SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Firewall VPN issue

    Posted 01-17-2023 13:34
    Hi All,
    We are having an issue, and below are the logs:

    Jan 17 01:00:13 MXHJUNFW1 kmd[11563]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: REDKNEE Gateway: REDKNEE-GW, Local: 201.x.x.x/500, Remote: 72.y.y.y/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-Cierto_GDL, Peer Proposed traffic-selector local-ip: ipv4(201.y.y.y), Peer Proposed traffic-selector remote-ip: ipv4(20.1.0.0-20.x.255.255)
    Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-Cierto_GDL, Peer Proposed traffic-selector local-ip: ipv4(201.157.127.171), Peer Proposed traffic-selector remote-ip: ipv4(13.84.55.137)
    Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: ipsec-vpn-Cierto_GDL Gateway: ike-gate-Cierto_GDL, Local: 201.a.a.a/500, Remote: 189.b.b.b/500, Local IKE-ID: 201.a.a.a, Remote IKE-ID: 189.b.b.b, VR-ID: 0
    Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 1, VPN: ipsec-vpn-Cierto_GDL Gateway: ike-gate-Cierto_GDL, Local: 201.a.a.a/500, Remote: 189.b.b.b/500, Local IKE-ID: 201.a.a.a, Remote IKE-ID: 189.b.b.b, VR-ID: 0
    Jan 17 01:00:25 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: ipsec-vpn-Cierto_GDL, Peer Proposed traffic-selector local-ip: ipv4(201.a.a.a), Peer Proposed traffic-selector remote-ip: ipv4(13.z.z.z)

    Could you please tell me what the issue is, how to solve it, and how to approach it?

    Thanks
    Rakesh

    ------------------------------
    Rakesh A
    ------------------------------


  • 2.  RE: SRX Firewall VPN issue

    Posted 01-17-2023 22:49
    Hey Rakesh,

    For VPN "REDKNEE" I can see that the error is a timeout, and as it is for phase 1, please check the connectivity between the devices and also the configs.

    For vpn name: ipsec-vpn-Cierto_GDL, the traffic selector does not seem to match. Please check the phase 2 config and make sure the traffic selectors match on both sides.
    The peer is proposing 201.157.127.171 and 13.84.55.137, and also 201.a.a.a and 189.b.b.b.

    Can you let me know what the peer device is? Also, make sure the TS matches in the config.

    Regards,

    ------------------------------
    Brijil R
    ------------------------------
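
The traffic-selector check described in the reply above, worked through as an added example (this is not code from either poster or from Juniper): it parses kmd KMD_VPN_TS_MISMATCH lines, compares each peer-proposed local/remote selector against the traffic selectors you intend to have configured for that VPN, and, for any proposal that is outside them, prints the exact prefixes you would have to configure (or ask the peer to narrow to) for the proposal to fit. The sample log lines are constructed to mirror the thread's format using RFC 5737 documentation addresses, and `CONFIGURED_TS` is a hypothetical stand-in for the `security ipsec vpn <name> traffic-selector` entries on the SRX.

```python
"""Audit Junos kmd traffic-selector mismatch logs against intended IPsec traffic selectors."""
import ipaddress
import re

# Constructed sample kmd log lines modelled on the thread; addresses are RFC 5737
# documentation ranges, not the poster's real peers. The first line is an IKE phase 1
# timeout and must be skipped by the parser.
SAMPLE_LOGS = [
    "Jan 17 01:00:13 MXHJUNFW1 kmd[11563]: IKE negotiation failed with error: Timed out. "
    "IKE Version: 1, VPN: REDKNEE Gateway: REDKNEE-GW, Local: 203.0.113.1/500, "
    "Remote: 198.51.100.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, "
    "VR-ID: 0: Role: Initiator",
    "Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, "
    "vpn name: ipsec-vpn-Cierto_GDL, Peer Proposed traffic-selector local-ip: "
    "ipv4(203.0.113.171), Peer Proposed traffic-selector remote-ip: ipv4(192.0.2.0-192.0.2.255)",
    "Jan 17 01:00:21 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, "
    "vpn name: ipsec-vpn-Cierto_GDL, Peer Proposed traffic-selector local-ip: "
    "ipv4(203.0.113.171), Peer Proposed traffic-selector remote-ip: ipv4(198.51.100.137)",
    "Jan 17 01:00:25 MXHJUNFW1 kmd[11563]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, "
    "vpn name: ipsec-vpn-Other, Peer Proposed traffic-selector local-ip: "
    "ipv4(203.0.113.171), Peer Proposed traffic-selector remote-ip: ipv4(198.51.100.137)",
]

# Hypothetical intended configuration: (local-ip, remote-ip) traffic selectors per VPN name.
CONFIGURED_TS = {
    "ipsec-vpn-Cierto_GDL": [("203.0.113.171/32", "198.51.100.0/24")],
}

TS_RE = re.compile(
    r"KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: (?P<vpn>[^,]+), "
    r"Peer Proposed traffic-selector local-ip: ipv4\((?P<local>[^)]*)\), "
    r"Peer Proposed traffic-selector remote-ip: ipv4\((?P<remote>[^)]*)\)"
)


def parse_selector(text):
    """Turn 'a.b.c.d' or 'a.b.c.d-w.x.y.z' (as kmd prints it) into a (first, last) address pair."""
    parts = [p.strip() for p in text.strip().split("-", 1)]
    first = ipaddress.ip_address(parts[0])
    last = ipaddress.ip_address(parts[-1])  # single address: first == last
    if last < first:
        raise ValueError(f"inverted selector range: {text}")
    return first, last


def covering_prefixes(selector):
    """Smallest set of CIDR prefixes that exactly covers a (first, last) range."""
    first, last = selector
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def parse_ts_mismatch(line):
    """Return {'vpn', 'local', 'remote'} for a TS-mismatch line, or None for any other message."""
    m = TS_RE.search(line)
    if not m:
        return None
    return {"vpn": m["vpn"], "local": parse_selector(m["local"]), "remote": parse_selector(m["remote"])}


def within(selector, cidr):
    """True if both ends of the proposed range fall inside one configured prefix."""
    first, last = selector
    net = ipaddress.ip_network(cidr, strict=False)
    return first in net and last in net


def check_proposal(vpn, local, remote, configured):
    """Return (ok, reason): does the peer's proposal fit any configured local/remote pair?"""
    entries = configured.get(vpn, [])
    if not entries:
        return False, f"no traffic selector configured for {vpn}"
    for local_cidr, remote_cidr in entries:
        if within(local, local_cidr) and within(remote, remote_cidr):
            return True, f"covered by {local_cidr} <-> {remote_cidr}"
    return False, "outside every configured local/remote pair"


def audit(lines, configured=CONFIGURED_TS):
    """Evaluate every TS-mismatch line; other kmd messages (e.g. IKE timeouts) are ignored."""
    results = []
    for line in lines:
        p = parse_ts_mismatch(line)
        if p is None:
            continue
        ok, reason = check_proposal(p["vpn"], p["local"], p["remote"], configured)
        results.append({
            "vpn": p["vpn"], "ok": ok, "reason": reason,
            "needed_local": covering_prefixes(p["local"]),
            "needed_remote": covering_prefixes(p["remote"]),
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_LOGS):
        status = "OK " if r["ok"] else "BAD"
        print(f"{status} {r['vpn']}: {r['reason']}; proposal needs local {r['needed_local']} "
              f"remote {r['needed_remote']}")
```

A proposal flagged BAD with a clear covering prefix (here 192.0.2.0/24) tells you exactly what one side has to change: either add that prefix to the SRX traffic selector or have the peer narrow its proxy-ID. A proposal that comes back OK even though the SRX logged a mismatch means the running configuration differs from what you believe is configured, so the next step is to compare the intended entries with the actual `traffic-selector` (or proxy-identity) stanza on the firewall rather than with the peer.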