SRX


ADVPN Suggester Problems

  • 1.  ADVPN Suggester Problems

    Posted 16 days ago
    Hi,

    I'm wondering if anyone here has successfully used ADVPN?
    I have a case where hubs aren't sending suggestions to spokes, and therefore, spoke sites cannot forward traffic to other spoke sites.

    I have confirmed that the hub is the suggester, and the spokes are partners.
    I have confirmed IKEv2 is used.
    Hub/Spoke traffic is fine. Only Spoke/Spoke is a problem.

    Any suggestions on how to troubleshoot this?


    Hub:

    show security ike security-associations detail | match Suggest
    Type: Static, Local Capability: Suggester, Peer Capability: Partner
    Suggester Shortcut Suggestions Statistics:
    Suggestions sent : 0
    Suggestions accepted: 0
    Suggestions declined: 0


    Spoke:

    show security ike security-associations detail | match Suggest
    Type: Static, Local Capability: Partner, Peer Capability: Suggester
    Partner Shortcut Suggestions Statistics:
    Suggestions received: 0
    Suggestions accepted: 0
    Suggestions declined: 0



    Thanks


  • 2.  RE: ADVPN Suggester Problems

    Posted 15 days ago
    I ended up finding the solution.

    The suggestions are sent out only after the SRX sees that traffic is being routed back over the multipoint tunnel. When it sees this traffic, it sends the suggestion to the spokes so they can build a tunnel directly between each other.

    I wasn't seeing any suggestions, so then I realised that the SRX wasn't sending traffic back out the tunnel.

    The problem seems obvious in hindsight.
    The tunnel interface was in a zone called VPN. I needed to add a security policy that allows traffic within this zone, that is, traffic from VPN to VPN.
    Once this was enabled, the suggestions and shortcuts started working.

    Hope this helps someone else out.
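
    As an added example (not part of the original thread, and not the poster's configuration), here is what the missing intra-zone policy looks like on the hub in Junos set-command form, with the surrounding ADVPN pieces shown for context. The zone name VPN and the interface st0.0 follow the poster's description; the gateway name HUB-GW, VPN name HUB-VPN, policy name spoke-to-spoke and the tunnel address 10.255.0.1/24 are placeholders chosen for illustration.

    ```junos
    ## Hub SRX, set-command form. Gateway, VPN, policy names and the tunnel
    ## address below are placeholders for this example, not from the original post.

    ## Multipoint tunnel interface bound to the VPN zone, as in the poster's setup.
    set interfaces st0 unit 0 multipoint
    set interfaces st0 unit 0 family inet address 10.255.0.1/24
    set security zones security-zone VPN interfaces st0.0

    ## ADVPN on the hub: IKEv2 only, hub acts as suggester and not as a partner.
    set security ike gateway HUB-GW version v2-only
    set security ike gateway HUB-GW advpn partner disable
    set security ipsec vpn HUB-VPN bind-interface st0.0
    set security ipsec vpn HUB-VPN ike gateway HUB-GW

    ## The missing piece from the thread: a spoke's packet arrives on st0.0 (zone
    ## VPN) and must leave again via st0.0 (also zone VPN) toward the other spoke.
    ## Without a VPN-to-VPN policy the SRX drops that flow, so the hub never sees
    ## spoke-to-spoke traffic on the multipoint tunnel and never sends a suggestion.
    set security policies from-zone VPN to-zone VPN policy spoke-to-spoke match source-address any
    set security policies from-zone VPN to-zone VPN policy spoke-to-spoke match destination-address any
    set security policies from-zone VPN to-zone VPN policy spoke-to-spoke match application any
    set security policies from-zone VPN to-zone VPN policy spoke-to-spoke then permit
    commit

    ## Verification: the policy is present, spoke-to-spoke sessions now appear on
    ## st0.0, and the "Suggestions sent" counter should start incrementing once a
    ## spoke sends traffic to another spoke through the hub.
    show security policies from-zone VPN to-zone VPN
    show security flow session interface st0.0
    show security ike security-associations detail | match Suggest
    ```

    The permit-any policy reproduces the fix described in the post. If the VPN zone carries more than spoke traffic, the same policy can be scoped to address-book entries for the spoke subnets instead of any/any; that narrowing is a suggestion for tighter policy, not something the thread itself calls for.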