SRX


Site to Site VPN Error

  • 1.  Site to Site VPN Error

    Posted 12-20-2018 21:19

    Hi,

    I had a site-to-site VPN connection between 2 sites until yesterday. Suddenly today it stopped working. In the FW logs there seems to be no error. On the peer side, the only error is:

    "srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=50.208.33.177]"

    However, I could not find a solution related to that error message. While everything was working, today even the IKE phase seems to be down?

    I feel desperate; has anybody had this issue? Any ideas appreciated.

    Thanks


    #cookie
    #ike
    #invalid
    #vpn


  • 2.  RE: Site to Site VPN Error

    Posted 12-21-2018 00:36

    Hi,

     

    What is the peer device? Do you see any SA (phase 1/2) on either device? Try clearing them if there are any.

    What is the VPN config on both devices? And the output of the IKE traceoptions? That should help.

     

    Thanks,

    Vikas



  • 3.  RE: Site to Site VPN Error

    Posted 12-21-2018 12:53

    The remote (64.13.163.35) and the local device (50.208.33.177) are both SRX240. I tried to clear, but it did not work. I am also adding the config and trace output.

    One question: how can I be sure that my static IP (50.208.33.177, which is assigned to the external interface) is still functional?

    Thanks

    Attachment(s): IKETrace.docx (22K)


  • 4.  RE: Site to Site VPN Error

    Posted 12-21-2018 18:29
    Hi,

    In hq config, please try configuring remote-identity.

    gateway hq
    ike-policy hq;
    address
    local-identity hostname srx240-02.prod.comp.com;

    Thanks,
    Vikas


  • 5.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 21:02

    Can you share the below outputs from the SRX?

    From Local:
    show interfaces terse ge-0/0/0.0
    show route 64.13.163.35

    From remote:
    show interfaces terse reth0.1298
    show route 50.208.33.177

    Questions:
    1. Any particular reason for specifying the local/remote identities separately with Main mode? If not, can you remove that from both sides?
    2. There is no st0 configured on the remote side; can you add that?



  • 6.  RE: Site to Site VPN Error

    Posted 12-22-2018 11:14

    @ , yes, the only error I could capture is from kmd-logs

    @

    >> show interfaces terse ge-0/0/0.0
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/0.0              up    up   inet     50.208.33.177/29

    >> show route 64.13.163.35
    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 18:25:44
                        > to 50.208.33.182 via ge-0/0/0.0

    REMOTE:

    >> show interfaces terse reth0.1298
    Interface               Admin Link Proto    Local                 Remote
    reth0.1298              up    up   inet     64.13.163.35/26
                                                64.13.163.36/26
                                                64.13.163.37/26
                                                64.13.163.38/26
                                                64.13.163.39/26
                                                64.13.163.40/26
                                                64.13.163.41/26
                                                64.13.163.42/26
                                                64.13.163.43/26
                                                64.13.163.44/26

    >> show route 50.208.33.177
    inet.0: 88 destinations, 129 routes (88 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1w4d 16:11:29
                        > to 64.13.163.1 via reth0.1298



  • 7.  RE: Site to Site VPN Error
    Best Answer

     
    Posted 12-22-2018 20:06

    The config looks good with reference to the routes/interfaces you have shared. I believe adding the st0 on the remote side and removing the local-id/remote-id config should fix the issue.

     



  • 8.  RE: Site to Site VPN Error

    Posted 12-26-2018 13:13

    @Suraj, thanks, that worked fine, but I didn't understand why? It was already working with this current config for a few months.

    Thank you very much, I really appreciate it.



  • 9.  RE: Site to Site VPN Error

     
    Posted 12-31-2018 20:35

    AFAIK, a route-based VPN cannot work without st0 binding. I believe someone would have made these changes recently.
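
    The two problems the best answer and this reply point at (a VPN with no st0 bind-interface, and a Main-mode gateway carrying explicit local/remote identities) can be caught with a quick pass over the set-style config before committing. The following is an added example, not code from the thread or from Juniper; the sample config is constructed (the `branch` gateway, the `srx240-01.example.com` hostname and the policy names are assumptions), and it treats an unset IKE policy mode as Main, the Junos default.

```python
import re

# Constructed set-style config for two SRX240s (not the thread's attached config):
# "hq" pairs Main mode with explicit identities, "branch" has no st0 bind-interface.
SAMPLE_CONFIG = """
set security ike policy hq mode main
set security ike gateway hq ike-policy hq
set security ike gateway hq address 64.13.163.35
set security ike gateway hq local-identity hostname srx240-02.prod.comp.com
set security ike gateway hq remote-identity hostname srx240-01.example.com
set security ike gateway hq external-interface ge-0/0/0.0
set security ipsec vpn hq-vpn ike gateway hq
set security ipsec vpn hq-vpn bind-interface st0.0
set security ike gateway branch ike-policy branch
set security ike gateway branch address 50.208.33.177
set security ike gateway branch external-interface reth0.1298
set security ipsec vpn branch-vpn ike gateway branch
""".strip()

STANZA_RE = re.compile(
    r"^set security (ike gateway|ike policy|ipsec vpn) (\S+) (\S+)(?: (.*))?$")

def parse_set_config(text):
    """Group 'set security ...' lines into {stanza: {name: {key: value}}}."""
    tree = {}
    for line in text.splitlines():
        m = STANZA_RE.match(line.strip())
        if not m:
            continue
        stanza, name, key, rest = m[1], m[2], m[3], m[4] or ""
        if key == "ike" and " " in rest:  # "ike gateway X" / "ike ipsec-policy Y"
            key, rest = rest.split(" ", 1)
        tree.setdefault(stanza, {}).setdefault(name, {})[key] = rest
    return tree

def check_vpn_config(text):
    """One finding per problem the thread's best answer pointed at."""
    tree = parse_set_config(text)
    findings = []
    for name, vpn in tree.get("ipsec vpn", {}).items():
        if not vpn.get("bind-interface", "").startswith("st0."):
            findings.append(f"vpn {name}: no st0 bind-interface, route-based VPN cannot come up")
    for name, gw in tree.get("ike gateway", {}).items():
        policy = tree.get("ike policy", {}).get(gw.get("ike-policy", ""), {})
        mode = policy.get("mode", "main")  # unset mode is treated as Main (Junos default)
        ids = [k for k in ("local-identity", "remote-identity") if k in gw]
        if mode == "main" and ids:
            findings.append(f"gateway {name}: Main mode with explicit {'/'.join(ids)}")
    return findings
```

    Run `check_vpn_config` over the output of `show configuration | display set` from each peer; an empty list means neither of the two conditions from this thread is present.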



  • 10.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 03:17

    You can walk through these steps to check the phase 1 and phase 2 connections on the VPN. Post output from the steps where you have trouble interpreting what to do as the next phase.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

     



  • 11.  RE: Site to Site VPN Error

    Posted 12-21-2018 12:48

    Hi,

    thanks for the replies

    I am stuck at the 4th step, because it says to analyze the IKE phase 1 messages, but the only message I can find is the above one, and I cannot find anything related to it.

     

     



  • 12.  RE: Site to Site VPN Error

     
    Posted 12-21-2018 16:49

    Were you able to create the special log file to capture the IKE messages specifically, as outlined here?

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10097

     

    This saves the related log messages to the kmd-logs file for review.
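
    Once kmd-logs is capturing IKE messages, the Phase-1 failure lines in it follow the shape quoted at the top of the thread; the parser below pulls out the reason, peer addresses and phase and counts failures per peer so a burst like the "Invalid cookie recvd" one stands out. This is an added example, not code from the thread or from Juniper; the log sample is constructed (the "No proposal chosen" line, the second cookie line and the mgd line are made up to show a non-matching line and a failure with a known source address).

```python
import re
from collections import Counter

# Constructed kmd-logs sample: the thread's line plus made-up variants
# (a repeat, a different Phase-1 failure with a peer address, and a non-kmd line).
SAMPLE_KMD_LOG = r"""
srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=50.208.33.177]
srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^A^B^C, src_ip=<none>, dst_ip=50.208.33.177]
srx240-02a kmd[33482]: IKE Phase-1 Failure: No proposal chosen [spi=1a2b3c4d, src_ip=64.13.163.35, dst_ip=50.208.33.177]
srx240-02a mgd[1201]: UI_COMMIT: User 'admin' requested 'commit' operation
""".strip()

# The spi field is frequently unprintable after syslog mangling, so it is matched loosely.
KMD_FAILURE_RE = re.compile(
    r"^(?P<host>\S+) kmd\[(?P<pid>\d+)\]: IKE Phase-(?P<phase>[12]) Failure: "
    r"(?P<reason>.+?) \[spi=(?P<spi>.*?), src_ip=(?P<src>\S+), dst_ip=(?P<dst>\S+)\]$")

def parse_kmd_failure(line):
    """Return a dict of fields for an IKE failure line, or None for anything else."""
    m = KMD_FAILURE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "<none>" means kmd had no peer address to report for this packet
    if rec["src"] == "<none>":
        rec["src"] = None
    return rec

def summarise_failures(lines):
    """Count failures per (phase, reason, src, dst) so a spike against one peer is visible."""
    counts = Counter()
    for line in lines:
        rec = parse_kmd_failure(line)
        if rec:
            counts[(rec["phase"], rec["reason"], rec["src"], rec["dst"])] += 1
    return counts
```

    Feed it `file show /var/log/kmd-logs` output (or the trace file from KB10097) and compare the counts with the peer's own kmd-logs; a reason that appears on only one side usually points at the side whose config changed.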