Screen OS

  • 1.  How to ensure 100% that traffic is passing through a VPN tunnel - SSG20 VPN based routes

    Posted 07-20-2011 12:41

    Hi, I'm trying to establish a VPN connection to a third party, but I cannot generate traffic, and that is why the recipient end of the VPN does not work. His only answer is that we do not generate traffic through the tunnel, so the connection is not completed.


    My SA indicates ACTIVE with state down, and my tunnel interface appears READY.

    I have configured the connection several times with no success. I checked all the points and seemingly everything is correct; in the policy that I have configured from TRUST to UNTRUST, traffic does appear as sent (bytes sent) but ZERO bytes received.

    My question is: how can I ensure that traffic is being sent through the tunnel? All I can see are the statistics of the physical interface, but not of the tunnel interface. I need to know how I can find this data to assure the third party that traffic is being sent through the tunnel, because I think it is at the other end where they have mistakenly configured some ACL mask wrong (it is a CISCO router), but I cannot access their configuration or see their debugs.

    Using debug flow basic with dst-ip, all I can see is the following, but I do not know whether it is sufficient to ensure that traffic is being sent through the tunnel interface:

        - My LAN trust is in ethernet0/4.4 and the client is
        - My interface tunnel.1 (untrust) is numbered with DIP because the third party needs me to do NAT with this LAN.
        - Destination:, configured the route to go by interface tunnel.1 ( -> ethernet0/2).

        The VPN is configured for outgoing on ethernet0/2 (untrust), bound to tunnel.1; the ping is from the client on ethernet0/4.4 (trust) (the SA is ACTIVE and my tunnel interface is READY with phase 2 completed) to that accepts ICMP traffic.

    Attached is a file with the debug flow basic output for dst-ip, in case it is sufficient to show that the traffic is being sent through the tunnel. I have never seen any error, packet drop, etc.


    Any ideas? Greetings



  • 2.  RE: How to ensure 100% that traffic is passing through a VPN tunnel - SSG20 VPN based routes
    Best Answer

    Posted 07-21-2011 00:55



    In most cases it is sufficient to enable logging on the policy, both for the session begin and for the session end. You can use "ping from eth0/4.4" to generate traffic if you have no access to the client. A policy should exist that allows this and performs the src-NAT to the DIP. If the session start is logged and its end is logged with the message "Aged out", the problem is on the remote site or ping is blocked, also on the remote GW. The packet has been correctly sent but no response has been received. Sure, you should check that the route to the tunnel interface is up (marked with *) before starting the test. I also recommend configuring a second route for this destination with a higher metric and the null interface as its route interface. This will drop the packets if the VPN failed, without sending them along the default route.

    If the target host is pingable you can activate VPN Monitor with the option "Rekey". Select eth0/4.4 as source interface and the target IP as destination. A policy should be configured that NATs the to the DIP, because is used in the ACL on Cisco and in the Proxy ID on Juniper. VPN Monitor gives you a guarantee that the packets are permanently sent into the tunnel and also keeps the VPN alive. Further, VPN Monitor detects a VPN failure very fast and deactivates the tunnel route.

    Your debugging output confirms that the packets are encrypted. But it is cut at the most interesting place. The next packet should be one containing the gateway IPs as its source and destination IPs.

    Generally an additional DIP is not required for this configuration. You might have configured the src-NAT to the egress interface. This is the tun.1 IP for the VPN traffic.
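The reading of the policy log described in this answer (session start logged, close logged as "Aged out" with bytes sent but none received means the packet left through the tunnel and nobody answered) can be applied mechanically. The following Python is an added example, not from this thread or from ScreenOS; the log field layout and the sample lines are constructed and assumed, so adapt the regexes to your own syslog export.

```python
import re

# Constructed ScreenOS-style policy traffic log lines (assumed field layout, not a real capture).
# Session 1001 is the symptom in the thread: bytes sent, zero received, closed by "AGE OUT".
SAMPLE_LOG = """\
system-notification-00257(traffic): start_time="2011-07-21 00:55:10" duration=0 policy_id=5 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Permit sent=84 rcvd=0 src=10.1.1.20 dst=192.168.100.10 session_id=1001 reason=Creation
system-notification-00257(traffic): start_time="2011-07-21 00:55:10" duration=60 policy_id=5 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Permit sent=84 rcvd=0 src=10.1.1.20 dst=192.168.100.10 session_id=1001 reason=Close - AGE OUT
system-notification-00257(traffic): start_time="2011-07-21 00:57:30" duration=2 policy_id=5 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Permit sent=84 rcvd=84 src=10.1.1.20 dst=192.168.100.10 session_id=1002 reason=Close - RESP
system-notification-00257(traffic): start_time="2011-07-21 00:58:00" duration=0 policy_id=9 service=icmp proto=1 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=10.1.1.21 dst=192.168.100.10 session_id=1003 reason=Traffic Denied
"""

# Only the fields a verdict needs; "\bsrc=" deliberately does not match "src zone=".
KV_RE = re.compile(r"\b(action|sent|rcvd|src|dst|session_id)=(\S+)")
REASON_RE = re.compile(r"reason=(.*)$")  # reason text contains spaces, so it is taken to end of line

def parse_line(line):
    """Return the fields of one traffic record as a dict, or None for any other line."""
    if "(traffic)" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    m = REASON_RE.search(line)
    rec["reason"] = m.group(1).strip() if m else ""
    rec["sent"] = int(rec.get("sent", 0))
    rec["rcvd"] = int(rec.get("rcvd", 0))
    return rec

def verdict(rec):
    """Classify one close record the way the answer above reads the log."""
    if rec.get("action") != "Permit":
        return "denied by local policy: nothing entered the tunnel"
    if rec["sent"] == 0:
        return "permitted but nothing sent: check the route to tunnel.1 and the SA"
    if rec["rcvd"] == 0 and "AGE OUT" in rec["reason"].upper():
        return "sent into the tunnel, no reply: look at the remote side or a filter there"
    if rec["rcvd"] > 0:
        return "two-way traffic: tunnel works end to end"
    return "sent, no reply, closed for another reason: " + rec["reason"]

def diagnose(log_text):
    """Map session_id -> (src, dst, verdict), using each session's close record."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["reason"] == "Creation":
            continue  # the creation record carries no final byte counters
        results[rec["session_id"]] = (rec["src"], rec["dst"], verdict(rec))
    return results

if __name__ == "__main__":
    for sid, (src, dst, v) in diagnose(SAMPLE_LOG).items():
        print(f"session {sid} {src} -> {dst}: {v}")
```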

  • 3.  RE: How to ensure 100% that traffic is passing through a VPN tunnel - SSG20 VPN based routes

    Posted 07-21-2011 03:46

    Hello, actually the reason for closing is CLOSE - AGE OUT, the policy exists, and the route for the network is in the routing table pointing to the tunnel.1 interface, with another one with a higher metric to the null interface. When I try to ping from a client or directly from the console with PING FROM ETHERNET0/4.4, the result is the same: I see it in the traffic log, but it does not go anywhere.

    By checking the VPN MONITOR, the tunnel interface goes to state UP, and the SA is ACTIVE and UP, but after a few minutes it closes the connection and tries again. In the detailed ike debug log, when I enable this option, it does not show any errors or dropped packets, etc., or anything that indicates an anomaly.

    If that test confirms that I am actually sending traffic through the tunnel, that would be enough for me. Then, indeed, I do not know why the following lines are missing, where my public gateway and the public gateway are; I will generate another log to confirm.

    Is there any way to somehow get the bytes sent over the tunnel interface (the flow counters are only for physical interfaces)? Could there be some reason why my firewall cannot create VPN connections?

    Thank you very much

  • 4.  RE: How to ensure 100% that traffic is passing through a VPN tunnel - SSG20 VPN based routes

    Posted 07-21-2011 13:24

    It's solved: the third party erased the configuration and reconfigured the VPN connection again, and it works. I am convinced that some of his CISCO ACLs were denying my traffic.

    Thanks for the clarification and for making sure that traffic was being sent through the tunnel interface, as I thought.

    A greeting,