Thanks for the extra guidance. It ended up the other carrier didn't have the policies built on the Juniper device. Once they did, everything ended up working correctly.
Original Message:
Sent: 11-09-2025 14:22
From: fb35523
Subject: IPSEC Tunnels up but no traffic is going to the tunnel interface
In general, an st0.x interface needs to be added to a security zone and have "family inet" configured on it (no IP address needed, but could be).
set security zones security-zone vpn interface st0.4
You don't need any "host-inbound traffic" for the st0.4 interface, but if you have an IP on it, you may want to enable ping for troubleshooting.
Next, you need to have a valid route towards the st0.4 interface for the traffic that is supposed to go there. If you use traffic selectors, those will generate routes automatically. If you use proxy IDs (or traffic selectors) on one end, you need to have a reciprocal match on the other end.
Check the st0.4 interface. You should see packets in and out increasing. Specifically, look at the "through traffic" counters.
show interfaces st0.4 extensive
... [skip to the lines below]
Transit statistics:
Input bytes : 697708706 0 bps
Output bytes : 60935968 0 bps
Input packets: 1307902 0 pps <- traffic from the other end
Output packets: 1321435 0 pps <- traffic from your side towards the other end
st0.x interfaces have counters resembling physical interfaces when it comes to the direction. "In" is from something connected to the box (the VPN peer) and out is whatever you send to the peer.
It would seem that the problem is your end not routing traffic to the IPsec tunnel as your flows see incoming packets but some don't see any outgoing. Only the BGP session (tcp/179) puts anything on the VPN. Do you propagate the BGP routes properly on your end? show route origin? Here is a good start:
show route advertising-protocol bgp 172.27.149.2
Have fun, you'll soon be as hooked on Junos as the rest of us are :)
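As an added example (not from the thread or either poster), a small Python parser for the "show security flow session" listing that flags the pattern described above: sessions whose st0 wing shows zero packets while the other wing carries traffic, i.e. flows the box never routed into the tunnel. The sample input is constructed from the thread's output with placeholder addresses; the st0 prefix and the BFD/self-traffic exclusion are assumptions.

```python
import re

# Constructed sample modelled on the thread's "show security flow session interface st0.4"
# output; the 10.x addresses stand in for the SIP endpoints and are not real hosts.
SAMPLE = """\
Session ID: 43021, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 172.27.149.2/49152 --> 172.27.149.1/3784;udp, If: .local..0, Pkts: 150653, Bytes: 7833956
Out: 172.27.149.1/3784 --> 172.27.149.2/49152;udp, If: st0.4, Pkts: 0, Bytes: 0
Session ID: 127961, Policy name: vpn-A-B/71, State: Active, Timeout: 32, Valid
In: 10.0.0.1/5060 --> 10.0.1.1/5060;udp, If: ae2.90, Pkts: 3963, Bytes: 1377012
Out: 10.0.1.1/5060 --> 10.0.0.1/5060;udp, If: st0.4, Pkts: 0, Bytes: 0
Session ID: 153891, Policy name: self-traffic-policy/1, State: Active, Timeout: 1794, Valid
In: 172.27.149.1/59464 --> 172.27.149.2/179;tcp, If: st0.4, Pkts: 320, Bytes: 26239
Out: 172.27.149.2/179 --> 172.27.149.1/59464;tcp, If: .local..0, Pkts: 319, Bytes: 26089
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Group each 'Session ID' header with its In and Out wings."""
    sessions = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2), "wings": {}})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1]["wings"][w.group(1)] = {
                "src": w.group(2), "dst": w.group(3), "proto": w.group(4),
                "iface": w.group(5), "pkts": int(w.group(6)), "bytes": int(w.group(7))}
    return sessions

def stalled_tunnel_sessions(text, tunnel_prefix="st0.", skip_self_traffic=True):
    """Return (id, policy) for sessions whose tunnel wing sent nothing while the other
    wing carried packets. BFD (udp/3784) shows up as two one-directional self-traffic
    sessions, so a zero reverse counter there is normal (the working st0.0 listing in
    the thread shows the same); those are skipped unless skip_self_traffic=False."""
    flagged = []
    for s in parse_sessions(text):
        if skip_self_traffic and s["policy"].startswith("self-traffic-policy"):
            continue
        tun = [w for w in s["wings"].values() if w["iface"].startswith(tunnel_prefix)]
        other = [w for w in s["wings"].values() if not w["iface"].startswith(tunnel_prefix)]
        if tun and other and tun[0]["pkts"] == 0 and other[0]["pkts"] > 0:
            flagged.append((s["id"], s["policy"]))
    return flagged
```

A flagged vpn-policy session points at routing or policy on your side, as in this thread; a tunnel whose ESP counters are also zero confirms nothing reached the st0 interface at all.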
Original Message:
Sent: 11-05-2025 14:27
From: CHARLES CAUDLE
Subject: IPSEC Tunnels up but no traffic is going to the tunnel interface
So I'm pretty green when it comes to the SRX and networking in general, but have been in training the better part of the year. Anyway, I'll be inheriting the SRX 550 from a colleague who will be retiring.
I am having an issue with IPSEC tunnel traffic for st0.4. It is built pretty close to st0.0, which is working. I have a Ribbon SBC doing SIP Options Ping.
{primary:node0}
admin@VOIP-SRX-1> show security flow session interface st0.4
node0:
--------------------------------------------------------------------------
Session ID: 43021, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 172.27.149.2/49152 --> 172.27.149.1/3784;udp, If: .local..0, Pkts: 150653, Bytes: 7833956
Out: 172.27.149.1/3784 --> 172.27.149.2/49152;udp, If: st0.4, Pkts: 0, Bytes: 0
Session ID: 127961, Policy name: vpn-COMXXXX-COLUXXXX/71, State: Active, Timeout: 32, Valid
In: a.b.c.d/5060 --> e.f.g.h/5060;udp, If: ae2.90, Pkts: 3963, Bytes: 1377012
Out: e.f.g.h/5060 --> a.b.c.d/5060;udp, If: st0.4, Pkts: 0, Bytes: 0
Session ID: 153891, Policy name: self-traffic-policy/1, State: Active, Timeout: 1794, Valid
In: 172.27.149.1/59464 --> 172.27.149.2/179;tcp, If: st0.4, Pkts: 320, Bytes: 26239
Out: 172.27.149.2/179 --> 172.27.149.1/59464;tcp, If: .local..0, Pkts: 319, Bytes: 26089
Session ID: 349562, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 172.27.149.1/49152 --> 172.27.149.2/3784;udp, If: st0.4, Pkts: 150221, Bytes: 7811492
Out: 172.27.149.2/3784 --> 172.27.149.1/49152;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 383081, Policy name: vpn-ComXXXX-RH/69, State: Active, Timeout: 42, Valid
In: a.b.c.d/5060 --> e.f.g.i/5060;udp, If: ae2.90, Pkts: 3964, Bytes: 1377453
Out: e.f.g.i/5060 --> a.b.c.d/5060;udp, If: st0.4, Pkts: 0, Bytes: 0
Total sessions: 5
admin@VOIP-SRX-1> show security flow session interface st0.0
node0:
--------------------------------------------------------------------------
Session ID: 56218, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 172.27.133.18/49152 --> 172.27.133.17/3784;udp, If: .local..0, Pkts: 35653, Bytes: 1853956
Out: 172.27.133.17/3784 --> 172.27.133.18/49152;udp, If: st0.0, Pkts: 0, Bytes: 0
Session ID: 233144, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
In: 172.27.133.17/49152 --> 172.27.133.18/3784;udp, If: st0.0, Pkts: 35653, Bytes: 1853956
Out: 172.27.133.18/3784 --> 172.27.133.17/49152;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 240033, Policy name: vpn-ComXXXX-return/66, State: Active, Timeout: 1788, Valid
In: w.x.y.z/56695 --> a.b.c.d/5060;tcp, If: st0.0, Pkts: 132350, Bytes: 28098483
Out: a.b.c.d/5060 --> w.x.y.z/56695;tcp, If: ae2.90, Pkts: 66272, Bytes: 39437397
Session ID: 313199, Policy name: self-traffic-policy/1, State: Active, Timeout: 1794, Valid
In: 172.27.133.17/51967 --> 172.27.133.18/179;tcp, If: st0.0, Pkts: 99, Bytes: 8190
Out: 172.27.133.18/179 --> 172.27.133.17/51967;tcp, If: .local..0, Pkts: 97, Bytes: 8015
Session ID: 381700, Policy name: vpn-ComXXX-RalXXX/64, State: Active, Timeout: 1796, Valid
In: a.b.c.d/37841 --> w.x.y.z/5060;tcp, If: ae2.90, Pkts: 132428, Bytes: 28054453
Out: w.x.y.z/5060 --> a.b.c.d/37841;tcp, If: st0.0, Pkts: 66211, Bytes: 39414650
Total sessions: 5
The show ipsec statistics shows no packets going into the tunnel.
admin@VOIP-SRX-1> show security ipsec statistics index 6963933
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
{primary:node0}
admin@VOIP-SRX-1> show security ipsec statistics index 6963932
node0:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
node1:
--------------------------------------------------------------------------
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 0
Encrypted packets: 0
Decrypted packets: 0
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
Is my next step to do a traceoptions log? Or any ideas? Thanks
------------------------------
CHARLES CAUDLE
------------------------------