SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 - only one side can initiate a tunnel - no traffic passes

    Posted 09-18-2021 20:08
    I have (3) SRX300 configured as follows

    salesoffice 2.2.2.210  ----------- main office 1.1.1.98--------mfg

    The VPN comes up and runs fine between main office and mfg (no need for a connection between mfg and salesoffice).

    If I ping an address inside the sales office from the main office, the tunnel comes up, but no traffic passes.

    If I ping an address inside the main office from the sales office, the tunnel does not come up.

    So I suspect something with the sales office.

    There is some port forwarding for some cameras in the sales office, and I tried removing all of them, but that made no difference.

    With the tunnel up I execute:

    root@gw-salesoffice> show interfaces st0.1
    Logical interface st0.1 (Index 85) (SNMP ifIndex 537)
    Description: MAINOFFICE
    Flags: Up Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 0     <---this number remains zero
    Output packets: 30041   <----this number keeps increasing
    Security: Zone: VPN-MAINOFFICE
    Protocol inet, MTU: 9192
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
    Flags: Sendbcast-pkt-to-re

    root@gw-salesoffice> show security ipsec sa
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <131073 ESP:3des/sha1 d353431f 1580/ unlim - root 500 1.1.1.98
    >131073 ESP:3des/sha1 76227064 1580/ unlim - root 500 1.1.1.98

    root@gw-salesoffice> show security ike sa
    Index State Initiator cookie Responder cookie Mode Remote Address
    5053348 UP 7bececc62e99e103 b14e3b13e40d1e3d Main 1.1.1.98

    I have compared the configuration to the configuration at mfg (the third SRX300) and excluding the IP addresses, everything is the same.

    I am at a loss where to go from here! Can someone make a suggestion?

    Attachment: gw-sales.txt (13 KB)

  • 2.  RE: SRX300 - only one side can initiate a tunnel - no traffic passes

    Posted 09-19-2021 11:49
    Resolved this on my own. Rebooting the problem SRX magically fixed the problem.