Policy based VPN to Microsoft Azure

    Posted 02-17-2022 14:45
    Hello everyone,

    At the moment we have an issue with traffic passing through the VPN tunnel between Microsoft Azure and our on-premises network. We are using an SRX550 device and the Junos version is 12.3X48-D105.4.

    We have set up a policy-based VPN to Microsoft Azure and the tunnel is up in both phases (IKE and IPsec). The issue was encountered when we could not see any return traffic when a curl request for a particular web page is made from Azure to an on-premises server hosting the web page. This also happens when we telnet to the particular port on which that on-premises server is listening. We see the connection coming in, passing through the on-premises firewalls and reaching the server, but the telnet is never successful, i.e. traffic is not going back to Azure.

    We did check the routing via multiple tcpdumps on different hops, even on the last hop (interface) where the traffic enters the Juniper device to be sent via the tunnel to Microsoft Azure, and we can see the traffic passing through. The issue is that when the telnet is initiated from Azure to the on-premises server we can see the start of the three-way handshake but we cannot see the final ACK. Basically we see the SYN (from Azure to the on-premises server) and the SYN/ACK (from the on-premises server to Azure), but we never see the ACK back from Azure to the on-premises server, which is why we suspect the curl and telnet are not successful. I am pasting the tcpdump log below showing this happening:

    16:51:36.287992 IP 192.168.20.5.37344 > server1.domain.com.intu-ec-client: Flags [S], seq 295015465, win 64240, options [mss 1318,sackOK,TS val 363220322 ecr 0,nop,wscale 7], length 0
    16:51:36.290417 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598017 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:51:37.427398 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598131 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:51:39.698257 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598358 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:51:44.217442 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598810 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:51:53.237703 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684599712 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:52:11.257667 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684601514 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:52:47.277853 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684605116 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:53:47.298105 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684611118 ecr 363220322,mss 1460,nop,wscale 5], length 0
    16:54:47.318455 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [R.], seq 1, ack 1, win 32772, length 0

    Has anyone ever encountered such an issue? We found an article saying that the MTU size must be 1350 for such a VPN to work, so we lowered the IPsec MSS to 1350 using the command below, but this did not solve the issue:

    set security flow tcp-mss ipsec-vpn mss 1350

    Do you have any idea what the issue might be? We have been troubleshooting this issue all week but we weren't able to find any solution. We have also checked routing multiple times and confirmed the checks using tcpdumps to follow the flow of traffic.

    Thank you for your time

    ------------------------------
    NEIL BORG
    ------------------------------
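As an added worked example (not part of the original post or of any reply in the thread), the following Python script classifies the handshake state of every TCP connection in a tcpdump text capture of the kind pasted above. Run on those exact lines it reports the flow as half-open: one SYN from the Azure side, eight SYN/ACKs from the server (seven retransmissions with the usual exponential backoff), no ACK from the client at this capture point, and a final RST from the server. It goes slightly beyond the post in that it also recognises completed handshakes and SYNs that draw no SYN/ACK at all. The capture samples are the post's own lines plus a constructed completed handshake; all function and variable names are my own.

```python
"""Classify TCP three-way handshakes in a tcpdump text capture.

Added example, not code from the original post. It parses the default
tcpdump line format shown in the post and reports, per connection, whether
the handshake completed, whether the server kept retransmitting SYN/ACK
without ever seeing the client's ACK (the symptom in the post), or whether
no SYN/ACK came back at all.
"""
import re

# Sample 1: the capture pasted in the post (192.168.20.5 is the Azure-side
# client, server1.domain.com the on-premises server; tcpdump prints the
# service name from /etc/services in place of the destination port).
SAMPLE_CAPTURE = """\
16:51:36.287992 IP 192.168.20.5.37344 > server1.domain.com.intu-ec-client: Flags [S], seq 295015465, win 64240, options [mss 1318,sackOK,TS val 363220322 ecr 0,nop,wscale 7], length 0
16:51:36.290417 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598017 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:51:37.427398 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598131 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:51:39.698257 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598358 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:51:44.217442 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684598810 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:51:53.237703 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684599712 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:52:11.257667 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684601514 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:52:47.277853 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684605116 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:53:47.298105 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [S.], seq 3792040841, ack 295015466, win 32772, options [sackOK,TS val 684611118 ecr 363220322,mss 1460,nop,wscale 5], length 0
16:54:47.318455 IP server1.domain.com.intu-ec-client > 192.168.20.5.37344: Flags [R.], seq 1, ack 1, win 32772, length 0
"""

# Sample 2: a constructed, completed handshake for contrast (not from the post).
COMPLETED_CAPTURE = """\
10:00:00.000000 IP 10.0.0.1.40000 > 10.0.0.2.http: Flags [S], seq 1, win 64240, length 0
10:00:00.001000 IP 10.0.0.2.http > 10.0.0.1.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:00.002000 IP 10.0.0.1.40000 > 10.0.0.2.http: Flags [.], ack 1, win 502, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def _endpoint(text):
    """'host.port' -> (host, port); the port is whatever follows the last dot."""
    host, _, port = text.rpartition(".")
    return host, port


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return (seconds, src, dst, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return _seconds(m["ts"]), _endpoint(m["src"]), _endpoint(m["dst"]), m["flags"]


def analyse_handshakes(capture_text):
    """Group packets by (client, server) and classify each handshake.

    The client is whichever side sent the bare SYN. Packets belonging to no
    SYN seen in the capture (mid-stream traffic) are ignored.
    """
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        t, src, dst, flags = pkt
        is_syn = "S" in flags and "." not in flags      # bare SYN, no ACK bit
        if is_syn and (src, dst) not in flows:
            flows[(src, dst)] = {"syn": 0, "synack": 0, "client_ack": 0,
                                 "rst": 0, "first": t, "last": t}
        if (src, dst) in flows:
            key, from_client = (src, dst), True
        elif (dst, src) in flows:
            key, from_client = (dst, src), False
        else:
            continue
        f = flows[key]
        f["last"] = t
        if is_syn and from_client:
            f["syn"] += 1                                # SYN (or its retransmit)
        elif "R" in flags:
            f["rst"] += 1                                # either side gave up
        elif "S" in flags and not from_client:
            f["synack"] += 1                             # SYN/ACK from the server
        elif "." in flags and from_client:
            f["client_ack"] += 1                         # client's ACK (or data+ACK)

    report = {}
    for key, f in flows.items():
        if f["client_ack"]:
            verdict = "ESTABLISHED"
        elif f["synack"] == 0:
            verdict = "NO_SYNACK"     # forward path broken or server not answering
        else:
            verdict = "HALF_OPEN"     # server answered; client's ACK never seen here
        report[key] = {**f, "verdict": verdict,
                       "synack_retransmits": max(f["synack"] - 1, 0),
                       "duration_s": f["last"] - f["first"]}
    return report


def describe(report):
    """One human-readable line per flow."""
    lines = []
    for (client, server), r in report.items():
        lines.append(
            f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {r['verdict']} "
            f"(SYN x{r['syn']}, SYN/ACK x{r['synack']}, client ACK x{r['client_ack']}, "
            f"RST x{r['rst']}, {r['duration_s']:.1f}s)"
        )
    return lines


if __name__ == "__main__":
    for text in (SAMPLE_CAPTURE, COMPLETED_CAPTURE):
        print("\n".join(describe(analyse_handshakes(text))))
```

A HALF_OPEN verdict at the on-premises capture point only establishes that the ACK never arrived there; a second capture on the Azure VM shows whether the SYN/ACK ever reached it, and comparing the two pins the loss to one direction of the tunnel. Note that the handshake packets are all length 0, so an MSS or MTU setting cannot be what drops them.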