SRX




  • 1.  SRX300 - only one side can initiate a tunnel - no traffic passes

    Posted 09-18-2021 20:08
    I have three SRX300s configured as follows:

    salesoffice 2.2.2.210  ----------- main office 1.1.1.98--------mfg

    The VPN comes up and runs fine between the main office and mfg (no need for a connection between mfg and salesoffice).

    If I ping an address inside the sales office from the main office, the tunnel comes up, but no traffic passes.

    If I ping an address inside the main office from the sales office, the tunnel does not come up.

    So I suspect something with the sales office.

    There is some port forwarding for some cameras in the sales office, and I tried removing all of them, but that made no difference.

    With the tunnel up I execute:

    root@gw-salesoffice> show interfaces st0.1
    Logical interface st0.1 (Index 85) (SNMP ifIndex 537)
    Description: MAINOFFICE
    Flags: Up Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0     <---this number remains zero
    Output packets: 30041   <----this number keeps increasing
    Security: Zone: VPN-MAINOFFICE
    Protocol inet, MTU: 9192
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re

    root@gw-salesoffice> show security ipsec sa
    Total active tunnels: 1     Total Ipsec sas: 1
      ID        Algorithm       SPI       Life:sec/kb  Mon  lsys  Port  Gateway
      <131073   ESP:3des/sha1   d353431f  1580/ unlim  -    root  500   1.1.1.98
      >131073   ESP:3des/sha1   76227064  1580/ unlim  -    root  500   1.1.1.98

    root@gw-salesoffice> show security ike sa
    Index     State  Initiator cookie  Responder cookie  Mode  Remote Address
    5053348   UP     7bececc62e99e103  b14e3b13e40d1e3d  Main  1.1.1.98

    I have compared the configuration to the configuration at mfg (the third SRX300) and excluding the IP addresses, everything is the same.

    I am at a loss where to go from here! Can someone make a suggestion?
    Attachment(s): gw-sales.txt (13 KB)
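    The counters in the post (output packets climbing, input packets stuck at zero on an st0 interface that reports Up) are the signature of a tunnel that encrypts and sends locally but never receives anything back. The following is an added example, not code from the thread or from Juniper: it parses two snapshots of `show interfaces st0.N` output taken a few seconds apart and classifies the tunnel's traffic pattern, so the one-way condition can be caught by a monitoring job rather than by eye. The two snapshots are constructed to mirror the post's output; the field labels are the ones Junos prints there.

```python
"""Classify an st0 tunnel interface from two Junos 'show interfaces st0.N'
snapshots (added example, not from the original thread).

The check flags the pattern reported in the post: interface Up, output
packets increasing between snapshots, input packets zero in both. The
sample text below is constructed to match the post's output.
"""
import re

# Constructed sample: first snapshot, counters as in the post.
SNAPSHOT_T0 = """\
Logical interface st0.1 (Index 85) (SNMP ifIndex 537)
Description: MAINOFFICE
Flags: Up Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 0
Output packets: 30041
Security: Zone: VPN-MAINOFFICE
Protocol inet, MTU: 9192
"""

# Constructed sample: a few seconds later, output has grown, input has not.
SNAPSHOT_T1 = """\
Logical interface st0.1 (Index 85) (SNMP ifIndex 537)
Description: MAINOFFICE
Flags: Up Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 0
Output packets: 30120
Security: Zone: VPN-MAINOFFICE
Protocol inet, MTU: 9192
"""


def parse_st0(text):
    """Extract interface name, Up flag and packet counters from CLI output."""
    m = re.search(r"Logical interface (st0\.\d+)", text)
    if not m:
        raise ValueError("no st0 logical interface found in output")
    info = {"name": m.group(1)}
    # The first 'Flags:' line carries the interface state tokens.
    flags = re.search(r"^Flags:\s*(.*)$", text, re.M)
    info["up"] = bool(flags and "Up" in flags.group(1).split())
    for key, label in (("input", "Input packets"), ("output", "Output packets")):
        c = re.search(rf"{label}\s*:\s*(\d+)", text)
        if not c:
            raise ValueError(f"missing '{label}' counter")
        info[key] = int(c.group(1))
    return info


def diagnose(before, after):
    """Compare two snapshots of the same interface and return a verdict.

    'one-way'        : Up, sending, but nothing has ever arrived (the post's symptom)
    'bidirectional'  : both counters advanced
    'inbound-only'   : only input advanced
    'idle'           : neither counter moved
    'down'           : interface no longer reports Up
    """
    a, b = parse_st0(before), parse_st0(after)
    if a["name"] != b["name"]:
        raise ValueError("snapshots are for different interfaces")
    if not b["up"]:
        return "down"
    d_in = b["input"] - a["input"]
    d_out = b["output"] - a["output"]
    if d_out > 0 and d_in == 0 and b["input"] == 0:
        return "one-way"
    if d_out > 0 and d_in > 0:
        return "bidirectional"
    if d_out == 0 and d_in == 0:
        return "idle"
    return "inbound-only"


if __name__ == "__main__":
    print(parse_st0(SNAPSHOT_T1))
    print("verdict:", diagnose(SNAPSHOT_T0, SNAPSHOT_T1))
```

    In practice the two snapshots would be collected from the device (for example over NETCONF or an SSH session) a few seconds apart while a ping is running across the tunnel; a `one-way` verdict on an interface that is Up is worth an alert, since the IPsec and IKE SA tables can look healthy, as they do in the post, while no return traffic is being decrypted.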


  • 2.  RE: SRX300 - only one side can initiate a tunnel - no traffic passes

    Posted 09-19-2021 11:49
    Resolved this on my own. Rebooting the problem SRX magically fixed the problem.