SRX Services Gateway
Visitor
Posts: 2
Registered: ‎07-17-2017

My VPN between two SRXs is dropping packets, how do I read JUNOS VPN trace output to debug?


My VPN between two SRX240s is dropping packets.

When pinging from the external interface of one to the other it's fine.

When pinging from the external interface of one to the internal interface of the other I get intermittent packet drops (i.e. when it's entering the VPN tunnel).

Here is my config on the first SRX:

> show configuration security flow
##
## Warning: statement ignored: unsupported platform (srx220h2)
##
ipsec-performance-acceleration;
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
tcp-session {
    no-sequence-check;
}

On the other side I set up tracing to trace a ping from a host on the subnet on one side to the other:

> show configuration security flow
traceoptions {
    file my-dropped-packets;
    flag packet-drops;
    flag basic-datapath;
    packet-filter myfilter {
        source-prefix 192.168.<from-behind-srx1>/32;
        destination-prefix 192.168.<internal-interface-of-SRX2>/32;
    }
}
##
## Warning: statement ignored: unsupported platform (srx220h2)
##
ipsec-performance-acceleration;
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
tcp-session {
    no-sequence-check;
}

You can also see that I tried to enable ipsec-performance-acceleration to see if it would fix this, but it appears not to be supported.

There are many docs on how to enable tracing with traceoptions but none I could find explaining how to actually read them for debugging VPNs.

There is this doc for example that explains how to read trace output to troubleshoot NAT issues: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21757&actp=METADATA. I want something like this for troubleshooting vpn issues. I try googling some of the messages I see in the trace but I'm lost.

What should I be looking for? I'd like to dump these logs and just search through them for important error messages, but I'm not sure I see any "error" messages. 

I uploaded a 700-line trace from 4 pings from the source to the destination identified in the filter. On the third ping the request timed out; where would I see that failure in the trace, and what should I look for?

Also, looking through the trace, I see messages like this:

Aug 4 11:11:30 11:11:30.438650:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1438, nsp2->pmtu: 1438

This is curious because I set mss to 1350. Maybe these things are not related, but I thought the mtu would be 1350?
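An added example, not from the post or from Juniper: a small Python parser for lines in the layout of the trace line quoted above. It splits each line into timestamp, CID and message, counts messages that mention a drop, and pulls the ipsize/mtu values out of "pre-frag" lines so you can see at a glance whether any packet exceeded the tunnel MTU. Only the first sample line is the post's own; the other lines are constructed in the same layout and their message text is hypothetical.

```python
import re
from collections import Counter

# Line layout taken from the one trace line quoted in the post:
# "Aug 4 11:11:30 11:11:30.438650:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1438, nsp2->pmtu: 1438"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d "
    r"(?P<stamp>\d\d:\d\d:\d\d\.\d{6}):CID-(?P<cid>\d+):RT:(?P<msg>.*)$"
)
PREFRAG_RE = re.compile(r"ipsize: (\d+), mtu: (\d+), nsp2->pmtu: (\d+)")

# Constructed sample: the first line is the post's own; the rest are made-up
# lines in the same layout (the drop/session message text is hypothetical).
SAMPLE = """\
Aug 4 11:11:30 11:11:30.438650:CID-0:RT:pre-frag not needed: ipsize: 60, mtu: 1438, nsp2->pmtu: 1438
Aug 4 11:11:30 11:11:30.438702:CID-0:RT:pre-frag check (constructed): ipsize: 1472, mtu: 1438, nsp2->pmtu: 1438
Aug 4 11:11:31 11:11:31.441003:CID-0:RT:packet dropped, hypothetical-reason
Aug 4 11:11:31 11:11:31.441010:CID-0:RT:flow session created (constructed)
not a trace line
"""

def parse_line(line):
    """Split one flow trace line into timestamp, CID and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cid"] = int(rec["cid"])
    frag = PREFRAG_RE.search(rec["msg"])
    if frag:  # pre-frag lines carry the packet size and the tunnel (path) MTU
        ipsize, mtu, pmtu = map(int, frag.groups())
        rec["prefrag"] = {"ipsize": ipsize, "mtu": mtu, "pmtu": pmtu,
                          "needs_frag": ipsize > mtu}
    return rec

def summarize(text):
    """Count drop-related lines and collect pre-frag sizes/MTUs from a whole trace."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    drops = [r for r in records if "drop" in r["msg"].lower()]
    prefrag = [r["prefrag"] for r in records if "prefrag" in r]
    return {"parsed": len(records), "drops": drops, "prefrag": prefrag,
            "mtus": Counter(p["mtu"] for p in prefrag)}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["parsed"], "lines;", len(s["drops"]), "drop lines; MTUs seen:", dict(s["mtus"]))
    for r in s["drops"]:
        print(r["stamp"], r["msg"])
```

Point it at the uploaded trace file instead of SAMPLE to list the drop lines with their timestamps next to the time of the ping that timed out.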