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID
    Jun  5 07:19:09  SRX300-Remote_SITE kmd[10477]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: VPN_POLICY, Peer Proposed traffic-selector local-ip: none(),  Peer Proposed traffic-selector remote-ip: none()

     

    My SRX300 config is:

    ike:
    proposal IKE_PROPOSAL_RSA {
        authentication-method rsa-signatures;
        dh-group group20;
        encryption-algorithm aes-256-gcm;
    }
    policy IKE_POLICY_RSA {
        mode main;
        proposals IKE_PROPOSAL_RSA;
        certificate {
            local-certificate Cert_Remote_SITE;
            peer-certificate-type x509-signature;
        }
    }
    gateway GW_at_HQ {
        ike-policy IKE_POLICY_RSA;
        address REMOTE_IP;
        local-identity distinguished-name;
        remote-identity distinguished-name;
        external-interface ge-0/0/0.0;
        version v2-only;
    }

    ipsec:
    policy IPSEC_POLICY {
        perfect-forward-secrecy {
            keys group20;
        }
        proposal-set suiteb-gcm-256;
    }
    vpn VPN_POLICY {
        bind-interface st0.0;
        vpn-monitor {
            optimized;
            destination-ip 192.168.254.250;
        }
        ike {
            gateway GW_at_HQ;
            ipsec-policy IPSEC_POLICY;
        }
        establish-tunnels immediately;
    }

     

    My SRX340 config is:
    set security ike gateway GW_SRX300 ike-policy IKE_POLICY_RSA
    set security ike gateway GW_SRX300 address Remote_Site_Public_IP
    set security ike gateway GW_SRX300 local-identity distinguished-name
    set security ike gateway GW_SRX300 remote-identity distinguished-name wildcard OU=SRX_VPN
    set security ike gateway GW_SRX300 external-interface reth0.0
    set security ike gateway GW_SRX300 version v2-only
    set security ipsec vpn VPN_SRX300 bind-interface st0.0
    set security ipsec vpn VPN_SRX300 vpn-monitor optimized
    set security ipsec vpn VPN_SRX300 vpn-monitor destination-ip 192.168.254.27
    set security ipsec vpn VPN_SRX300 ike gateway GW_SRX300
    set security ipsec vpn VPN_SRX300 ike ipsec-policy IPSEC_POLICY
    set security ipsec vpn VPN_SRX300 establish-tunnels immediately

     



  • 2.  RE: VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

    Posted 06-05-2019 16:56

    I would say start looking from this error propective. The VPN tunnel going down due to VPN monitoring.

     

    Jun  5 07:18:19  SRX300-Remote_SITE kmd[10477]: KMD_VPN_DOWN_ALARM_USER: VPN VPN_POLICY from REMOTE_IP is down. Local-ip: LOCAL_IP, gateway name: GW_at_HQ, vpn name: VPN_POLICY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 192.168.254.250, Local IKE-ID: Local_IKE-ID, Remote IKE-ID: Remote_IKE-ID, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: VPN monitoring detected tunnel as down. Existing IPSec SAs cleared

     

    As per your configuration the VPN monitor option is configure as optimized. 

     

    The VPN monitoring optimized option sends pings only when there is outgoing traffic and no incoming traffic through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the security device considers the tunnel to be active and does not send pings to the peer. Configuring the optimized option can save resources on the security device because pings are only sent when peer liveliness needs to be determined. Sending pings can also activate costly backup links that would otherwise not be used.

     

    Try removing Optimized option or removing VPN monitoring altogather. 



  • 3.  RE: VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

     
    Posted 06-05-2019 19:58

    Hi,

     

    Shortly after the VPN monitoring failure it complains about a TS unacceptable. I am sure these are symptoms related to a common problem.

     

    > Could you share the ipsec config from the SRX340 side as well?

    > Since you are montoring just the tunnel endpoints, VPN monitor does not provide a lot of benefit

    > I would either try what was mentioned in the earlier post or remove VPN-monitoring completely to check if the problem is because of VPN monitor

    > I am assuming reboot of the SRX300 is switching the Initiator responder role which may be bringing the VPN up

    > Have you tried clearing the SAs on the SRX300 side to see if it fixes the issue - clear security ike sa

     

    Regards,

     

    Vikas

     

    Regards,

     

    Vikas



  • 4.  RE: VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

    Posted 06-22-2019 13:30

    Hello,

     

    You are using IKEv2 only, as per tech docs this is not supported with VPN monitoring

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-vpns-for-ikev2.html

     

    IKEv2 does not support the following features:

    • Policy-based VPN.

    • Dialup tunnels.

    • VPN monitoring.

    • Multiple child SAs for the same traffic selectors for each QoS value.

    • IP Payload Compression Protocol (IPComp).

    Thats the reason, you need to remove vpn-monitoring or change it to IKEv1(if possible).

     

     

    Thanks

    Mahesh



  • 5.  RE: VPN Issue: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch

    Posted 06-22-2019 13:39

    You can use dead peer detection, if monitoring the tunnel is necessary.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21652&cat=IPSEC&actp=LIST

     

     

    Thanks

    Mahesh