Junos OS

  • 1.  SRX345 HA dual ISP routing enigma

    Posted 02-18-2024 05:53

    Hello,

    I have an up and running SRX345 HA on 22.4R2-S2.6. My setup consists of 2 ISP links and 20+ office branches using SRX300 for connecting via IPsec.

    All offices have defined 2 tunnels towards SRX345, each for one ISP.
    0/0 routes on SRX345 are looking like this:
    set routing-options static route 0.0.0.0/0 next-hop 11.11.11.11
    set routing-options static route 0.0.0.0/0 next-hop 22.22.22.22
    I've also tried with option of having qualified-next-hop with different preference for each ISP, but it acted the same.
    Funny thing is that 18-19 out of 20 SRXs successfully connect to both ISP links, creating 2 IPsec tunnels with different route preferences for each office branch.
    SRX345 HA is acting weird for 1 or 2 of them, in a way that they (SRX300) send out isakmp packets towards ISP-2 (reth2: 22.22.22.22) on SRX345, the packet reaches SRX345 HA on reth2, but SRX345 sends the packet out via reth1 (ISP-1). It does not return the packet via the same interface it came in on.
    monitor-traffic on reth1 (ISP-1) interface showing outgoing packets from reth2 IP address:
    11:06:09.738009 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
    11:06:19.739075 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
    11:06:29.740845 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
    Why does SRX345 return packets via correct interface for other 18 branches, but for some of them it does not?
    Please let me know if any other part of config is required.


    ------------------------------
    Vedran Milicevic
    ------------------------------
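    An added check for the symptom described in this post (example code, not part of the thread): it parses monitor-traffic lines like the ones quoted above and flags any packet that left the capture interface using another reth's address. The reth-to-address map is taken from the post; the fourth, healthy capture line is constructed.

```python
"""Flag IKE packets that leave a capture interface with another interface's
source address, i.e. the asymmetric-return symptom described in the post."""
import re

# Matches Junos 'monitor traffic interface ...' lines such as the ones in
# the post; the 'truncated-ip' note is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?:truncated-ip - \d+ bytes missing! )?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Return the fields of one capture line as a dict, or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_asymmetric(lines, capture_iface, iface_addrs):
    """Return (timestamp, src, dst, owning_iface) for each packet whose local
    address belongs to an interface other than the one it was captured on.
    For 'Out' packets the local address is src; for 'In' packets it is dst."""
    addr_to_iface = {addr: iface for iface, addr in iface_addrs.items()}
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        local = pkt["src"] if pkt["dir"] == "Out" else pkt["dst"]
        owner = addr_to_iface.get(local)
        if owner is not None and owner != capture_iface:
            hits.append((pkt["ts"], pkt["src"], pkt["dst"], owner))
    return hits

# Constructed sample: the three lines quoted in the post plus one healthy
# reply from reth1's own address; all assumed captured on reth1.
SAMPLE_CAPTURE = """\
11:06:09.738009 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
11:06:19.739075 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
11:06:29.740845 Out IP truncated-ip - 506 bytes missing! 22.22.22.22.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
11:06:30.000000 Out IP 11.11.11.11.500 > 12.12.12.12.500: isakmp: phase 1 ? #34[]: [|#33]
""".splitlines()

# Addresses from the post: reth1 is ISP-1, reth2 is ISP-2.
RETH_ADDRS = {"reth1": "11.11.11.11", "reth2": "22.22.22.22"}

if __name__ == "__main__":
    for ts, src, dst, owner in find_asymmetric(SAMPLE_CAPTURE, "reth1", RETH_ADDRS):
        print(f"{ts}: {src} -> {dst} egressed reth1 but the address belongs to {owner}")
```

    Run it against a real `monitor traffic interface reth1` capture saved to a file to list exactly which branches trigger the wrong-interface return.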


  • 2.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-20-2024 09:35

    Have you set the external interface for each IPSec VPN on the SRX345 side?

    set ike gateway ike-gw external-interface ge-0/0/0


    ------------------------------
    Michael Bila
    ------------------------------



  • 3.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-20-2024 10:00

    Sure,

    I have 2 tunnel ike gw per remote branch since Central has 2 ISP links as shown on topology drawing.

    Each of those 2 tunnels per branch have different external interface.

    Here is a config snippet for one branch. Please do note that I have 44 of those ike gw and accompanying ipsec vpn configured, and only 2-3 of those are acting up.

    All others are routing traffic (ike and icmp) back via same interface that request came in or was being sent out (initiator or responder role).

    set security ike gateway OfficeBranch_1-ISP1 ike-policy RemoteOfficesPolicy-1
    set security ike gateway OfficeBranch_1-ISP1 address 12.12.12.12
    set security ike gateway OfficeBranch_1-ISP1 local-identity hostname central.acme.com
    set security ike gateway OfficeBranch_1-ISP1 remote-identity hostname office1.acme.com
    set security ike gateway OfficeBranch_1-ISP1 external-interface reth1
    set security ike gateway OfficeBranch_1-ISP1 version v2-only


    set security ike gateway OfficeBranch_1-ISP2 ike-policy RemoteOfficesPolicy-1
    set security ike gateway OfficeBranch_1-ISP2 address 12.12.12.12
    set security ike gateway OfficeBranch_1-ISP2 local-identity hostname central.acme.com
    set security ike gateway OfficeBranch_1-ISP2 remote-identity hostname office1.acme.com
    set security ike gateway OfficeBranch_1-ISP2 external-interface reth2
    set security ike gateway OfficeBranch_1-ISP2 version v2-only

    Security zone for "external" interfaces:

    set security zones security-zone Untrust host-inbound-traffic system-services ike
    set security zones security-zone Untrust host-inbound-traffic system-services ping
    set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ike
    set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic system-services ping
    set security zones security-zone Untrust interfaces reth1.0 host-inbound-traffic protocols all
    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic system-services ike
    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic system-services ping
    set security zones security-zone Untrust interfaces reth2.0 host-inbound-traffic protocols all

    Thanks.



    ------------------------------
    Vedran Milicevic
    ------------------------------



  • 4.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-20-2024 10:41

    At the branch office, do you have a more specific route than 0/0 to reach the IPsec destination address?



    ------------------------------
    Kalle Andersson
    ------------------------------



  • 5.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-20-2024 10:56

    Nope, at the branch I have the same as on central:

    set routing-options static route 0.0.0.0/0 next-hop 12.12.12.12

    And of course, ike gw have only one external interface there at the branch side.

    set security ike gateway Central-ISP1 ike-policy CentralPolicy-1
    set security ike gateway Central-ISP1 address 11.11.11.11
    set security ike gateway Central-ISP1 local-identity hostname office1.acme.com
    set security ike gateway Central-ISP1 remote-identity hostname central.acme.com
    set security ike gateway Central-ISP1 external-interface reth1
    set security ike gateway Central-ISP1 version v2-only

    set security ike gateway Central-ISP2 ike-policy CentralPolicy-1
    set security ike gateway Central-ISP2 address 22.22.22.22
    set security ike gateway Central-ISP2 local-identity hostname office1.acme.com
    set security ike gateway Central-ISP2 remote-identity hostname central.acme.com
    set security ike gateway Central-ISP2 external-interface reth1
    set security ike gateway Central-ISP2 version v2-only

    Also, if it means anything, source nat translates everything going out to interface.

    Thank you.



    ------------------------------
    Vedran Milicevic
    ------------------------------



  • 6.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-21-2024 08:52

    Have you checked the MTU at the problem branch sites? Have you double checked subnet masks?



    ------------------------------
    Michael Bila
    ------------------------------



  • 7.  RE: SRX345 HA dual ISP routing enigma

    Posted 02-21-2024 09:00

    I haven't checked MTU, I didn't change the default setting because it's working with other peers.

    NMs are okay since we're using /24 on each branch and different ranges for each branch. There's no overlapping in IP addressing if that's what you're aiming for.



    ------------------------------
    Vedran Milicevic
    ------------------------------