I have a vSRX located in AWS and an IPsec tunnel that is connected to a VPN connection in a different AWS VPC. The tunnel itself comes up, but I cannot ping the hosts on the other side of it, including the other IP in the interconnect subnet.
The tunnel is up:
ec2-user> show security ipsec inactive-tunnels
Total inactive tunnels: 0
Total inactive tunnels with establish immediately: 0
ec2-user> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 13860
Encrypted packets: 0
Decrypted packets: 231
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
The IP configuration on it is about as simple as can be:
ec2-user> show configuration interfaces st0.1
enable;
description VPN-06ab852-1;
family inet {
    mtu 1436;
    address 169.254.15.246/30;
}
As are the security zone and policy settings:
ec2-user> show configuration security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        st0.1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
ec2-user> show configuration security policies
from-zone trust to-zone trust {
    policy everything {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
But I cannot ping the far side of the tunnel, even when sourced from it:
ec2-user> ping 169.254.15.245 source 169.254.15.246
PING 169.254.15.245 (169.254.15.245): 56 data bytes
^C
--- 169.254.15.245 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
I do see traffic coming out of the tunnel interface when I do a packet capture, but I never see anything coming back in:
16:30:28.794614 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 2, length 64
16:30:29.794818 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 3, length 64
16:30:30.795552 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 4, length 64
16:30:31.796620 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 5, length 64
16:30:32.796766 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 6, length 64
Any suggestions are welcome.
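The ESP counters above are one-sided (packets are decrypted, none are encrypted). As an added example that is not part of the original post, this script parses the `show security ipsec statistics` text shown above and flags error counters and one-directional traffic; the hint strings are the example's own suggested checks, not a diagnosis from the post.

```python
import re

# Constructed sample: the counter block quoted in the post, embedded so this runs offline.
SAMPLE_STATS = """\
ESP Statistics:
Encrypted bytes: 0
Decrypted bytes: 13860
Encrypted packets: 0
Decrypted packets: 231
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

# One 'Name: value' pair; several pairs may share a line in the Errors section.
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")

def parse_ipsec_statistics(text):
    """Return {section: {counter: int}} from 'show security ipsec statistics' output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):            # section header such as 'ESP Statistics:'
            current = line[:-1]
            sections[current] = {}
            continue
        for name, value in COUNTER_RE.findall(line):
            sections[current][name.strip()] = int(value)
    return sections

def check_tunnel_direction(stats):
    """Flag error counters and traffic that flows through the SA in only one direction."""
    esp, err = stats["ESP Statistics"], stats["Errors"]
    findings = []
    if any(err.values()):
        findings.append("integrity/decrypt errors present: compare proposals on both peers")
    if esp["Decrypted packets"] > 0 and esp["Encrypted packets"] == 0:
        findings.append("peer traffic is decrypted but nothing is encrypted outbound: "
                        "local packets are not entering the SA (check routes/policy toward st0)")
    if esp["Encrypted packets"] > 0 and esp["Decrypted packets"] == 0:
        findings.append("outbound encrypted but nothing returns: check the far side's routes/policy")
    return findings
```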