i had a site to site vpn connection between 2 sites until yesterday. Suddenly today i stopped working. In fw logs there seem to be no error. On the peer side, the only error is :
"srx240-02a kmd: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=188.8.131.52]"
However, i could not find a solution related to that error message. While everything was working, today even the IKE phase seems to be down ?
I feel desperate, anybody had this issue or any ideas appreciated
What is the peer device ? Do you see any SA ( phase 1/2) on any of the device, try clearing if any ?
What is the VPN config on both the devices ? And output of the IKE trceoptions ? should help.
The remote( 184.108.40.206) and the local device ( 220.127.116.11) are both srx240 .. I tried to clear but did not work.. I am also adding the config and trace output.
One question, how can I be sure that my static IP( 18.104.22.168 which is assigned to external interface) still functional ?
Can you share below outputs from SRX.
From Local:show interfaces terse ge-0/0/0.0show route 22.214.171.124From remote:show interfaces terse reth0.1298show route 126.96.36.199Questions:1. Any particular reason for specifying the local/remote identities separately with Main mode? If no can you remove that from both sides?2. There is no st0 configured on the remote side, can you add that ?
@spuluka , yes the only error i could capture is from kmd-logs
@vikassingh , thanks but that did not work either
@rsuraj, here are the input , what is suprising to me is I can not ping the local interface from remote site, however i can ping the remote site from local. There s not a specific reason for that.. The remote site was already configured before someone else and the local site is configured by me a few months ago... I will try that and let you know if works
>>show interfaces terse ge-0/0/0.0
Interface Admin Link Proto Local Remote
ge-0/0/0.0 up up inet 188.8.131.52/29
>>show route 184.108.40.206
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 18:25:44
> to 220.127.116.11 via ge-0/0/0.0
>> show interfaces terse reth0.1298
reth0.1298 up up inet 18.104.22.168/26
>> show route 22.214.171.124
inet.0: 88 destinations, 129 routes (88 active, 0 holddown, 0 hidden)
0.0.0.0/0 *[Static/5] 1w4d 16:11:29
> to 126.96.36.199 via reth0.1298
The config looks good with reference to the routes/interfaces you have shared. I belive adding the st0 on remote side and removing the local-id/remote-id confg should fix the issue.
@Suraj, thanks that worked fine but i didnt understand why ? it was already working with this current config for a few months
Thank you very much, i really appreciate it
AFAIK, route based VPN cannot work without st0 binding. I belive some one would have made these changes recently.
You can walk through these steps to check the phase 1 and phase 2 connections on the vpn. Post output from the steps where you have trouble interpreting what to do as the next phase.
thanks for the replies
I am stuck at the 4th step, because it says to analyze the IKE phase 1 messages but the only message i can find is the above one which I can not anything related with it .
Were you able to create the special log file to capture the ike messages specifically as outlined here.
This saves the related log messages to the kmd-logs file for review.