SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ADVPN Suggester Problems

    Posted 10-11-2021 05:43
    Hi,

    I'm wondering if anyone here has successfully used ADVPN?
    I have a case where hubs aren't sending suggestions to spokes, and therefore, spoke sites cannot forward traffic to other spoke sites.

    I have confirmed that the hub is the suggester, and the spokes are partners.
    I have confirmed IKEv2 is used.
    Hub/Spoke traffic is fine. Only Spoke/Spoke is a problem.

    Any suggestions on how to troubleshoot this?


    Hub:

    show security ike security-associations detail | match Suggest
    Type: Static, Local Capability: Suggester, Peer Capability: Partner
    Suggester Shortcut Suggestions Statistics:
    Suggestions sent : 0
    Suggestions accepted: 0
    Suggestions declined: 0


    Spoke:

    show security ike security-associations detail | match Suggest
    Type: Static, Local Capability: Partner, Peer Capability: Suggester
    Partner Shortcut Suggestions Statistics:
    Suggestions received: 0
    Suggestions accepted: 0
    Suggestions declined: 0



    Thanks


  • 2.  RE: ADVPN Suggester Problems

    Posted 10-11-2021 21:14
    I ended up finding the solution.

    The suggestions are sent out only after the SRX sees that traffic is being routed back over the multipoint tunnel. When it sees this traffic, it sends the suggestion to the spokes so they can build a tunnel directly between each other.

    I wasn't seeing any suggestions, so then I realised that the SRX wasn't sending traffic back out the tunnel.

    The problem seems obvious in hindsight.
    The tunnel interface was in a zone called VPN. I needed to add a security policy to allow traffic within this zone. That is, traffic from VPN to VPN.
    Once this was enabled, the suggestions and shortcuts started working.

    Hope this helps someone else out
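    As an added illustration (not part of the original post), this is the kind of intra-zone policy the fix above describes, in Junos set format. The zone name VPN comes from the post; the address-book names and spoke prefixes are assumed placeholders. Scoping the policy to the spoke LANs rather than any/any keeps the hub-hairpinned traffic limited to what the spokes should actually exchange.

```junos
# Assumed spoke LAN prefixes (placeholders). The zone name VPN is from the post.
set security address-book global address SPOKE-A-LAN 10.1.0.0/24
set security address-book global address SPOKE-B-LAN 10.2.0.0/24
set security address-book global address-set SPOKE-LANS address SPOKE-A-LAN
set security address-book global address-set SPOKE-LANS address SPOKE-B-LAN

# Intra-zone policy: permit spoke-to-spoke traffic that arrives on the multipoint
# tunnel and is routed back out of it. Without such a policy the hub never forwards
# that traffic over the tunnel, so it never sends ADVPN shortcut suggestions.
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match source-address SPOKE-LANS
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match destination-address SPOKE-LANS
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE match application any
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then permit
set security policies from-zone VPN to-zone VPN policy SPOKE-TO-SPOKE then log session-close
commit

# Operational mode: confirm the policy, then re-check the suggester counters from the post.
show security policies from-zone VPN to-zone VPN
show security ike security-associations detail | match Suggest
```

    After spoke-to-spoke traffic flows through the hub, the "Suggestions sent" counter on the hub and "Suggestions received" on the spokes should start incrementing.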