SRX Services Gateway
Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos
Accepted Solution

IPSEC VPN Troubleshooting

Having trouble with this VPN, config is attached. IKE appears to be up along with IPSEC:

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5592930 UP     4502a0161874bf61  d769db9a07cc0dc9  Main           6.1.1.85

show security ipsec security-associations
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
<131073 ESP:aes-256/sha256 5d58a0a5 129/ unlim - root 500   6.1.1.85
>131073 ESP:aes-256/sha256 4ae220aa 129/ unlim - root 500   6.1.1.85
<131073 ESP:aes-256/sha256 c8378713 1557/ unlim - root 500  6.1.1.85
>131073 ESP:aes-256/sha256 4ae220ad 1557/ unlim - root 500  6.1.1.85

Cannot ping across the tunnel from the local address 10.24.12.118 to the peer address 10.24.12.117 nor can we access resources on the other side.

Traffic to the peer address appears to be egressing the interface created for the vpn st0.0:

show route 10.24.12.117

inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

ISP1.inet.0: 15 destinations, 16 routes (14 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

ISP2.inet.0: 13 destinations, 14 routes (12 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

SERVER-Traffic.inet.0: 12 destinations, 12 routes (11 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.24.12.116/30  *[Direct/0] 02:10:51
                    > via st0.0

Any help is greatly appreciated.

Recognized Expert
Posts: 569
Registered: ‎05-28-2015

Re: IPSEC VPN Troubleshooting

Hi,


The other peer is SRX as well ?

Try to open two sessions to the SRX; on one run a ping to 10.24.12.117, on the second run 'show security flow session destination-prefix 10.24.12.117' and attach the output. If the other side is an SRX also, run the same command there as well.

Run 'show route' on the other side.

Regards,
A'bed AL-R.
[JNCSP-SEC Ingenious Champion]
https://srxtech.wordpress.com
Trusted Contributor
Posts: 40
Registered: ‎08-05-2014

Re: IPSEC VPN Troubleshooting

Hi,

Please share the output of the show security flow session destination-prefix 10.24.12.117

also on the other side run the same command for the destination ip.

Share the show route output from the other side as well, and also check the output of the command below on both sides to see if the encryption and decryption counters are incrementing.

show security ipsec statistics index 131073

If the other side is also an SRX, check the index number for this tunnel there and then run the same command, replacing the index number with the one you see on the other side.

This will tell us whether encryption and decryption are incrementing on both sides.

regards,

Guru Prasad

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Other side is not an SRX. We do have other SRXs successfully connected and passing traffic to other firewalls.

When they ping .118 from .117 I do not see the traffic show up.

ping source 10.24.12.118 10.24.12.117

monitor traffic interface st0.0 size 1500

13:05:20.272371 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 0, length 64
13:05:21.283020 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 1, length 64
13:05:22.293573 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 2, length 64
13:05:23.304082 Out IP 10.24.12.118 > 10.24.12.117: ICMP echo request, id 4105, seq 3, length 64

With the manner our routing and access lists are set up, do you see any reason incoming traffic over the VPN would be blocked or sent elsewhere?

Trusted Contributor
Posts: 40
Registered: ‎08-05-2014

Re: IPSEC VPN Troubleshooting

Hi,

Which vendor is the remote side? You should be able to see the IPsec statistics somehow on that.

Please check the route back on the remote device.

The flow session on the device will also tell us whether the packet is received or not.

regards,

Guru Prasad

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

show security ipsec statistics index 131073

ESP Statistics:
  Encrypted bytes:           406024
  Decrypted bytes:                0
  Encrypted packets:           2999
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
show security flow session destination-prefix 10.24.12.117
Session ID: 8471, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp, If: st0.0, Pkts: 0, Bytes: 0

show security flow session session-identifier 8471
Session ID: 8471, Status: Normal
Flag: 0x40
Policy name: self-traffic-policy/1
Source NAT pool: Null
Maximum timeout: 60, Current timeout: 30
Session State: Valid
Start time: 11422631, Duration: 30
   In: 10.24.12.118/11 --> 10.24.12.117/4249;icmp,
    Interface: .local..0,
    Session token: 0x2, Flag: 0x0x31
    Route: 0x580722, Gateway: 10.24.12.118, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 1, Bytes: 84
   Out: 10.24.12.117/4249 --> 10.24.12.118/11;icmp,
    Interface: st0.0,
    Session token: 0x9, Flag: 0x0x20
    Route: 0x200010, Gateway: 10.24.12.116, Tunnel: 537001985
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 0, Bytes: 0
Total sessions: 1

Only time I see sessions is when I send pings across the tunnel.

Trusted Contributor
Posts: 40
Registered: ‎08-05-2014

Re: IPSEC VPN Troubleshooting

Hi,

From the output it is clear that the SRX is continuously encrypting the packets and is not receiving any reply from the remote side.

Please check the IPsec statistics on the remote side as well; you should see the decryption counters continuously increasing.

If it is a Cisco device, you can run the command

show crypto ipsec sa (peer address)

regards,

Guru Prasad

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Do you see anything in our config that would be causing this?

Trusted Contributor
Posts: 40
Registered: ‎08-05-2014

Re: IPSEC VPN Troubleshooting

Hi,

Configuration looks good to me.

Please check the remote side as well for any issues.

Also upgrade the device to at least 12.1X46 code; you are running very old code.

regards,

Guru Prasad

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Attached are the kmd logs; is it normal for phase 1 to keep cycling so often?

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Is it normal for security flow traceoptions logs to have the "invalid session id 00000" entry?

May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow9: Destination ID set to 2
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow10: Destination ID set to 2
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Rate limit changed to 0
May  4 23:06:21 23:06:21.589636:CID-0:CTRL:flow11: Destination ID set to 2
May  4 23:07:23 23:07:23.661148:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:26 23:07:26.680953:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:30 23:07:29.984699:CID-0:RT:SPU invalid session id 00000000
May  4 23:07:33 23:07:32.992140:CID-0:RT:SPU invalid session id 00000000

set security flow traceoptions file DebugTraffic
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic interface st0.0

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Far end is a FortiGate, not seeing packets through the tunnel.

1.1.1.142:0  selectors(total,up): 1/1  rx(pkt,err): 40/40  tx(pkt,err): 5/0
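A small triage helper, added here and not taken from the thread, Juniper or Fortinet, that reads the SRX `show security ipsec statistics` counters posted earlier in the thread together with the FortiGate tunnel counter line from this post and flags the one-way pattern both ends show. The finding codes and the reading of the FortiGate rx/tx error counters are my assumptions; the sample counters are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the SRX 'show security ipsec statistics' counters quoted in the thread.
SRX_STATS = """\
ESP Statistics:
  Encrypted bytes:           406024
  Decrypted bytes:                0
  Encrypted packets:           2999
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
# Constructed sample: the FortiGate tunnel counter line quoted in the thread.
FGT_LINE = "1.1.1.142:0  selectors(total,up): 1/1  rx(pkt,err): 40/40  tx(pkt,err): 5/0"

SRX_KEYS = ("Encrypted packets", "Decrypted packets", "Replay errors",
            "ESP authentication failures", "ESP decryption failures")

def parse_srx_stats(text):
    """Pull the named ESP counters out of the SRX statistics output (0 if absent)."""
    stats = {}
    for key in SRX_KEYS:
        m = re.search(re.escape(key) + r":\s*(\d+)", text)
        stats[key] = int(m.group(1)) if m else 0
    return stats

def parse_fgt_counters(line):
    """Read rx/tx packet and error counts from the FortiGate tunnel counter line."""
    m = re.search(r"rx\(pkt,err\):\s*(\d+)/(\d+)\s+tx\(pkt,err\):\s*(\d+)/(\d+)", line)
    rx_pkt, rx_err, tx_pkt, tx_err = map(int, m.groups())
    return {"rx_pkt": rx_pkt, "rx_err": rx_err, "tx_pkt": tx_pkt, "tx_err": tx_err}

def diagnose(srx, fgt):
    """Return finding codes (assumed names) for a one-way tunnel, read from both ends."""
    findings = []
    # SRX encrypts outbound but decrypts nothing: no return traffic is arriving in the SA.
    if srx["Encrypted packets"] > 0 and srx["Decrypted packets"] == 0:
        findings.append("SRX_NO_DECRYPT")
    # Auth/decrypt failures would instead point at a proposal or key mismatch.
    if srx["ESP authentication failures"] or srx["ESP decryption failures"]:
        findings.append("SRX_ESP_FAILURES")
    # Every packet the remote received was counted as an error: it is dropping our traffic.
    if fgt["rx_pkt"] > 0 and fgt["rx_err"] == fgt["rx_pkt"]:
        findings.append("REMOTE_RX_ALL_ERRORS")
    # Remote reports sending packets, yet the SRX decrypted none and saw no ESP errors.
    if fgt["tx_pkt"] > 0 and srx["Decrypted packets"] == 0 and "SRX_ESP_FAILURES" not in findings:
        findings.append("REMOTE_TX_NOT_RECEIVED")
    return findings
```

Run `diagnose(parse_srx_stats(SRX_STATS), parse_fgt_counters(FGT_LINE))` on the constructed counters to get the three findings that describe this thread's tunnel.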
Recognized Expert
Posts: 569
Registered: ‎05-28-2015

Re: IPSEC VPN Troubleshooting

Hi,

Not sure, but could you try to add this policy:

set security policies from-zone corp-vpn to-zone corp-vpn policy intra match source-address any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra match destination-address any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra match application any
set security policies from-zone corp-vpn to-zone corp-vpn policy intra then permit

Also, let's try capturing the traffic with Wireshark, if you don't mind sharing the output:

set forwarding-options packet-capture file filename packetcapture

set firewall family inet filter CAPTURE term 1 from source-address 3.3.3.3/32
set firewall family inet filter CAPTURE term 1 from destination-address 2.2.2.2/32
set firewall family inet filter CAPTURE term 1 then sample
set firewall family inet filter CAPTURE term 2 then accept

set interfaces st0 unit 0 family inet filter CAPTURE

After replicating the issue, disable it:

set forwarding-options packet-capture disable

and share the output please.

Regards,
A'bed AL-R.
[JNCSP-SEC Ingenious Champion]
https://srxtech.wordpress.com
Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

No change after adding the security policy.  Will start packet capture momentarily.

Thank you for the assistance.

Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

This interface does not have inet filter as an option, see below.

set interfaces st0 unit 0 family inet ?
Possible completions:
  <[Enter]>            Execute this command
> address              Interface address/destination prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  mtu                  Protocol family maximum transmission unit
  negotiate-address    Negotiate address with remote
> next-hop-tunnel      One or more next-hop tunnel tables
  no-neighbor-learn    Disable neighbor address learning on interface
> sampling             Interface sampling
  |                    Pipe through a command
Contributor
Posts: 10
Registered: ‎11-11-2016
0 Kudos

Re: IPSEC VPN Troubleshooting

Upgraded to 12.1X46 and the peer address started pinging. Thanks for the recommendation.

Trusted Contributor
Posts: 40
Registered: ‎08-05-2014
0 Kudos

Re: IPSEC VPN Troubleshooting

Hi,

Unfortunately packet captures are not supported on the ST0 interfaces.

It will allow you to commit in 12.1X46 code; however, we have seen issues where it does not capture the traffic on ST0 interfaces.

Regards,

Guru Prasad

Recognized Expert
Posts: 569
Registered: ‎05-28-2015
0 Kudos

Re: IPSEC VPN Troubleshooting

Glad to hear that the problem has been resolved!
Regards,
A'bed AL-R.
[JNCSP-SEC Ingenious Champion]
https://srxtech.wordpress.com