SRX

Site to Site VPN Error
  • 1.  Site to Site VPN Error

    Posted 12-20-2018 21:19

    Hi,

    I had a site-to-site VPN connection between 2 sites until yesterday. Suddenly today it stopped working. In the FW logs there seems to be no error. On the peer side, the only error is:

    "srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=50.208.33.177]"

    However, I could not find a solution related to that error message. While everything was working, today even the IKE phase seems to be down?

    I feel desperate; anybody who had this issue, or any ideas, appreciated.

    Thanks


    #cookie
    #ike
    #invalid
    #vpn


  • 2.  RE: Site to Site VPN Error

    Posted 12-21-2018 00:36

    Hi,

    What is the peer device? Do you see any SA (phase 1/2) on any of the devices? Try clearing if any.

    What is the VPN config on both the devices? And the output of the IKE traceoptions should help.

    Thanks,

    Vikas



  • 3.  RE: Site to Site VPN Error

    Posted 12-21-2018 12:53

    The remote (64.13.163.35) and the local device (50.208.33.177) are both SRX240. I tried to clear but it did not work. I am also adding the config and trace output.

    One question, how can I be sure that my static IP (50.208.33.177, which is assigned to the external interface) is still functional?

    Thanks

    Attachment(s): IKETrace.docx (22 KB)


  • 4.  RE: Site to Site VPN Error

    Posted 12-21-2018 18:29
    Hi,

    In hq config, please try configuring remote-identity.

    gateway hq
    ike-policy hq;
    address
    local-identity hostname srx240-02.prod.comp.com;

    Thanks,
    Vikas


  • 5.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 21:02

    Can you share below outputs from SRX.

     

    From Local:
    show interfaces terse ge-0/0/0.0
    show route 64.13.163.35

    From remote:
    show interfaces terse reth0.1298
    show route 50.208.33.177

    Questions:
    1. Any particular reason for specifying the local/remote identities separately with Main mode? If not, can you remove that from both sides?
    2. There is no st0 configured on the remote side, can you add that?



  • 6.  RE: Site to Site VPN Error

    Posted 12-22-2018 11:14

    @  , yes the only error I could capture is from kmd-logs

    @

    >>show interfaces terse ge-0/0/0.0

    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0.0              up    up   inet     50.208.33.177/29

    >>show route 64.13.163.35

    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 18:25:44
                        > to 50.208.33.182 via ge-0/0/0.0

    REMOTE:

    >> show interfaces terse reth0.1298

    Interface               Admin Link Proto    Local                 Remote
    reth0.1298              up    up   inet     64.13.163.35/26
                                                64.13.163.36/26
                                                64.13.163.37/26
                                                64.13.163.38/26
                                                64.13.163.39/26
                                                64.13.163.40/26
                                                64.13.163.41/26
                                                64.13.163.42/26
                                                64.13.163.43/26
                                                64.13.163.44/26

    >> show route 50.208.33.177

    inet.0: 88 destinations, 129 routes (88 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1w4d 16:11:29
                        > to 64.13.163.1 via reth0.1298



  • 7.  RE: Site to Site VPN Error
    Best Answer

     
    Posted 12-22-2018 20:06

    The config looks good with reference to the routes/interfaces you have shared. I belive adding the st0 on remote side and removing the local-id/remote-id confg should fix the issue.

     



  • 8.  RE: Site to Site VPN Error

    Posted 12-26-2018 13:13

    @Suraj, thanks, that worked fine but I didn't understand why? It was already working with this current config for a few months.

    Thank you very much, I really appreciate it.



  • 9.  RE: Site to Site VPN Error

     
    Posted 12-31-2018 20:35

    AFAIK, route based VPN cannot work without st0 binding. I belive some one would have made these changes recently.
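As an added example (not the thread's own config or the attached trace), this is what the remote SRX240's route-based VPN looks like with the accepted fix applied: an st0 unit bound to the VPN, and an IKE gateway identified by peer address only, with no local-identity/remote-identity. The addresses, the reth0.1298 interface and the gateway/policy name hq come from the posts above; the ipsec-policy name, st0 unit number, zone name and LAN subnet are assumed placeholders.

```junos
## Added example, not taken from the thread. Remote SRX240: WAN reth0.1298 = 64.13.163.35,
## peer (local site) = 50.208.33.177. Names marked "assumed" are placeholders.

## 1. Tunnel interface: a route-based VPN has nothing to forward into without an st0 unit.
set interfaces st0 unit 0 description "assumed: tunnel to 50.208.33.177"
set interfaces st0 unit 0 family inet

## 2. Phase 1 gateway, peer identified by its address. No local-identity / remote-identity:
##    with static peer addresses the default IKE ID is the interface IP, so none is needed.
set security ike gateway hq ike-policy hq
set security ike gateway hq address 50.208.33.177
set security ike gateway hq external-interface reth0.1298

## 3. Phase 2 VPN bound to st0.0 (the binding that was missing on the remote side).
set security ipsec vpn hq bind-interface st0.0
set security ipsec vpn hq ike gateway hq
set security ipsec vpn hq ike ipsec-policy hq-ipsec
set security ipsec vpn hq establish-tunnels immediately

## 4. Put st0.0 in a zone so a security policy can permit the tunnelled traffic (zone name assumed).
set security zones security-zone vpn interfaces st0.0

## 5. Route the far-end LAN into the tunnel (subnet is a constructed placeholder).
set routing-options static route 10.0.1.0/24 next-hop st0.0
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` on either SRX should list the phase 1 and phase 2 SAs for the peer; an empty IKE table with the kmd line quoted in post 1 means phase 1 is still failing, so check the traceoptions from KB10097 before touching phase 2.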



  • 10.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 03:17

    You can walk through these steps to check the phase 1 and phase 2 connections on the vpn.  Post output from the steps where you have trouble interpreting what to do as the next phase.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

     



  • 11.  RE: Site to Site VPN Error

    Posted 12-21-2018 12:48

    Hi,

    thanks for the replies.

    I am stuck at the 4th step, because it says to analyze the IKE phase 1 messages, but the only message I can find is the above one, and I cannot find anything related to it.



  • 12.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 16:49

    Were you able to create the special log file to capture the ike messages specifically as outlined here.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10097

     

    This saves the related log messages to the kmd-logs file for review.