Hi Vikas,
Thanks for your reply. Here are my configs and logs for your review:
SRX550 Chassis Cluster Config:
# SRX550 cluster side: route-based IPsec VPN (tunnel interface st0.0) towards the
# Azure hub vSRX, authenticated with an IKE pre-shared key.
# VPN object: binds the tunnel to st0.0 and brings it up without waiting for traffic.
set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
# IKE gateway: peer address, dead-peer detection (10 s interval, threshold 3) and the
# identities exchanged in phase 1.
set security ike gateway hub-west-eu-vm1 ike-policy hub-west-eu
set security ike gateway hub-west-eu-vm1 address <remote_pub_ip>
set security ike gateway hub-west-eu-vm1 dead-peer-detection interval 10
set security ike gateway hub-west-eu-vm1 dead-peer-detection threshold 3
# NOTE(review): both identities are pinned to public IPs, while the Azure-side
# interface in the vSRX listing carries a private 10.3.1.4/24 address, so there is
# presumably NAT in the path. Confirm that remote-identity matches the ID the peer
# actually sends and that NAT-T (UDP 4500) is permitted end to end.
set security ike gateway hub-west-eu-vm1 local-identity inet <local_pub_ip>
set security ike gateway hub-west-eu-vm1 remote-identity inet <remote_pub_ip>
# NOTE(review): reth0.0 is not listed as a member of VR-1 below, and its security
# zone is not shown. Confirm which routing instance and zone it sits in, and that
# host-inbound ike is allowed there; the ike service on st0.0 further down does not
# cover IKE packets arriving on reth0.0.
set security ike gateway hub-west-eu-vm1 external-interface reth0.0
# IKE phase 1: main mode, pre-shared key, one proposal.
set security ike policy hub-west-eu mode main
set security ike policy hub-west-eu proposals hub-west-eu
# <key> is a redaction placeholder; the real pre-shared key must match on both peers
# and should never be pasted into a public post.
set security ike policy hub-west-eu pre-shared-key ascii-text <key>
set security ike proposal hub-west-eu authentication-method pre-shared-keys
# NOTE(review): DH group 24 (2048-bit MODP with a 256-bit prime-order subgroup) is
# rated SHOULD NOT in RFC 8247. If both peers support it, group14 or an ECP group
# such as group19/group20 is the usual replacement; it has to change on both ends
# at the same time or phase 1 will stop matching.
set security ike proposal hub-west-eu dh-group group24
set security ike proposal hub-west-eu authentication-algorithm sha-256
set security ike proposal hub-west-eu encryption-algorithm aes-256-cbc
set security ike proposal hub-west-eu lifetime-seconds 86400
# IPsec phase 2: ESP with AES-256-CBC and HMAC-SHA-256-128, 1-hour lifetime, PFS on.
set security ipsec proposal hub-west-eu protocol esp
set security ipsec proposal hub-west-eu authentication-algorithm hmac-sha-256-128
set security ipsec proposal hub-west-eu encryption-algorithm aes-256-cbc
set security ipsec proposal hub-west-eu lifetime-seconds 3600
# Same group24 caveat as for the IKE proposal applies to the PFS group.
set security ipsec policy hub-west-eu perfect-forward-secrecy keys group24
set security ipsec policy hub-west-eu proposals hub-west-eu
# The next four lines repeat the vpn statements at the top of this listing; repeating
# a set command has no additional effect.
set security ipsec vpn azure-hub-west-eu-vm1-vpn bind-interface st0.0
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike gateway hub-west-eu-vm1
set security ipsec vpn azure-hub-west-eu-vm1-vpn ike ipsec-policy hub-west-eu
set security ipsec vpn azure-hub-west-eu-vm1-vpn establish-tunnels immediately
# Tunnel interface: unnumbered (family inet with no address).
set interfaces st0 unit 0 description Tunnel_Interface
set interfaces st0 unit 0 family inet
# Virtual router VR-1 holds reth7.546 and the tunnel; default route via
# 164.16.28.177, the 10.3.2.0/24 subnet via the tunnel.
set routing-instances VR-1 instance-type virtual-router
set routing-instances VR-1 interface reth7.546
set routing-instances VR-1 interface st0.0
set routing-instances VR-1 routing-options static route 0.0.0.0/0 next-hop 164.16.28.177
set routing-instances VR-1 routing-options static route 10.3.2.0/24 next-hop st0.0
# Traffic addressed to the firewall itself that is accepted on st0.0 in zone VZ-1.
# No security policies for VZ-1 appear in this listing.
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic system-services ike
set security zones security-zone VZ-1 interfaces st0.0 host-inbound-traffic protocols ospf
vSRX VM Azure Config:
# vSRX (Azure) side, IKE phase 1: tracing, two proposals, two policies and two
# gateways (srxcl1-shared and vsrx-hub-vm2) with identical parameters.
# NOTE(review): "flag all" is the most verbose trace level and the trace file records
# peer addresses and negotiation details. Treat ike-trace-log as sensitive, redact it
# before sharing, and remove the traceoptions once the tunnel is debugged.
set security ike traceoptions file ike-trace-log
set security ike traceoptions flag all
# NOTE(review): DH group 24 is rated SHOULD NOT in RFC 8247. Where both peers support
# it, group14 or an ECP group such as group19/group20 is the usual replacement; it
# has to change on both ends together.
set security ike proposal srxcl1-shared authentication-method pre-shared-keys
set security ike proposal srxcl1-shared dh-group group24
set security ike proposal srxcl1-shared authentication-algorithm sha-256
set security ike proposal srxcl1-shared encryption-algorithm aes-256-cbc
set security ike proposal srxcl1-shared lifetime-seconds 86400
set security ike proposal vsrx-hub-vm2 authentication-method pre-shared-keys
set security ike proposal vsrx-hub-vm2 dh-group group24
set security ike proposal vsrx-hub-vm2 authentication-algorithm sha-256
set security ike proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
set security ike proposal vsrx-hub-vm2 lifetime-seconds 86400
# Main-mode policies. <key> is a redaction placeholder; the listing does not show
# whether the two peers use distinct keys. A separate pre-shared key per peer limits
# the impact if one is disclosed.
set security ike policy srxcl1-shared mode main
set security ike policy srxcl1-shared proposals srxcl1-shared
set security ike policy srxcl1-shared pre-shared-key ascii-text <key>
set security ike policy vsrx-hub-vm2 mode main
set security ike policy vsrx-hub-vm2 proposals vsrx-hub-vm2
set security ike policy vsrx-hub-vm2 pre-shared-key ascii-text <key>
# Gateways: DPD every 10 s with threshold 3, both using ge-0/0/0.0 as the external
# interface.
# NOTE(review): ge-0/0/0.0 is configured with 10.3.1.4/24 in the interface section,
# so the public local-identity is not an address held by this device and is
# presumably translated by the platform. The trace below also shows the peer's
# source port changing between attempts (55518, 54649, 62940), which is consistent
# with NAT in the path. Confirm that the identities match what each peer sends and
# that UDP 500 and 4500 are allowed in both directions.
set security ike gateway srxcl1-shared ike-policy srxcl1-shared
set security ike gateway srxcl1-shared address <remote_pub_ip>
set security ike gateway srxcl1-shared dead-peer-detection interval 10
set security ike gateway srxcl1-shared dead-peer-detection threshold 3
set security ike gateway srxcl1-shared local-identity inet <local_pub_ip>
set security ike gateway srxcl1-shared remote-identity inet <remote_pub_ip>
set security ike gateway srxcl1-shared external-interface ge-0/0/0.0
set security ike gateway vsrx-hub-vm2 ike-policy vsrx-hub-vm2
set security ike gateway vsrx-hub-vm2 address <remote_pub_ip>
set security ike gateway vsrx-hub-vm2 dead-peer-detection interval 10
set security ike gateway vsrx-hub-vm2 dead-peer-detection threshold 3
set security ike gateway vsrx-hub-vm2 local-identity inet <local_pub_ip>
set security ike gateway vsrx-hub-vm2 remote-identity inet <remote_pub_ip>
set security ike gateway vsrx-hub-vm2 external-interface ge-0/0/0.0
# vSRX (Azure) side, IPsec phase 2: tracing, two proposals/policies and two VPNs.
# NOTE(review): verbose tracing is for troubleshooting only; remove it afterwards.
set security ipsec traceoptions flag all
# ESP with AES-256-CBC and HMAC-SHA-256-128, 1-hour lifetime.
set security ipsec proposal srxcl1-shared protocol esp
set security ipsec proposal srxcl1-shared authentication-algorithm hmac-sha-256-128
set security ipsec proposal srxcl1-shared encryption-algorithm aes-256-cbc
set security ipsec proposal srxcl1-shared lifetime-seconds 3600
set security ipsec proposal vsrx-hub-vm2 protocol esp
set security ipsec proposal vsrx-hub-vm2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal vsrx-hub-vm2 encryption-algorithm aes-256-cbc
set security ipsec proposal vsrx-hub-vm2 lifetime-seconds 3600
# PFS is enabled. NOTE(review): group24 is rated SHOULD NOT in RFC 8247; see the
# matching DH group in the IKE proposals, and change both peers together.
set security ipsec policy srxcl1-shared perfect-forward-secrecy keys group24
set security ipsec policy srxcl1-shared proposals srxcl1-shared
set security ipsec policy vsrx-hub-vm2 perfect-forward-secrecy keys group24
set security ipsec policy vsrx-hub-vm2 proposals vsrx-hub-vm2
# Both VPNs are bound to the same tunnel unit, st0.0, which is declared multipoint in
# the interface section.
# NOTE(review): with two tunnels on one multipoint unit, routing must map each
# next hop to the right VPN. No next-hop-tunnel entries and no routes via st0.0
# appear in this listing; confirm how that mapping is provided.
set security ipsec vpn srxcl1-shared-vpn bind-interface st0.0
set security ipsec vpn srxcl1-shared-vpn ike gateway srxcl1-shared
set security ipsec vpn srxcl1-shared-vpn ike ipsec-policy srxcl1-shared
set security ipsec vpn srxcl1-shared-vpn establish-tunnels immediately
set security ipsec vpn vsrx-hub-vm2-vpn bind-interface st0.0
set security ipsec vpn vsrx-hub-vm2-vpn ike gateway vsrx-hub-vm2
set security ipsec vpn vsrx-hub-vm2-vpn ike ipsec-policy vsrx-hub-vm2
set security ipsec vpn vsrx-hub-vm2-vpn establish-tunnels immediately
# Screen profile "untrust-screen": ping-of-death, IP source-route option, teardrop,
# SYN-flood thresholds and LAND attack checks. The zone section attaches it to the
# untrust zone only; the vpn and trust zones have no screen in this listing.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
# SYN-flood protection thresholds, queue size and timeout.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# Security policies: every zone pair listed here permits any source, any destination
# and any application.
# NOTE(review): any/any/any is reasonable while bringing the tunnel up, but the
# vpn -> trust policy in particular exposes the whole trust zone to everything
# reachable over the tunnel. Once the VPN works, narrow these to the required
# prefixes and applications, and add session logging; none is configured here.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
# Tunnel-facing policies in both directions.
set security policies from-zone trust to-zone vpn policy default-permit match source-address any
set security policies from-zone trust to-zone vpn policy default-permit match destination-address any
set security policies from-zone trust to-zone vpn policy default-permit match application any
set security policies from-zone trust to-zone vpn policy default-permit then permit
set security policies from-zone vpn to-zone trust policy default-permit match source-address any
set security policies from-zone vpn to-zone trust policy default-permit match destination-address any
set security policies from-zone vpn to-zone trust policy default-permit match application any
set security policies from-zone vpn to-zone trust policy default-permit then permit
# Zones and the traffic each one accepts when it is addressed to the vSRX itself.
# trust (ge-0/0/1.0): ping plus SSH and HTTPS management.
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0
# untrust (ge-0/0/0.0): screen profile applied; only IKE and ping are accepted, which
# is what the IKE external interface needs.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
# vpn (st0.0): ping and OSPF over the tunnel.
# NOTE(review): no "protocols ospf" configuration appears in this listing; confirm
# OSPF is actually intended before leaving it open on the tunnel.
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.0
# Interfaces: ge-0/0/0 (untrust, IKE external interface) and ge-0/0/1 (trust) both
# carry private addresses; st0.0 is an unnumbered multipoint tunnel unit.
set interfaces ge-0/0/0 unit 0 family inet address 10.3.1.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.3.2.4/24
set interfaces fxp0 unit 0
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet
# Virtual router VR-1 contains the external, internal and tunnel interfaces.
# NOTE(review): no routing-options are listed under VR-1 in this excerpt. The IKE
# trace shows replies sent from routing table id 5 to the peer's public address and
# then retransmitted until timeout, so confirm VR-1 has a route back to the peer (a
# default route or a specific one) and routes for the remote subnets via st0.0.
set routing-instances VR-1 instance-type virtual-router
set routing-instances VR-1 interface ge-0/0/0.0
set routing-instances VR-1 interface ge-0/0/1.0
set routing-instances VR-1 interface st0.0
IKE Logs as seen from VSRX VM on Azure
[Apr 19 23:16:30]ike_send_packet: Start, retransmit previous packet SA = { 1aa9a650 57558549 - 530ebb04 ff2c9fc3}, nego = -1, dst = <remote_pub_ip>:55518 routing table id = 5
[Apr 19 23:16:30]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:55518): mID=00000000 (retransmit count=2)
[Apr 19 23:16:40]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:55518 { 1aa9a650 57558549 - 530ebb04 ff2c9fc3 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 19 23:16:40]IKE SA delete called for p1 sa 3032206 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
[Apr 19 23:17:05]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:05]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:05]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:54649, initiator = 0
[Apr 19 23:17:05]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:17:05]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:17:05]ike_send_packet: Start, send SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649
[Apr 19 23:17:14]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:14]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:15]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
[Apr 19 23:17:15]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=1)
[Apr 19 23:17:24]---------> Received from <remote_pub_ip>:54649 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:17:24]ike_get_sa: Start, SA = { 54e5ac7f a4ee5357 - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:54649
[Apr 19 23:17:25]ike_send_packet: Start, retransmit previous packet SA = { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0}, nego = -1, dst = <remote_pub_ip>:54649 routing table id = 5
[Apr 19 23:17:25]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:54649): mID=00000000 (retransmit count=2)
[Apr 19 23:17:35]10.3.1.4:500 (Responder) <-> <remote_pub_ip>:54649 { 54e5ac7f a4ee5357 - 00ca8ee2 f3047fb0 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[Apr 19 23:17:35]IKE SA delete called for p1 sa 3032209 (ref cnt 2) local:10.3.1.4, remote:<remote_pub_ip>, IKEv1
[Apr 19 23:18:00]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:00]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:00]ike_init_isakmp_sa: Start, remote = <remote_pub_ip>:62940, initiator = 0
[Apr 19 23:18:00]IKEv1 packet R(<none>:500 <- <remote_pub_ip>:500): len= 288, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:18:00]IKEv1 packet S(<none>:500 -> <remote_pub_ip>:500): len= 196, mID=00000000, HDR, SA, Vid, Vid, Vid, Vid, Vid
[Apr 19 23:18:00]ike_send_packet: Start, send SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940
[Apr 19 23:18:09]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:09]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:10]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
[Apr 19 23:18:10]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=1)
[Apr 19 23:18:18]---------> Received from <remote_pub_ip>:62940 to 10.3.1.4:0, VR 5, length 288 on IF
[Apr 19 23:18:18]ike_get_sa: Start, SA = { a15cc298 4ea3495f - 00000000 00000000 } / 00000000, remote = <remote_pub_ip>:62940
[Apr 19 23:18:20]ike_send_packet: Start, retransmit previous packet SA = { a15cc298 4ea3495f - 34dd4a0b b6d15386}, nego = -1, dst = <remote_pub_ip>:62940 routing table id = 5
[Apr 19 23:18:20]IKEv1 packet S(10.3.1.4:500 -> <remote_pub_ip>:62940): mID=00000000 (retransmit count=2)
[edit]