SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 Configuration issue at site with single static ip

    Posted 01-15-2019 18:43

    All, I have a couple of different issues going on which I believe are all related to a basic config setting; however, I just can't find my error. I've chosen my incoming internet on ge-0/0/0.0; my ISP static is xx.xxx.xx.254 with a gateway address ending in .253; the subnet is 255.255.255.252....

     

    I have the same unit with the same basic config at another site with 5 static IPs, which works as expected (except for the tunnel).

     

    So what is working: I'm passing traffic to the internet and can browse the internet.

     

    What is not working: remote management via any means, and a site-to-site tunnel (no traffic is received and it times out).

     

    I believe once I get remote management working everything else will fall into place

     

    In the config below I've attempted to trim out users, logging info, extra interfaces not in use, etc., so this may not be a "working code segment".

     

    Ideas? I believe I had a similar issue at this site with an SSG5 (ScreenOS), where, if my memory is correct, I had to add a gateway address to the internet-facing interface. The SSG5 device is currently in use; I swap it out in the overnight hours until I can get this working.


    ## Last changed: 2019-01-15 07:23:12 GMT-6
    version 15.1X49-D70.3;
    ## Junos 15.1X49-D70.3 on an SRX300, as posted. The author trimmed users,
    ## logging and unused interfaces by hand, so the listing is not guaranteed
    ## to load as-is (see the unbalanced braces after ge-0/0/3 below).
    system {
    host-name xyz;
    time-zone GMT-6;
    root-authentication {
    encrypted-password "xxx";
    }
    name-server {
    8.8.8.8;
    8.8.4.4;
    }
    name-resolution {
    no-resolve-on-input;
    }

    ## Management services. telnet and xnm-clear-text carry credentials in
    ## cleartext; neither is in the Internet zone's host-inbound lists below,
    ## so they are only reachable from the Internal zone (which accepts all
    ## system-services). ssh, http and https ARE accepted on ge-0/0/0.0.
    services {
    ssh;
    telnet;
    xnm-clear-text;
    dhcp-local-server {
    group jweb-default-group {
    interface irb.0;
    }
    }
    web-management {
    ## Plain-http J-Web is enabled next to https, and http is also accepted
    ## inbound on the external interface (ge-0/0/0.0 stanza under zones).
    http;
    https {
    system-generated-certificate;
    }
    session {
    idle-timeout 60;
    }
    }
    }

    }

    }
    security {
    log {
    mode event;
    }
    ike {
    policy ike_pol_vpn_to_headquarters {
    ## IKEv1 aggressive mode with a pre-shared key sends the peer identities
    ## and the PSK-derived authentication hash before the exchange is
    ## encrypted. Both peers here have static addresses (gateway address
    ## below), so main mode would normally be the choice.
    mode aggressive;
    ## 'basic' is a predefined legacy proposal set (DES / DH group 1 with
    ## MD5 or SHA-1 per the Junos docs -- confirm for 15.1X49). An explicit
    ## proposal avoids depending on those defaults.
    proposal-set basic;
    pre-shared-key ascii-text "xyz";
    }
    gateway gw_vpn_to_headquarters {
    ike-policy ike_pol_vpn_to_headquarters;
    ## Static peer. IKE is sent and answered on ge-0/0/0.0, which therefore
    ## needs 'ike' in its effective host-inbound list (see zones below).
    address xx.xxx.xx.107;
    dead-peer-detection;
    external-interface ge-0/0/0.0;
    }
    }
    ipsec {
    policy ipsec_pol_vpn_to_headquarters {
    perfect-forward-secrecy {
    keys group5;
    }
    ## Same predefined legacy proposal set as on the IKE side.
    proposal-set basic;
    }
    vpn vpn_to_headquarters {
    ## Route-based VPN: 192.168.3.0/24 is steered into st0.0 by the static
    ## route under routing-options.
    bind-interface st0.0;
    vpn-monitor;
    ike {
    gateway gw_vpn_to_headquarters;
    ipsec-policy ipsec_pol_vpn_to_headquarters;
    }
    establish-tunnels immediately;
    }
    }

    ## Interface source NAT for all Internal -> Internet traffic; the single
    ## static /30 address on ge-0/0/0.0 is the only public address in use.
    nat {
    source {
    rule-set nsw_srcnat {
    from zone Internal;
    to zone Internet;
    rule nsw-src-interface {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone Internal to-zone Internet {
    policy All_Internal_Internet {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    ## Never reached for the VPN subnet pair: All_Internal_Internet above
    ## already matches any/any/any and policies are evaluated in order.
    policy policy_out_vpn_to_headquarters {
    match {
    source-address addr_192_168_0_0_24;
    destination-address addr_192_168_3_0_24;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone Internal to-zone Internal {
    policy All_Internal_Internal {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone Internet to-zone Internal {
    ## The only explicit Internet -> Internal policy is the VPN subnet pair;
    ## anything else in this direction falls through to default-policy.
    policy policy_in_vpn_to_headquarters {
    match {
    source-address addr_192_168_3_0_24;
    destination-address addr_192_168_0_0_24;
    application any;
    }
    then {
    permit;
    }
    }
    }
    ## permit-all: traffic not matched by the explicit policies above is
    ## allowed, including Internet -> Internal flows outside the VPN subnets
    ## and anything arriving over st0.0 (which sits in the Internet zone).
    ## deny-all is the usual default so only the listed policies pass traffic.
    default-policy {
    permit-all;
    }
    }
    zones {
    security-zone Internal {
    address-book {
    address addr_192_168_0_0_24 192.168.0.0/24;
    }
    ## LAN side: every system-service and protocol is accepted on irb.0,
    ## including the cleartext telnet / xnm-clear-text / http enabled above.
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    }
    }
    security-zone Internet {
    address-book {
    address addr_192_168_3_0_24 192.168.3.0/24;
    }
    ## Zone-level host-inbound list; this is the only place 'ike' appears.
    host-inbound-traffic {
    system-services {
    ike;
    ssh;
    https;
    http;
    traceroute;
    }
    }
    interfaces {
    ## An interface-level host-inbound-traffic list takes precedence over
    ## the zone-level list for that interface (reply 7 in this thread;
    ## confirm against the Junos docs). The effective list on ge-0/0/0.0 is
    ## therefore tftp/dhcp/http/https/ssh: 'ike' is NOT in it, and tftp, dhcp,
    ## http and ssh are accepted on the ISP-facing address.
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    tftp;
    dhcp;
    http;
    https;
    ssh;
    }
    }
    }
    ## ge-0/0/7 has no configuration under 'interfaces' in this listing.
    ge-0/0/7.0 {
    host-inbound-traffic {
    system-services {
    tftp;
    dhcp;
    }
    }
    }
    ## Tunnel interface placed in the Internet zone: decrypted traffic is
    ## evaluated by the Internet -> Internal policies and permit-all default.
    st0.0;
    }
    }
    }
    }
    interfaces {
    ## Single static public address on a /30; the ISP gateway is .253 (see the
    ## default route under routing-options).
    ge-0/0/0 {
    unit 0 {
    family inet {
    address xx.xxx.xx.254/30;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan0;
    }
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members vlan0;
    }
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching {
    interface-mode access;
    vlan {
    members vlan0;
    }
    }
    }
    }


    ## NOTE: the three closing braces below match no open stanza -- left over
    ## from the interfaces the author trimmed out. Loading this listing as-is
    ## would most likely fail here; the running config presumably balances.
    }
    }
    }

    irb {
    unit 0 {
    family inet {
    address 192.168.0.1/24;
    }
    }
    }
    st0 {
    unit 0 {
    family inet;
    }
    }
    }
    routing-options {
    static {
    ## Remote LAN goes into the tunnel; everything else to the ISP gateway.
    route 192.168.3.0/24 next-hop st0.0;
    route 0.0.0.0/0 next-hop xx.xx.xx.253; ##isp gateway address##
    }
    }
    protocols {
    l2-learning {
    global-mode switching;
    }
    rstp {
    interface all;
    }
    }
    ## LAN DHCP pool served on irb.0 (dhcp-local-server above): hands out the
    ## public 8.8.8.8 resolver and 192.168.0.1 as the default router.
    access {
    address-assignment {
    pool jweb-default-pool {
    family inet {
    network 192.168.0.0/24;
    range jweb-default-range {
    low 192.168.0.2;
    high 192.168.0.254;
    }
    dhcp-attributes {
    name-server {
    8.8.8.8;
    }
    router {
    192.168.0.1;
    }
    }
    }
    }
    }
    }
    vlans {
    vlan0 {
    vlan-id 2;
    l3-interface irb.0;
    }
    }

     

     

    Attachment(s)

    txt
    singlestatic.txt   7 KB 1 version


  • 2.  RE: SRX300 Configuration issue at site with single static ip

    Posted 01-16-2019 21:33

    Hi, Jason

     

    Is the VPN in question up? If so, please share a "show security ipsec security-associations detail".

     

    Assuming that you are trying to ssh/telnet/J-Web to interface ge-0/0/0 (xx.xxx.xx.254) from external addresses, have you checked whether the sessions are created at all?

     

          show security flow session destination-prefix [xx.xxx.xx.254] destination-port [22|23|443|80]

     

    You could also confirm with a counter whether those packets are reaching the SRX:

     

       https://kb.juniper.net/InfoCenter/index?page=content&id=KB21872

     

    Please let us know.

     

     



  • 3.  RE: SRX300 Configuration issue at site with single static ip

    Posted 01-18-2019 18:47
    So magically I can now remotely access the device; I did reboot everything.
    The tunnel is not up. When utilizing logging of the KMD I see the device appears to be sending but never receiving a response, and it times out.
    Jan 19 08:37:13  Station2 kmd[1823]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: vpn_to_headquarters Gateway: gw_vpn_to_headquarters, Local: xx.xxx.xx.254/500, Remote: xx.xxx.xx.107/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator


    Flipping to the other side (.107): Jan 18 21:38:49  Headquarters kmd[1874]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: vpn_to_sta2 Gateway: gw_vpn_to_sta2, Local: xx.xxx.xx.107/500, Remote: xx.xxx.xx.254/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder


  • 4.  RE: SRX300 Configuration issue at site with single static ip

    Posted 01-18-2019 23:15

    Hi Jason

     

    Could you share the following outputs from both ends:

     

    > show interfaces [external_interface] extensive | find security

    > show security flow session protocol udp destination-port 500

    > show security flow session protocol udp destination-port 4500

     

    If there are any ISP modems connected to the SRXs, I would suggest rebooting those as well.

     

    Please also let us know if any of the SRXs has any firewall filters applied on the external interface or the loopback interface.

     



  • 5.  RE: SRX300 Configuration issue at site with single static ip
    Best Answer

    Posted 01-21-2019 10:43
    Congratulations we have a winner, sort of...
     
    First, the ISP modem was blocking or dropping IKE phase 1 at one site.
     
    THEN I had some peer ID issues; the kmd log helped clear that up.
    This led to phase 1 but no phase 2 — phase 2 would time out.
     Extensive use of
    > show interfaces [external_interface] extensive | find security
    > show security flow session protocol udp destination-port 500
    > show security flow session protocol udp destination-port 4500
    was had; I found one side was sending the phase 2 packet, yet nothing arrived on the other side. Many hairs were greyed... but after a creative trial of connecting the new firewall to the old one, success was had on establishment of phase two.
    Sooo additional testing followed... it appears a route on my ISP equipment drops port 4500 before it gets to my gateway....
     
    So I wanted to go site A to B and B to C; I ended up going A to B and A to C due to the ISP issue... (sites A and B are on the same ISP, different nodes).
     
    Now that these tunnels are established, I need to get started on the traffic flow part, but I wanted to reach out with a thank you for your assistance in getting me to this point.
     
    Jason
       


  • 6.  RE: SRX300 Configuration issue at site with single static ip

    Posted 01-21-2019 11:26

    Jason,

     

    I am glad the issue was resolved. I suggested the "show security flow session protocol udp destination-port 4500" in order to find a problem with the ISP dropping UDP 4500 packets, because that is usually the case.

     



  • 7.  RE: SRX300 Configuration issue at site with single static ip

    Posted 01-17-2019 06:30

    I think your issue regarding the VPN not coming up is that host-inbound-traffic ike is only defined on the Internet zone, not on the ge-0/0/0.0 interface. It's expected behavior: the most specific configuration stanza "wins". In this case you define host-inbound-services under an interface, where it overrides the host-inbound-services under the security zone.

     

    My suggestion is to define host-inbound-services either on a per-zone basis or per interface, not mixing them, as that creates misunderstandings 🙂

     

    security-zone Internet {
    address-book {
    address addr_192_168_3_0_24 192.168.3.0/24;
    }
    host-inbound-traffic {
    system-services {
    ike;
    ssh;
    https;
    http;
    traceroute;
    }
    }
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    tftp;
    dhcp;
    http;
    https;
    ssh;