SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Dynamic VPN client can't ping Protected-Resources

  • 1.  Dynamic VPN client can't ping Protected-Resources

    Posted 06-18-2015 05:13

    Dear friends,

    I have a simple problem, but somehow the other topics related to this do not give useful information.

    I'm able to establish the dynamic VPN, but I can't access anything (ping, RDP, etc.) beyond the SRX.

    My configuration is attached; can you help please?

    Thanks in advance,

    Ugur

    Attachment(s): eyup_srx.txt (10 KB)


  • 2.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-18-2015 05:34

    Please delete the policy After_VPN and test. We don't need this policy, as it's specific to the dynamic VPN clients.

    If the issue persists after deleting the above policy, we need to run flow traceoptions and see where the drop is happening.



  • 3.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-18-2015 05:54

    Dear rsuraj,

    It's not originally there; it didn't work either.

    I set up 2 dynamic VPNs to 2 different locations, and I see the same problem. I think Juniper hides some configuration so that you have to ask their support team.

    My first problem was establishing the VPN; it was solved with a configuration line that doesn't exist in:

    www.juniper.net/documentation/en_US/junos12.1/topics/example/vpn-security-dynamic-example-configuring.html



  • 4.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-19-2015 00:32

    What configuration line was missing from the article? At the very top there is an option to rate the article, and it gives the ability to state corrections to make the articles better. I find mistakes and even incorrect things sometimes, but I rate the article and correct it so that others can benefit and not suffer a similar fate. So if you have not yet done so, please rate the article and add the line so the article can be corrected.



  • 5.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-19-2015 00:36

    @lyndidon he means the config option below (needed when your SRX is behind NAT and you want to set up a dynamic VPN):

    set security ike gateway dyn-vpn-local-gw local-identity x.x.x.x



  • 6.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-19-2015 00:42

    Okay. I did not check, because I know the articles sometimes need correction; I'm just addressing one thing at a time. Thanks for the info. The other thing I wanted to address was the failure to ping the remote resources. I wanted to ask if he could ping the resource from the SRX. If yes, then can you ping the dynamic client from the SRX? I don't know if he is pinging by DNS name or IP address. I am going to look at the config later.



  • 7.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-18-2015 08:01

    First open a continuous ping from your dyn-vpn client towards something behind the SRX.

    Then run the following (you have to change the source and destination IP to the ones you are using):

    show security match-policies source-ip 192.168.5.2 destination-ip 10.10.10.1 protocol icmp

    Can you paste the output in the forum thread?


  • 8.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-19-2015 00:39

     

    Hi Mark,

    I changed "default-policy" to permit-all. Nothing changed so far.

    vestek@SRX100> show security match-policies from-zone Internet to-zone IPTV source-ip 192.168.5.3 destination-ip 10.0.0.251 result-count 5 protocol icmp source-port 1 destination-port 1
    Policy: dyn-vpn-policy, action-type: permit, State: enabled, Index: 5
    0
    Policy Type: Configured
    Sequence number: 1
    From zone: Internet, To zone: IPTV
    Source addresses:
      any-ipv4: 0.0.0.0/0
      any-ipv6: ::/0
    Destination addresses:
      any-ipv4: 0.0.0.0/0
      any-ipv6: ::/0
    Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
    Per policy TCP Options: SYN check: No, SEQ check: No
    Tunnel: dyn-vpn, Type: IPSec, Index: 2
    Policy: Default-Policy, action-type: permit-all, State: enabled, Index: 2
    Sequence number: 2



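    The check in the two posts above (run "show security match-policies" for the client's source and the protected destination, then read off which policy the SRX would apply and whether a tunnel is attached to it) is easy to misread once the output is pasted flat into a thread. The following Python script is an added example, not code from this thread or from Juniper: it parses output in the layout shown above and reports the first listed policy, its action, and whether an IPsec tunnel is bound to it. The sample text is constructed from the output in the previous post, and the script assumes (as the command's ordering implies) that the first policy listed is the one the SRX applies; the wording of the verdicts is the example's own.

```python
import re

# Constructed sample in the layout of the "show security match-policies"
# output posted in the thread (the command line itself is omitted here).
SAMPLE_OUTPUT = """\
Policy: dyn-vpn-policy, action-type: permit, State: enabled, Index: 5
Policy Type: Configured
Sequence number: 1
From zone: Internet, To zone: IPTV
Source addresses:
  any-ipv4: 0.0.0.0/0
  any-ipv6: ::/0
Destination addresses:
  any-ipv4: 0.0.0.0/0
  any-ipv6: ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
Tunnel: dyn-vpn, Type: IPSec, Index: 2
Policy: Default-Policy, action-type: permit-all, State: enabled, Index: 2
Sequence number: 2
"""

# "Policy:" (with the colon) starts a new policy block; "Policy Type:" does not.
POLICY_RE = re.compile(r"^Policy: (?P<name>\S+), action-type: (?P<action>[\w-]+)")
ZONE_RE = re.compile(r"^From zone: (?P<src>\S+), To zone: (?P<dst>\S+)")
TUNNEL_RE = re.compile(r"^Tunnel: (?P<tunnel>\S+), Type: (?P<kind>\S+)")


def parse_match_policies(text):
    """Return the listed policies, in lookup order, as dicts."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = {"name": m["name"], "action": m["action"],
                       "from_zone": None, "to_zone": None, "tunnel": None}
            policies.append(current)
            continue
        if current is None:
            continue
        m = ZONE_RE.match(line)
        if m:
            current["from_zone"], current["to_zone"] = m["src"], m["dst"]
            continue
        m = TUNNEL_RE.match(line)
        if m:
            current["tunnel"] = m["tunnel"]
    return policies


def diagnose(policies):
    """One-line verdict for the first listed policy (the one the SRX applies)."""
    if not policies:
        return "no policy listed in the output"
    first = policies[0]
    if first["action"] not in ("permit", "permit-all"):
        return f"dropped by {first['name']} (action {first['action']})"
    if first["tunnel"] is None:
        return f"permitted by {first['name']} but no IPsec tunnel is bound to it"
    return f"permitted by {first['name']} and bound to tunnel {first['tunnel']}"


if __name__ == "__main__":
    parsed = parse_match_policies(SAMPLE_OUTPUT)
    for p in parsed:
        print(p)
    print(diagnose(parsed))
```

    For the output posted above the verdict is that dyn-vpn-policy permits the traffic and is bound to the dyn-vpn tunnel, so the policy set is not where the drop is; a verdict of "no IPsec tunnel is bound" or "dropped by" would point back at the policy ordering instead.
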
  • 9.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-19-2015 01:07

    Hi dalcellur,

    Please run flow traceoptions as in the KB below to see where/why the drop is happening.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110



  • 10.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-19-2015 01:08

    What does this produce?

    >show route 10.0.0.0/16

    I want to see if the interface accessible to the remote resources is in the correct zone. Can you ping the remote resources from the SRX? Can you ping the dynamic client from the SRX?

    You should also consider using the new global addressing configuration.

    Attach the "flow-debug" log.



  • 11.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-19-2015 01:13

    He mentioned before that he was unable to "ping" the local-address of the SRX from the dyn-vpn clients



  • 12.  RE: Dynamic VPN client can't ping Protected-Resources
    Best Answer

    Posted 06-19-2015 07:25

    Dear friends,

    I solved my problem; it was really irritating. I did various debugs, including IKE, VPN and ICMP. I realized that my pings from the dynvpn client don't even arrive there.

    The problem is my computer. In Windows, I see that the route 10.0.0.0/16 (my protected resource) is on my VPN adapter, ON-LINK, and has the lowest metric, which means my packets should use that interface.

    But somehow it selects my default route (0.0.0.0/0). I installed the Pulse client on another device and no problem occurred.

    By the way, why does the Pulse client ask for passwords again and again? It does not save the password. Maybe I'm trying to hide passwords from my employees 🙂 Are there any other client programs capable of doing that?

    @lyndidon

    I'm very sure that too many people have experienced this problem. They should add a sentence about dynamic VPN with the SRX behind NAT. It cannot be that rare. I found the related topic after MarcTB gave me the missing configuration.

    @MarcTB

    Thank you for everything 🙂 You helped me well.


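    The diagnosis in the post above rests on how a host picks an egress interface: the most specific (longest) matching prefix wins, and among routes with the same prefix length the lowest metric wins, so an on-link 10.0.0.0/16 route on the VPN adapter should beat 0.0.0.0/0. The Python below is an added example, not code from this thread or from Pulse or Juniper; it models that lookup over a constructed route table in the layout of Windows' "route print" (the adapter names, metrics and 192.168.1.x addresses are illustrative) and returns the interface a packet to a given destination would leave through, so the result can be compared with what a capture on the client shows. It does not model Windows adding the adapter's interface metric to the route metric, which is one more thing to check when the printed route looks right but the packets still go elsewhere.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "10.0.0.0/16"
    gateway: str     # next hop, or "On-link" for a directly connected prefix
    interface: str   # adapter name (illustrative)
    metric: int      # lower is preferred among routes of equal prefix length


# Constructed table modelled on the situation described in the post:
# the protected resources (10.0.0.0/16) are on-link on the VPN adapter with
# the lowest metric, while everything else goes out the default route.
WORKING_TABLE = [
    Route("0.0.0.0/0", "192.168.1.1", "Wi-Fi", 35),
    Route("192.168.1.0/24", "On-link", "Wi-Fi", 291),
    Route("10.0.0.0/16", "On-link", "Pulse VPN adapter", 2),
]

# Same table without the VPN route: packets to 10.0.0.x now leave via the
# default route, which is the symptom the poster observed.
BROKEN_TABLE = [r for r in WORKING_TABLE if r.prefix != "10.0.0.0/16"]


def select_route(table, dst):
    """Longest-prefix match, ties broken by lowest metric; None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def egress_interface(table, dst):
    """Name of the adapter a packet to dst would leave through."""
    route = select_route(table, dst)
    return route.interface if route else None


def check_vpn_routing(table, protected_hosts, vpn_interface):
    """Return the protected hosts that would NOT leave via the VPN adapter.

    An empty list means the host-side routing matches what the VPN client
    is supposed to have installed; anything listed is traffic the SRX will
    never see, which is why flow traceoptions on the SRX show nothing.
    """
    return [h for h in protected_hosts
            if egress_interface(table, h) != vpn_interface]


if __name__ == "__main__":
    hosts = ["10.0.0.251", "10.0.10.7"]
    for name, table in (("working", WORKING_TABLE), ("broken", BROKEN_TABLE)):
        wrong = check_vpn_routing(table, hosts, "Pulse VPN adapter")
        print(f"{name}: misrouted protected hosts = {wrong}")
```

    Run against the real table, the list returned by check_vpn_routing is the set of protected addresses to test with ping and a packet capture on the client; if it is empty and pings still never reach the SRX, the next place to look is the client software itself, as the poster found.
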

  • 13.  RE: Dynamic VPN client can't ping Protected-Resources

     
    Posted 06-19-2015 08:59

    Hi,

    You are welcome 🙂 Can you also close the other topics you opened and we responded to, so people see that your problems are resolved?



  • 14.  RE: Dynamic VPN client can't ping Protected-Resources

    Posted 06-19-2015 12:31

    Thanks for the update. As for the missing line, it could be a mistake. It has happened enough times, so if you tell them about it, that is one thing they are usually quick to fix.