Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  The VPN is up, but I have no access on servers

    Posted 04-05-2017 14:35

    Hi!

     

    I just configured a site-to-site VPN. Both Phase 1 and Phase 2 are UP, but I cannot access any servers.

    Does anyone have any tips to help me?

    TKS!

     

    Source network: 192.168.4.0/23

    Remote network: 10.2.18.0/23

    VPN_name: VPN_Finep_Site_to_Site

    VPN route-based 

     

    root@srx340> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    5104053 UP     f73f644ad894a834  1bd361ed45a68500  Main           200.155.97.50

    root@srx340> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-cbc-128/sha1 8aeba4fb 1402/ unlim - root 500 200.155.97.50
      >131073 ESP:aes-cbc-128/sha1 d3238517 1402/ unlim - root 500 200.155.97.50

     

    root@srx340> show route
    inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 01:37:18
                        > to 177.19.201.113 via ge-0/0/0.0
                        [Static/7] 01:37:17
                        > to 201.48.222.193 via ge-0/0/1.0
    10.2.18.0/23       *[Static/5] 00:37:05
                        > via st0.0

     

    root@srx340> ping 10.2.18.1
    PING 10.2.18.1 (10.2.18.1): 56 data bytes

     

    ###############################################################################

    security {
        log {
            mode event;
        }
        ike {
            proposal VPN_Finep_Conf {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            proposal VPN_Ultra_Conf {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 86400;
            }
            policy ike_pol_VPN_Finep_Site_to_Site {
                mode main;
                proposals VPN_Finep_Conf;
                pre-shared-key ascii-text "$9$ttaEOhyrlvX7VbsPQzF9CKMW8Ndbs2UikvM8X";
            }
            policy ike_pol_VPN_Ultra_Site_to_Site {
                mode main;
                proposals VPN_Ultra_Conf;
                pre-shared-key ascii-text "$9$YHg4JUDHmPTJZn/tpB1IRh";
            }
            gateway gw_VPN_Finep_Site_to_Site {
                ike-policy ike_pol_VPN_Finep_Site_to_Site;
                address 200.155.97.50;
                external-interface ge-0/0/0.0;
                version v1-only;
            }
            gateway gw_VPN_Ultra_Site_to_Site {
                ike-policy ike_pol_VPN_Ultra_Site_to_Site;
                address 177.67.61.243;
                external-interface ge-0/0/0.0;
                version v1-only;
            }
        }
        ipsec {
            proposal VPN_Finep_Conf_Fase_2 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-128-cbc;
                lifetime-seconds 3600;
            }
            proposal VPN_Ultra_Conf_Fase_2 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec_pol_VPN_Finep_Site_to_Site {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals VPN_Finep_Conf_Fase_2;
            }
            policy ipsec_pol_VPN_Ultra_Site_to_Site {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals VPN_Ultra_Conf_Fase_2;
            }
            vpn VPN_Finep_Site_to_Site {
                bind-interface st0.0;
                ike {
                    gateway gw_VPN_Finep_Site_to_Site;
                    proxy-identity {
                        local 192.168.4.0/23;
                        remote 10.2.18.0/23;
                        service any;
                    }
                    ipsec-policy ipsec_pol_VPN_Finep_Site_to_Site;
                }
                establish-tunnels immediately;
            }
            vpn VPN_Ultra_Site_to_Site {
                bind-interface st0.1;
                ike {
                    gateway gw_VPN_Ultra_Site_to_Site;
                    ipsec-policy ipsec_pol_VPN_Ultra_Site_to_Site;
                }
                establish-tunnels immediately;
            }
        }
        nat {
            source {
                pool 2 {
                    address {
                        192.168.58.40/30;
                    }
                }
                rule-set SNAT {
                    from zone [ Internal Rede_Visitante ];
                    to zone Internet;
                    rule 1 {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set 2 {
                    from zone Internal;
                    to zone Internet;
                    rule 2 {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address [ 172.20.62.0/23 172.20.120.51/32 172.20.120.62/32 172.20.120.73/32 ];
                        }
                        then {
                            source-nat {
                                pool {
                                    2;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internal to-zone Internet {
                policy policy_out_VPN_Finep_Site_to_Site {
                    match {
                        source-address addr_192_168_4_0_23;
                        destination-address addr_10_2_18_0_23;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy Acesso_Internet_Full {
                    match {
                        source-address [ PC_Daniel_Batista PC_Ricardo_Rodrigues PC_Vitor_Abdalla WLRPROXY PC_Daniel_Urbano PC_Bruno_Petroveski NOT_Bruno_Petroveski ];
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy Internal-to-Internet_Services {
                    match {
                        source-address any;
                        destination-address [ VPN_Metro VPN_Finep VPN_APEX VPN_Hemobras ];
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy Internal-to-Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Rede_Visitante to-zone Internet {
                policy Acesso_Visitante {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Internal {
                policy policy_in_VPN_Finep_Site_to_Site {
                    match {
                        source-address addr_10_2_18_0_23;
                        destination-address addr_192_168_4_0_23;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internal to-zone Internal {
                policy policy_out_VPN_Ultra_Site_to_Site {
                    match {
                        source-address addr_192_168_4_0_23;
                        destination-address [ addr_172_20_120_73_32 addr_172_20_120_62_32 addr_172_20_120_51_32 ];
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy policy_in_VPN_Ultra_Site_to_Site {
                    match {
                        source-address [ addr_172_20_120_73_32 addr_172_20_120_62_32 addr_172_20_120_51_32 ];
                        destination-address addr_192_168_4_0_23;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                description "Rede Interna da Walar";
                address-book {
                    address PC_Daniel_Batista 192.168.4.184/32;
                    address PC_Ricardo_Rodrigues 192.168.5.107/32;
                    address PC_Vitor_Abdalla 192.168.4.228/32;
                    address PC_Bruno_Petroveski 192.168.4.109/32;
                    address WLRPROXY 192.168.5.8/32;
                    address PC_Daniel_Urbano 192.168.4.158/32;
                    address addr_192_168_58_40_30 192.168.58.40/30;
                    address NOT_Bruno_Petroveski 192.168.5.198/32;
                    address addr_192_168_4_0_23 192.168.4.0/23;
                    address addr_172_20_120_73_32 172.20.120.73/32;
                    address addr_172_20_120_62_32 172.20.120.62/32;
                    address addr_172_20_120_51_32 172.20.120.51/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/2.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    st0.1;
                }
            }
            security-zone Internet {
                description Internet;
                address-book {
                    address VPN_Metro 200.144.30.90/32;
                    address VPN_Finep 200.155.97.50/32;
                    address VPN_APEX 200.0.35.212/32;
                    address VPN_Hemobras 177.52.19.227/32;
                    address addr_10_2_18_0_23 10.2.18.0/23;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                    st0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Rede_Visitante {
                description "Rede para visitante - Internet";
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust;
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 177.19.201.116/29;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 201.48.222.197/28;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.5.2/23;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                description "Rede Wifi Visitantes";
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
        }
    }
    forwarding-options {
        packet-capture {
            disable;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 177.19.201.113;
                qualified-next-hop 201.48.222.193 {
                    preference 7;
                }
                preference 5;
            }
            route 10.2.18.0/23 next-hop st0.0;
            route 172.20.120.73/32 next-hop st0.1;
            route 172.20.120.62/32 next-hop st0.1;
            route 172.20.120.51/32 next-hop st0.1;
        }
    }



  • 2.  RE: The VPN is up, but I have no access on servers

    Posted 04-05-2017 17:38

    Hello, bruno300!

     

    I hope you're having a great week. Thanks for posting so much helpful information. I have a few recommendations.

     

    First, run a continuous ping to a server on the other side, then run the following commands... I noted your ping has no source. Do you know what IP the SRX is sourcing the request from? You should attempt setting an explicit source on the 192.168.4.0/23 network, such as a local interface within that network.

     

    Have you validated that you're seeing proper encaps and decaps on the tunnel?

     

    Identify the index for the tunnel you're troubleshooting. 

    show security ipsec security-associations brief

     

    Use the index to check the tunnel statistics.

    show security ipsec statistics index 131073
    ESP Statistics:
    Encrypted bytes: 153876
    Decrypted bytes: 116316
    Encrypted packets: 887
    Decrypted packets: 1139
    AH Statistics:
    Input bytes: 0
    Output bytes: 0
    Input packets: 0
    Output packets: 0
    Errors:
    AH authentication failures: 0, Replay errors: 0
    ESP authentication failures: 0, ESP decryption failures: 0
    Bad headers: 0, Bad trailers: 0

     Validate the Encrypted packets and Decrypted packets counters are incrementing together. Unfortunately, this can be less than reliable if you have other traffic over the tunnel. 

     

    Alternatively, set up flow traceoptions and upload the output here. Along with this, please verify the source and destination IP addresses. This will allow us to validate that the packet is matching all proper policies, NATs, etc., and that the VPN is handling it properly. Instructions for flow traceoptions are below.

     

    Configure the following and commit.

    set security flow traceoptions file tshoot-flow
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter PF1 source-prefix <source IP/netmask>
    set security flow traceoptions packet-filter PF1 destination-prefix <dest IP/netmask>
    set security flow traceoptions packet-filter PF2 source-prefix <destination IP/netmask>
    set security flow traceoptions packet-filter PF2 destination-prefix <source IP/netmask>

    Start a ping and periodically check the flow file with the following command:

    show log tshoot-flow

     If populated, disable the traceoption and upload the flow file here.

     

    Thanks so much!
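    The counter check described in the reply above (encrypted and decrypted packets should climb together) is easy to misread by eye when the tunnel also carries background traffic. The following is an added example, not code from the thread or from Juniper: it parses two samples of `show security ipsec statistics index <id>` output in the format shown above, diffs the ESP counters and the error lines, and classifies the SA as bidirectional, encrypt-only, decrypt-only or idle. The sample text and its numbers are constructed for this example; the hint strings are the author's troubleshooting reading of each state, not device output.

```python
import re

# Constructed sample in the format of `show security ipsec statistics index <id>`
# on an SRX; the numbers are made up for this example, not taken from a real device.
SAMPLE_BEFORE = """\
ESP Statistics:
  Encrypted bytes:          1522936
  Decrypted bytes:                0
  Encrypted packets:          10021
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# The same SA sampled again a few seconds later while a ping is running:
# only the encrypt-side counters moved (constructed values).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("1522936", "1524456").replace("10021", "10041")

# "Encrypted packets:   10021" style counter lines.
COUNTER_RE = re.compile(r"^\s*(Encrypted|Decrypted) (bytes|packets):\s*(\d+)\s*$", re.MULTILINE)
# "AH authentication failures: 0, Replay errors: 0" style error lines (several per line).
ERROR_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")


def parse_ipsec_stats(text):
    """Return the ESP counters and the error counters of one statistics sample."""
    stats = {}
    for direction, unit, value in COUNTER_RE.findall(text):
        stats[f"{direction.lower()}_{unit}"] = int(value)
    errors = {}
    in_errors = False
    for line in text.splitlines():
        if line.strip() == "Errors:":
            in_errors = True
            continue
        if in_errors:
            for name, value in ERROR_RE.findall(line):
                errors[name.strip()] = int(value)
    stats["errors"] = errors
    return stats


def classify_tunnel(before, after):
    """Classify the SA from the change in packet counters between two samples."""
    enc = after["encrypted_packets"] - before["encrypted_packets"]
    dec = after["decrypted_packets"] - before["decrypted_packets"]
    if enc < 0 or dec < 0:
        return "counters-reset"      # SA rekeyed or statistics cleared between samples
    if enc > 0 and dec > 0:
        return "bidirectional"
    if enc > 0:
        return "encrypt-only"        # we send, nothing usable comes back
    if dec > 0:
        return "decrypt-only"        # the peer sends, we never answer through the SA
    return "idle"


def new_errors(before, after):
    """Error counters that increased between the two samples."""
    return {name: value - before["errors"].get(name, 0)
            for name, value in after["errors"].items()
            if value - before["errors"].get(name, 0) > 0}


# Author's reading of each state; these are hints, not device output.
HINTS = {
    "bidirectional": "traffic flows both ways through this SA; if the service is still "
                     "unreachable, look beyond the tunnel (host firewall, application)",
    "encrypt-only": "this side encrypts and sends but decrypts nothing: replies never "
                    "arrive or do not match this SA; check the peer's route, policy and "
                    "proxy-ID for the return direction",
    "decrypt-only": "the peer's traffic arrives but nothing is sent back: check the local "
                    "route to the remote prefix and the local policy",
    "idle": "neither counter moved: the test traffic is not reaching this tunnel at all "
            "(wrong source address, route or policy)",
    "counters-reset": "counters went backwards (rekey or cleared statistics); sample again",
}


def diagnose(before_text, after_text):
    """Parse two raw samples and return (state, hint, error counters that grew)."""
    before, after = parse_ipsec_stats(before_text), parse_ipsec_stats(after_text)
    state = classify_tunnel(before, after)
    return state, HINTS[state], new_errors(before, after)


if __name__ == "__main__":
    state, hint, errs = diagnose(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"{state}: {hint}")
    print("errors that increased:", errs or "none")
```

    Run it against two copies of the real command output taken a few seconds apart; an "encrypt-only" result with no growing error counters is the signature of a tunnel that is up and sending, where the missing piece is the return path on the far side.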



  • 3.  RE: The VPN is up, but I have no access on servers

    Posted 04-06-2017 04:18

    Hi synackray!

    Thank you very much for the information. I performed all the procedures you reported. Unfortunately I am not a firewall expert and it's the first time I'm configuring Juniper equipment, so I could not understand the log that was generated.
    I am submitting all the procedures and the log that was generated.
    Thank you again!!

     

    #############################################

     

    root@srx340> ping source 192.168.5.2 10.2.18.1
    PING 10.2.18.1 (10.2.18.1): 56 data bytes
    --- 10.2.18.1 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    root@srx340> show security ipsec security-associations brief
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-cbc-128/sha1 33758b7f 2030/ unlim - root 500 200.155.97.50
      >131073 ESP:aes-cbc-128/sha1 d323853b 2030/ unlim - root 500 200.155.97.50

    root@srx340> show security ipsec statistics index 131073
    ESP Statistics:
      Encrypted bytes:          1522936
      Decrypted bytes:                0
      Encrypted packets:          10021
      Decrypted packets:              0
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

    root@srx340> configure
    Entering configuration mode

    [edit]
    root@srx340# set security flow traceoptions file tshoot-flow

    [edit]
    root@srx340# set security flow traceoptions flag basic-datapath

    [edit]
    root@srx340# set security flow traceoptions packet-filter PF1 source-prefix 192.168.5.2/23

    [edit]
    root@srx340# set security flow traceoptions packet-filter PF1 destination-prefix 10.2.18.1/23

    [edit]
    root@srx340# set security flow traceoptions packet-filter PF2 source-prefix 192.168.5.2/23

    [edit]
    root@srx340# set security flow traceoptions packet-filter PF2 destination-prefix 10.2.18.1/23

    [edit]
    root@srx340# exit

     

    ############Executing ping to generate the log below#########


    root@srx340> show log tshoot-flow
    Apr  6 08:10:20 08:10:20.175882:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.5.2->10.2.18.1 nsp2 0.0.0.0->10.2.18.1.

    Apr  6 08:10:20 08:10:20.175882:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.5.2, x_dst_ip 10.2.18.1, in ifp .local..0, out ifp N/A sp 139, dp 5762, ip_proto 1, tos 0

    Apr  6 08:10:20 08:10:20.175912:CID-0:RT:Doing DESTINATION addr route-lookup

    Apr  6 08:10:20 08:10:20.175912:CID-0:RT:flow_ipv4_rt_lkup success 10.2.18.1, iifl 0x0, oifl 0x46

    Apr  6 08:10:20 08:10:20.175912:CID-0:RT:Checking in-ifp from .local..0 to ge-0/0/2.0 for src: 192.168.5.2 in vr_id:0

    Apr  6 08:10:20 08:10:20.175912:CID-0:RT:  routed (x_dst_ip 10.2.18.1) from junos-host (.local..0 in 0) to st0.0, Next-hop: 10.2.18.1

    Apr  6 08:10:20 08:10:20.175960:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone VPN (0x0,0x8b1682,0x1682)

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(11:VPN) scope:0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:             192.168.5.2/2048 -> 10.2.18.1/52867 proto 1

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  permitted by policy self-traffic-policy(1)

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  packet passed, Permitted by policy.

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate:  incoming src port is : 139.

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  dip id = 0/0, 192.168.5.2/139->192.168.5.2/139 protocol 0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:(flow_first_get_tun_info) Valid IP, using IP from session

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  Doing IPSec traffic-selector match for  192.168.5.2 -> 10.2.18.1

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT: Found IPSec nsp_tunnel 0x583f6c38 for bind-ifp st0.0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_get_tun_info: tunnel out 0x583f6c38, tun id 131073

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x583f6c38, tun id 131073, tun if ge-0/0/0.0, tun bind if st0.0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  choose interface ge-0/0/0.0(P2P) as outgoing phy if

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.2.18.1, rtt_idx:0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:-jsf : Alloc sess plugin info for session 4295163017

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4295163017, impli mask(0x0), post_nat cnt 0 svc req(0x0)

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:-jsf : no plugin interested for session 4295163017, free sess plugin info

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:[JSF]Releasing plugin info blocks

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_service_lookup(): natp(0x5afc2cc8): app_id, 0(0).

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  service lookup identified service 0.

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:In flow_first_complete_session

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51028a10, nsp: 0x5afc2cc8, in_tunnel: 0x0

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:construct v4 vector for nsp2

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  existing vector list 0x204-0x4ae2e5a0.

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  Session (id:195721) created for first pak 204

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:first pak processing successful

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT:  flow_first_install_session======> 0x5afc2cc8

    Apr  6 08:10:20 08:10:20.175964:CID-0:RT: nsp 0x5afc2cc8, nsp2 0x5afc2d58

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  make_nsp_ready_no_resolve()

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:flow_ipv4_rt_lkup success 192.168.5.2, iifl 0x0, oifl 0x0

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  route lookup: dest-ip 192.168.5.2 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  route to 192.168.5.2

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:no need update ha

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:Installing c2s NP session wing

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:first path session installation succeeded

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow got session.

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow session id 195721

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT: vector bits 0x204 vector 0x4ae2e5a0

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:ttl vector, out_tunnel = 0x583f6c38

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  encap vector

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x583f6c38).

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:  flow_encrypt: tun 0x583f6c38, type 1

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:mbuf 0x45e82580, exit nh 0x120010

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51028a10 associated with mbuf 0x45e82580

    Apr  6 08:10:20 08:10:20.176253:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)


    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:jsf sess close notify

    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 195212, in hash 32

    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 195212, in hash 32

    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:jsf sess close notify

    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 194793, in hash 32

    Apr  6 08:10:20 08:10:20.333663:CID-0:RT:flow_ipv4_del_flow: sess 194793, in hash 32

    Apr  6 08:10:21 08:10:21.176701:CID-0:RT:<192.168.5.2/140->10.2.18.1/5762;1> matched filter PF1:

    Apr  6 08:10:21 08:10:21.176701:CID-0:RT:packet [84] ipid = 39918, @0x45e84bc1

    Apr  6 08:10:21 08:10:21.176755:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 0, common flag 0x0, mbuf 0x45e82580, rtbl_idx = 0

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:flow process pak, mbuf 0x45e82580, ifl 0, ctxt_type 0 inq type 5

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT: in_ifp <junos-host:.local..0>

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6ade0790

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:host inq check inq_type 0x5

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:Using vr id from pfe_tag with value= 0

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:Over-riding lpak->vsys with 0

    Apr  6 08:10:21 08:10:21.176766:CID-0:RT:  .local..0:192.168.5.2->10.2.18.1, icmp, (8/0)

    Apr  6 08:10:21 08:10:21.176816:CID-0:RT: find flow: table 0x525d9c00, hash 44881(0xffff), sa 192.168.5.2, da 10.2.18.1, sp 140, dp 5762, proto 1, tok 2, conn-tag 0x00000000

    Apr  6 08:10:21 08:10:21.176816:CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0

    Apr  6 08:10:21 08:10:21.176816:CID-0:RT:  flow_first_create_session

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:Save init hash spu id 0 to nsp and nsp2!

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:(flow_first_create_session) usp_tagged set session as mng session

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:First path alloc and instl pending session, natp=0x5afc30a8, id=195723

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:  flow_first_in_dst_nat: in <.local..0>, out <N/A> dst_adr 10.2.18.1, sp 140, dp 5762

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:  chose interface .local..0 as incoming nat if.

    Apr  6 08:10:21 08:10:21.176846:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.5.2->10.2.18.1 nsp2 0.0.0.0->10.2.18.1.

    Apr  6 08:10:21 08:10:21.176895:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.5.2, x_dst_ip 10.2.18.1, in ifp .local..0, out ifp N/A sp 140, dp 5762, ip_proto 1, tos 0

    Apr  6 08:10:21 08:10:21.176906:CID-0:RT:Doing DESTINATION addr route-lookup

    Apr  6 08:10:21 08:10:21.176918:CID-0:RT:flow_ipv4_rt_lkup success 10.2.18.1, iifl 0x0, oifl 0x46

    Apr  6 08:10:21 08:10:21.176918:CID-0:RT:Checking in-ifp from .local..0 to ge-0/0/2.0 for src: 192.168.5.2 in vr_id:0

    Apr  6 08:10:21 08:10:21.176918:CID-0:RT:  routed (x_dst_ip 10.2.18.1) from junos-host (.local..0 in 0) to st0.0, Next-hop: 10.2.18.1

    Apr  6 08:10:21 08:10:21.176955:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone VPN (0x0,0x8c1682,0x1682)

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(11:VPN) scope:0

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:             192.168.5.2/2048 -> 10.2.18.1/51823 proto 1

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  app 0, timeout 60s, curr ageout 60s

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  permitted by policy self-traffic-policy(1)

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:  packet passed, Permitted by policy.

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False

    Apr  6 08:10:21 08:10:21.176963:CID-0:RT:flow_first_src_xlate:  incoming src port is : 140.

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT:  dip id = 0/0, 192.168.5.2/140->192.168.5.2/140 protocol 0

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT:(flow_first_get_tun_info) Valid IP, using IP from session

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT:  Doing IPSec traffic-selector match for  192.168.5.2 -> 10.2.18.1

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Did not find traffic-selector enabled nsp_tunnel for  st0-ifp st0.0. Finding non-traffic-selector nsp_tunnel

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Found non-NHTB IPSec nsp_tunnel for ifp st0.0

    Apr  6 08:10:21 08:10:21.177020:CID-0:RT: Found IPSec nsp_tunnel 0x583f6c38 for bind-ifp st0.0

    Apr  6 08:10:21 08:10:21.177067:CID-0:RT:flow_first_get_tun_info: tunnel out 0x583f6c38, tun id 131073

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_get_out_ifp: tunnel out 0x583f6c38, tun id 131073, tun if ge-0/0/0.0, tun bind if st0.0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  choose interface ge-0/0/0.0(P2P) as outgoing phy if

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:is_loop_pak: No loop: on ifp: st0.0, addr: 10.2.18.1, rtt_idx:0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:-jsf : Alloc sess plugin info for session 4295163019

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Normal interest check. regd plugins 28, enabled impl mask 0x0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Plugins(0x0, count 0) enabled for session = 4295163019, impli mask(0x0), post_nat cnt 0 svc req(0x0)

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:-jsf : no plugin interested for session 4295163019, free sess plugin info

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:[JSF]Releasing plugin info blocks

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_service_lookup(): natp(0x5afc30a8): app_id, 0(0).

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  service lookup identified service 0.

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_first_final_check: in <.local..0>, out <ge-0/0/0.0>

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:In flow_first_complete_session

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_first_complete_session, pak_ptr: 0x51048a10, nsp: 0x5afc30a8, in_tunnel: 0x0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:construct v4 vector for nsp2

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  existing vector list 0x204-0x4ae2e5a0.

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  Session (id:195723) created for first pak 204

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:first pak processing successful

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_first_install_session======> 0x5afc30a8

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT: nsp 0x5afc30a8, nsp2 0x5afc3138

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  make_nsp_ready_no_resolve()

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_ipv4_rt_lkup success 192.168.5.2, iifl 0x0, oifl 0x0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  route lookup: dest-ip 192.168.5.2 orig ifp .local..0 output_ifp .local..0 orig-zone 2 out-zone 2 vsd 0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  route to 192.168.5.2

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:no need update ha

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:Installing c2s NP session wing

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:first path session installation succeeded

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow got session.

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow session id 195723

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT: vector bits 0x204 vector 0x4ae2e5a0

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:ttl vector, out_tunnel = 0x583f6c38

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:pre-frag not needed: ipsize: 84, mtu: 1438, nsp2->pmtu: 1438

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  encap vector

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  going into tunnel 131073 (nsp_tunnel=0x583f6c38).

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:  flow_encrypt: tun 0x583f6c38, type 1

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:mbuf 0x45e82580, exit nh 0x120010

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51048a10 associated with mbuf 0x45e82580

    Apr  6 08:10:21 08:10:21.177074:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)






  • 4.  RE: The VPN is up, but I have no access on servers
    Best Answer

    Posted 04-06-2017 06:50

    Hi, bruno300!

     

    I have good news and bad news. Based on the logs you've provided, your device is generating the requested ping, it passes all policy checks, and it is sent out of st0.0. However, in your logs I see no return traffic.

     

    On your packet filter, there is an error. It is only capturing one side of the conversation. Would you mind updating it?

    set security flow traceoptions packet-filter PF1 source-prefix 192.168.5.2/32
    set security flow traceoptions packet-filter PF1 destination-prefix 10.2.18.1/32
    set security flow traceoptions packet-filter PF2 source-prefix 10.2.18.1/32
    set security flow traceoptions packet-filter PF2 destination-prefix 192.168.5.2/32
    run clear log tshoot-flow

    Regardless of that, your statistics show there are no decrypted packets. This is indicative that the remote end is not sending any traffic back to you. You may wish to ask whoever controls the remote end, if not you, to verify they are seeing decaps, they are permitting your traffic, and that they see encaps incrementing in response to your traffic. I hope this is helpful!

     

    Please feel free to update the post with more information and/or an updated copy of the tshoot-flow logs and ipsec statistics. I'll be more than happy to double-check it for you.
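    A small added check for the one-sided-filter mistake described in this answer (example code, not from the thread or from Juniper): it parses `set security flow traceoptions packet-filter ...` lines, reports every source/destination pair that has no matching reverse filter, and generates the `set` commands for the missing return direction. The sample config text and the filter name prefix `PFR` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the one-sided filter from the thread, then the corrected pair.
ONE_SIDED = """
set security flow traceoptions packet-filter PF1 source-prefix 192.168.5.2/32
set security flow traceoptions packet-filter PF1 destination-prefix 10.2.18.1/32
"""
BOTH_SIDES = ONE_SIDED + """
set security flow traceoptions packet-filter PF2 source-prefix 10.2.18.1/32
set security flow traceoptions packet-filter PF2 destination-prefix 192.168.5.2/32
"""

_LINE = re.compile(
    r"^set security flow traceoptions packet-filter (\S+) "
    r"(source-prefix|destination-prefix) (\S+)$"
)


def parse_filters(config_text):
    """Return {filter_name: {"source-prefix": ..., "destination-prefix": ...}}."""
    filters = defaultdict(dict)
    for line in config_text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, key, prefix = m.groups()
            filters[name][key] = prefix
    return dict(filters)


def missing_return_filters(config_text):
    """(src, dst) pairs captured in one direction only; a missing prefix is None."""
    pairs = {
        (f.get("source-prefix"), f.get("destination-prefix"))
        for f in parse_filters(config_text).values()
    }
    # The trace shows both directions only if the swapped pair is also present.
    return sorted(((s, d) for (s, d) in pairs if (d, s) not in pairs), key=str)


def reverse_filter_lines(config_text, prefix="PFR"):
    """Generate the set commands that capture each missing return direction."""
    lines = []
    for i, (src, dst) in enumerate(missing_return_filters(config_text), 1):
        name = f"{prefix}{i}"  # hypothetical filter name, constructed here
        for key, value in (("source-prefix", dst), ("destination-prefix", src)):
            if value is not None:
                lines.append(f"set security flow traceoptions packet-filter {name} {key} {value}")
    return lines
```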



  • 5.  RE: The VPN is up, but I have no access on servers

    Posted 04-07-2017 14:23

    TKS for the support, synackray!

    The problem was solved; it was in the peer device!

     

    Tks!