SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Aggressive VPN not working on SRX1600

    This message was posted by a user wishing to remain anonymous
    Posted 5 days ago

    Hi

    We have changed from an SRX345 20.2R3-S2.5 to an SRX1600 24.4R1-S2.4. We have moved the configuration and everything should be the same except for the model and OS.

    After the move the aggressive tunnels got issues connecting. Main mode works fine. It seems that all the VPN tunnels get stuck in the first available aggressive IKE gateway that is down. If I disable the mentioned IKE gateway the aggressive VPN that is trying to connect might connect if it isn't stuck in another IKE gateway. Does anyone have a suggestion? I have attached the log from the firewall:

    Oct 29 12:49:30.857373 [CRT] [NONE] [0.0.0.0 <-> 0.0.0.0] Trace level changed from [WRN]  to [EXT]
    Oct 29 12:50:19.804175 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa-get init-cookie (0x853268dd8c0c50a6) resp-cookie (0x0000000000000000)
    Oct 29 12:50:19.804209 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-new-connection callback
    Oct 29 12:50:19.804334 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-ike-sa-allocate: allocate ike-sa Role=Responder
    Oct 29 12:50:19.804344 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_alloc() Allocated ike-sa-node(0x2d1a8b0)
    Oct 29 12:50:19.804357 [DET] [UTIL] [14.14.14.14 <-> 24.24.24.24] ike_allocate_new_index: srg-id=0, restore_index=0, restore_index_no_srg=0, index_val=623969, curr_index=623968, ret_index=623968
    Oct 29 12:50:19.804363 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_alloc() final_index=623968, restore_index=0
    Oct 29 12:50:19.804370 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-alloc: ike_sa_node 0x2d1a8b0, ikesa index=623968
    Oct 29 12:50:19.804384 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-half-open-timer: Timer started for ike-sa 0x2d1a8d4, index=623968 lifetime 60 secs
    Oct 29 12:50:19.804391 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-allocate: allocated ike-sa 0x2d1a8d4 vendor-ike-sa 0x2a59c20
    Oct 29 12:50:19.804397 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-ike-sa-allocate: allocated vendor-ike-sa=0x2a59c20
    Oct 29 12:50:19.804407 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ++ ike-sa-reference count for ike-sa=0x2d1a8d4,vendor-ike-sa 0x2a59c20,ref-count 1
    Oct 29 12:50:19.804414 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ++ ike-sa-reference count for ike-sa=0x2d1a8d4,vendor-ike-sa 0x2a59c20,ref-count 2
    Oct 29 12:50:19.804423 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_ike_exchange_data_alloc_cb: atec-exchange-data-alloc: called for toolkit-ike-sa=0x2a59c20
    Oct 29 12:50:19.804432 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-exchange-data-alloc: allocated exchange-data=0x4073028 for ike-sa 0x2d1a8d4
    Oct 29 12:50:19.804466 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] get-local-address-list callback called for ed 0x4073028
    Oct 29 12:50:19.804670 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] IKEv1 packet R(14.14.14.14:500 <- 24.24.24.24:500): len=  658, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
    Oct 29 12:50:19.804698 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(RFC 3706 (Dead Peer Detection)) len 16
    Oct 29 12:50:19.804707 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-stenberg-ipsec-nat-traversal-01) len 16
    Oct 29 12:50:19.804716 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-stenberg-ipsec-nat-traversal-02) len 16
    Oct 29 12:50:19.804740 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-ietf-ipsec-nat-t-ike-00) len 16
    Oct 29 12:50:19.804749 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-ietf-ipsec-nat-t-ike-02) len 16
    Oct 29 12:50:19.804761 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-ietf-ipsec-nat-t-ike-02) len 16
    Oct 29 12:50:19.804770 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(draft-ietf-ipsec-nat-t-ike-03) len 16
    Oct 29 12:50:19.804780 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(RFC 3947) len 16
    Oct 29 12:50:19.804789 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv V(NetScreen Technologies) len 28
    Oct 29 12:50:19.804799 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv unknown V (vendor-id) from peer
    Oct 29 12:50:19.804808 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv unknown V (vendor-id) from peer
    Oct 29 12:50:19.804816 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] recv unknown V (vendor-id) from peer
    Oct 29 12:50:19.804850 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa-select callback for ed 0x4073028
    Oct 29 12:50:19.804858 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_ike_spd_select_ike_sa_cb() ike-sa=0x2d1a8d4 ike-sa-index=623968 srg-id-in-ike-sa=0 ike-sa-node=0x2d1a8b0
    Oct 29 12:50:19.804864 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] received vr_id from packet 0
    Oct 29 12:50:19.804897 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike_peer_interim_key_alloc: succeed to allocate interim peer key for peer_node (0x4080020), key=0x408002c, key_len=16
    Oct 29 12:50:19.804904 [DET] [UTIL] [14.14.14.14 <-> 24.24.24.24] ike_allocate_new_index: srg-id=0, restore_index=0, restore_index_no_srg=0, index_val=545926, curr_index=545925, ret_index=545925
    Oct 29 12:50:19.804910 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-peer-index-allocate: restore_index=0, curr_index=545925 global_index not updated
    Oct 29 12:50:19.804921 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-peer-alloc: allocated ike-peer-node (0x4080020), peer (0x408004c), peer-index (2236876800), for local-ip (14.14.14.14) remote-ip (24.24.24.24). Added to responder side interim tree, srg-id (0)
    Oct 29 12:50:19.804932 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] peer-ike-sa-list-add: Add ike-sa(0x2d1a8d4) to ike-sa-list(0x3579210) in peer(0x408004c)
    Oct 29 12:50:19.804938 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] peer-ike-sa-list-add: index in key = 623968
    Oct 29 12:50:19.804945 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] peer-ike-sa-list-add: Added ike-sa(0x2d1a8d4) to peer-sa-list(0x3579210) peer(0x408004c)
    Oct 29 12:50:19.804951 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] peer-ike-sa-list-add: peer(0x408004c) has ike_sa_count=1
    Oct 29 12:50:19.804967 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-atec-create-prop, added for gateway GW_CLIENT-REDUNDANT prop-index 0
    Oct 29 12:50:19.805002 [ERR] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa negotiation failed due to invalid sa-slection
    Oct 29 12:50:19.805011 [TER] [PEER] [14.14.14.14 <-> 24.24.24.24] IKE: Gateway N:GW_CLIENT-REDUNDANT C:14.14.14.14:500 R:24.24.24.24:10738 Failed Role:R Proposals
    Oct 29 12:50:19.805029 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] R:[P0] {PROTO-ISAKMP} {ENCR:AES CBC} {KEY-LEN: 256} {DH:RFC5114 2048-256 bit MODP} {INTEG:unknown prf} {LIFE-TYPE:1} {LIFE-SECS:0} {AUTH-METH: Pre shared keys}
    Oct 29 12:50:19.805043 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] C:[P0] {PROTO-ISAKMP} {ENCR:AES CBC} {KEY-LEN: 128} {DH:2048 bit MODP} {INTEG:unknown prf} {LIFE-TYPE:1} {LIFE-SECS:1} {AUTH-METH: Pre shared keys}
    Oct 29 12:50:19.805079 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] select-ike-sa: failed for local-ip 14.14.14.14 remote-ip 24.24.24.24 vr-id 0
    Oct 29 12:50:19.805223 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] IKEv1 packet S(14.14.14.14:500 -> 24.24.24.24:500): len=   64, mID=bdbbedaa, HDR, N(NO_PROPOSAL_CHOSEN)
    Oct 29 12:50:19.805344 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa-done, sanity check failed status No proposal chosen vendor-ike-sa: 0x2a59c20
    Oct 29 12:50:19.805356 [DET] [TIME] [14.14.14.14 <-> 24.24.24.24] ike_timer_wheel_stop_timer, stopped timer 1246004 cb 0x68ac60 cbp 0x2d1a8d4, module 14,..
    Oct 29 12:50:19.805370 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-half-open-stop-timer: Timer stopped for ike-sa 0x2d1a8d4, index=623968
    Oct 29 12:50:19.805383 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-half-open-timer: Timer started for ike-sa 0x2d1a8d4, index=623968 lifetime 1 secs
    Oct 29 12:50:19.805390 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-natt, none of the devices are behind NATT at this stage of the negotiation
    Oct 29 12:50:19.805396 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-get-remote-auth-method for ed (0x4073028) auth method not found
    Oct 29 12:50:19.805442 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24]   IKEv1 Error : No proposal chosen
    Oct 29 12:50:19.805467 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_ike_exchange_data_free_cb: atec-exchange-data-free: called for ed=0x4073028 [ref-cnt=0]
    Oct 29 12:50:19.805483 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_ike_sa_free_ref_cb: ike-sa=0x2d1a8d4,vendor-ike-sa=0x2a59c20,waiting-for-delete=0,peer-ctx=0x35d38a0,ref-count=1,sa-deleted=0
    Oct 29 12:50:20.825465 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-half-open: lifetime timer expired for ike-sa 2d1a8d4
    Oct 29 12:50:20.825487 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-half-open: lifetime timer expired for ike-sa 2d1a8d4, index=623968
    Oct 29 12:50:20.825499 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa-delete initiated for ike-sa (0x2d1a8d4) delete-flags 1
    Oct 29 12:50:20.825507 [EXT] [PUBL] [14.14.14.14 <-> 24.24.24.24] ike_peer_unpublish_ike_sa() srg-id = 0
    Oct 29 12:50:20.825550 [EXT] [ DB ] [14.14.14.14 <-> 24.24.24.24] ike_db_blob_del: delete, but not exist in DB. [type=4, key=623968, 0x98560]
    Oct 29 12:50:20.825557 [EXT] [INTF] [14.14.14.14 <-> 24.24.24.24] Interface Ikesa_Win [kid=623968]: delete... ok, deleted from DB
    Oct 29 12:50:20.825571 [EXT] [ DB ] [14.14.14.14 <-> 24.24.24.24] ike_db_blob_del: delete, but not exist in DB. [type=1, key=623968, 0x98560]
    Oct 29 12:50:20.825577 [EXT] [INTF] [14.14.14.14 <-> 24.24.24.24] Interface DEL Ikesa [kid=623968]: ... ok, deleted from DB, del_reason=1
    Oct 29 12:50:20.825585 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-ipsec-sa-delete Delete all ipsec-sa from ike-sa [0x2d1a8d4, index=623968
    Oct 29 12:50:20.825593 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_list_remove() Remove ike-sa(0x2d1a8d4) with index(623968) from peer-sa-list(0x3579210) peer(0x408004c)
    Oct 29 12:50:20.825601 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_list_remove() Found ike-sa(0x2d1a8d4) in peer list
    Oct 29 12:50:20.825608 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_list_remove() Removed ike-sa(0x2d1a8d4) from peer-sa-list(0x3579210) peer(0x408004c)
    Oct 29 12:50:20.825616 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_list_remove() Remove ike-sa(0x2d1a8d4) with index(623968) from peer-sa-list(0x3579210) peer(0x408004c) complete, ikesa_count=0, rc=4097
    Oct 29 12:50:20.825623 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-async-context-for-event failed as ike-sa 0x2d1a8d4 isn't allocated with aync-handle
    Oct 29 12:50:20.825630 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_async_abort_ike_sa: no operations to abort for ike-sa 0x2d1a8d4
    Oct 29 12:50:20.825659 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-async-context-for-event failed as ike-sa 0x2d1a8d4 isn't allocated with aync-handle
    Oct 29 12:50:20.825665 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-async-handle-unregister failed for ike-sa 0x2d1a8d4
    Oct 29 12:50:20.825672 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa delete done called for ike-sa 0x2d1a8d4 status Error ok
    Oct 29 12:50:20.825679 [EXT] [MNHA] [14.14.14.14 <-> 24.24.24.24] ike_peer_purge_void_peer() active_ike_sa_count = 0
    Oct 29 12:50:20.825686 [EXT] [TUNL] [14.14.14.14 <-> 24.24.24.24] ike_tunnel_purge_void_tunnels() srg-id = 0
    Oct 29 12:50:20.825710 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] purge-void-peer: deleted peer 0x408004c from interim database
    Oct 29 12:50:20.825732 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] purge-void-peer: deleting peer 67633212 from database 0xaa82b8
    Oct 29 12:50:20.825738 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike_peer_purge_peer_services_for_ike_sa() srg-id = 0
    Oct 29 12:50:20.825752 [EXT] [ DB ] [14.14.14.14 <-> 24.24.24.24] ike_db_blob_del: delete, but not exist in DB. [type=0, key=-2058090496, 0x85540800]
    Oct 29 12:50:20.825759 [DET] [INTF] [14.14.14.14 <-> 24.24.24.24] Interface DEL Peer [pid=-2058090496]: ... ok, deleted from DB, del_reason=1
    Oct 29 12:50:20.825769 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] purge-void-peer: peer 0x408004c deleted for local-ip 14.14.14.14 remote-ip 24.24.24.24
    Oct 29 12:50:20.825852 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_ike_sa_delete_cb: ike-sa-delete for ike-sa 0x2d1a8d4 vendor-ike-sa 0x2a59c20 ref-count 1 ... start
    Oct 29 12:50:20.825860 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike-sa-delete for ike-sa 0x2d1a8d4 index=623968, vendor-ike-sa 0x2a59c20, ref-count 0
    Oct 29 12:50:20.825866 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_delete_ike_sa: ... start, ike_sa=0x2d1a8d4, vendor_ike_sa=0x2a59c20
    Oct 29 12:50:20.825873 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_uninitiatialize_ike_sa: atec unititialize ikesa ... start, ike_sa=0x2d1a8d4
    Oct 29 12:50:20.825879 [EXT] [ATEC] [14.14.14.14 <-> 24.24.24.24] atec-uninitialize-ike-sa 0x2d1a8d4 reference-count 0
    Oct 29 12:50:20.825890 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_uninitiatialize_ike_sa: atec unititialize ikesa ... completed, ike_sa=0x2d1a8d4
    Oct 29 12:50:20.825896 [EXT] [PEER] [14.14.14.14 <-> 24.24.24.24] ike_peer_ike_sa_delete_from_trees() ike_sa_index=623968, srg_id=0
    Oct 29 12:50:20.825904 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] vendor-ike-sa (0x2a59c20) freed
    Oct 29 12:50:20.825911 [DET] [PEER] [14.14.14.14 <-> 24.24.24.24] ike-sa-node-free: ike-sa-node(0x2d1a8b0) freed for ike-sa(0x2d1a8d4)
    Oct 29 12:50:20.825918 [EXT] [ADVN] [14.14.14.14 <-> 24.24.24.24] ike_advpn_suggest_free_by_ikesa: ikesa notify_list is null
    Oct 29 12:50:20.825925 [DET] [ATEC] [14.14.14.14 <-> 24.24.24.24] ike_atec_delete_ike_sa: ... completed, ike_sa=0x2d1a8d4, vendor_ike_sa=0x2a59c20
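
Added example (editor's addition, not the poster's tooling and not part of Junos): a small Python parser for the IKE trace format shown above. It pulls out, per failed negotiation, the gateway the responder bound the peer to (`IKE: Gateway N:... Failed Role:R Proposals`), the peer's proposal (`R:[P0] {...}`), the locally configured proposal (`C:[P0] {...}`) and the notify sent back, then diffs the two proposals attribute by attribute. Run over the lines from this post it isolates the two attributes that differ under the gateway the SRX selected (KEY-LEN 256 vs 128 and the DH group), which is the concrete thing to compare against the intended gateway's proposal. The regexes are written against the line layout visible in this thread only; the sample trace below is copied from the post and abridged.

```python
"""Extract IKEv1 proposal mismatches from Junos IKE trace lines.

Editor's example, not code from the original post. Assumes the trace
layout seen in the thread: a gateway line "IKE: Gateway N:<name>
C:<local> R:<remote> Failed Role:<role> Proposals", followed by
"R:[Pn] {ATTR:value} ..." (remote peer's proposal) and "C:[Pn] {...}"
(locally configured proposal), then an outbound packet line carrying
the notify, e.g. "N(NO_PROPOSAL_CHOSEN)".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input: lines copied from the thread's trace, abridged.
SAMPLE_TRACE = """\
Oct 29 12:50:19.804670 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] IKEv1 packet R(14.14.14.14:500 <- 24.24.24.24:500): len=  658, mID=00000000, HDR, SA, KE, Nonce, ID, Vid
Oct 29 12:50:19.805011 [TER] [PEER] [14.14.14.14 <-> 24.24.24.24] IKE: Gateway N:GW_CLIENT-REDUNDANT C:14.14.14.14:500 R:24.24.24.24:10738 Failed Role:R Proposals
Oct 29 12:50:19.805029 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] R:[P0] {PROTO-ISAKMP} {ENCR:AES CBC} {KEY-LEN: 256} {DH:RFC5114 2048-256 bit MODP} {INTEG:unknown prf} {LIFE-TYPE:1} {LIFE-SECS:0} {AUTH-METH: Pre shared keys}
Oct 29 12:50:19.805043 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] C:[P0] {PROTO-ISAKMP} {ENCR:AES CBC} {KEY-LEN: 128} {DH:2048 bit MODP} {INTEG:unknown prf} {LIFE-TYPE:1} {LIFE-SECS:1} {AUTH-METH: Pre shared keys}
Oct 29 12:50:19.805223 [TER] [ATEC] [14.14.14.14 <-> 24.24.24.24] IKEv1 packet S(14.14.14.14:500 -> 24.24.24.24:500): len=   64, mID=bdbbedaa, HDR, N(NO_PROPOSAL_CHOSEN)
"""

GATEWAY_RE = re.compile(
    r"IKE: Gateway N:(?P<name>\S+) C:(?P<local>\S+) R:(?P<remote>\S+) "
    r"Failed Role:(?P<role>\S+) Proposals"
)
# "R:[P0] {...} {...}" or "C:[P0] {...}"; side R = peer, C = configured.
PROPOSAL_RE = re.compile(r"\b(?P<side>[RC]):\[P(?P<idx>\d+)\] (?P<attrs>(?:\{[^}]*\}\s*)+)")
# One "{KEY: value}" or flag-style "{KEY}" element.
ATTR_RE = re.compile(r"\{([^:}]+)(?::\s*([^}]*))?\}")
NOTIFY_RE = re.compile(r"\bN\((?P<notify>[A-Z_]+)\)")


@dataclass
class Failure:
    gateway: str
    local: str
    remote: str
    role: str
    remote_proposals: dict[int, dict[str, str]] = field(default_factory=dict)
    local_proposals: dict[int, dict[str, str]] = field(default_factory=dict)
    notify: str | None = None


def parse_attrs(text: str) -> dict[str, str]:
    """Turn "{ENCR:AES CBC} {KEY-LEN: 256} {PROTO-ISAKMP}" into a dict."""
    return {key.strip(): (val or "").strip() for key, val in ATTR_RE.findall(text)}


def parse_trace(text: str) -> list[Failure]:
    """Collect one Failure per 'Failed Role ... Proposals' line, attaching the
    proposal lines and the outbound notify that follow it."""
    failures: list[Failure] = []
    current: Failure | None = None
    for line in text.splitlines():
        m = GATEWAY_RE.search(line)
        if m:
            current = Failure(m["name"], m["local"], m["remote"], m["role"])
            failures.append(current)
            continue
        if current is None:
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            bucket = current.remote_proposals if m["side"] == "R" else current.local_proposals
            bucket[int(m["idx"])] = parse_attrs(m["attrs"])
            continue
        m = NOTIFY_RE.search(line)
        if m and "packet S(" in line:  # notify the responder sent back
            current.notify = m["notify"]
    return failures


def diff_proposals(remote: dict[str, str], local: dict[str, str],
                   ignore: tuple[str, ...] = ("LIFE-TYPE", "LIFE-SECS")) -> dict[str, tuple[str | None, str | None]]:
    """Attributes whose value differs between a peer proposal and a configured one.
    Lifetime attributes are skipped by default: a responder can accept a
    different lifetime, but ENCR, KEY-LEN, DH, INTEG and AUTH-METH must match."""
    keys = sorted(set(remote) | set(local))
    return {k: (remote.get(k), local.get(k)) for k in keys
            if k not in ignore and remote.get(k) != local.get(k)}


def explain(failure: Failure) -> dict[tuple[int, int], dict[str, tuple[str | None, str | None]]]:
    """Diff every (peer proposal, configured proposal) pair of a failure."""
    return {(ri, ci): diff_proposals(r, c)
            for ri, r in failure.remote_proposals.items()
            for ci, c in failure.local_proposals.items()}


if __name__ == "__main__":
    for f in parse_trace(SAMPLE_TRACE):
        print(f"gateway={f.gateway} peer={f.remote} role={f.role} notify={f.notify}")
        for (ri, ci), diff in explain(f).items():
            for attr, (peer_val, cfg_val) in diff.items():
                print(f"  R:[P{ri}] vs C:[P{ci}] {attr}: peer={peer_val!r} configured={cfg_val!r}")
```

Feeding it the full trace (`python3 ike_diff.py < trace.log` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`) prints one line per failed negotiation with the gateway name the responder picked, so a dynamic peer landing on the wrong aggressive-mode gateway shows up as a gateway name that does not match the peer, followed by the proposal attributes that gateway cannot accept.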


  • 2.  RE: Aggressive VPN not working on SRX1600

    Posted 4 days ago

    Oh, I've seen this happen on an SRX1500 a couple of years ago. What a pain. Even though it shouldn't matter, changing the order of the gateway in the configuration seemed to help (I think I moved the failing "stuck" gateway further down in the configuration under security ike).

    Can you provide a few samples of your ike gateway configs? Are you using the KMD or IKED process (the optional://junos-ike.tgz package)?



    ------------------------------
    Nikolay Semov
    ------------------------------