SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policy-Based VPN Juniper SRX CISCO

    Posted 07-03-2015 00:31

    Please help!

    I have a problem setting up a site to site VPN with Juniper SRX3400 and cisco 2901.

    The state of the tunnel when I check the security association is  MM_NO_STATE 0 ACTIVE (deleted).

     

    I have enabled the logging and the result is :

    KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=x.x.x.x) p1_remote=ipv4(any:0,[0..3]=x.x.x.x)

     

    also 


    Jun 4 18:52:08 KMD_INTERNAL_ERROR: iked_sa_cfg_delete_from_hash_table_for_one_gw: Failed to delete sa_cfg HQ-AZA from sadb hash tbl with rip=x.x.x.x, lip=x.x.x.x.

     



  • 2.  RE: Policy-Based VPN Juniper SRX CISCO

     
    Posted 07-03-2015 04:05

    Hello ,

     

    Can you share the configuration from the SRX side? Also, can you put the VPN policy on top of all other policies in that rule-set and check if you are getting the same error. And also make sure you include only one host/subnet in the security policy source/destination term.



  • 3.  RE: Policy-Based VPN Juniper SRX CISCO

    Posted 07-03-2015 04:24

    Thanks for the reply!

    I have a default policy permit all. I have included only one host/subnet in the security policy.



  • 4.  RE: Policy-Based VPN Juniper SRX CISCO

     
    Posted 07-03-2015 04:31

    Hello ,

     

    Can you share the SRX config?



  • 5.  RE: Policy-Based VPN Juniper SRX CISCO

    Posted 07-03-2015 04:45


    The 2 zones involved:

    security-zone peer1 {
        address-book {
            address Range5 192.168.5.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }

    security-zone peer2 {
        address-book {
            address Lan80 172.30.80.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }

     


    Policy applied to the zones involved:

     


    from-zone peer1 to-zone peer2 {
        policy 1to2 {
            match {
                source-address Range5;
                destination-address Lan80;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn sitetosite;
                        pair-policy 2to1;
                    }
                }
            }
        }
    }
    from-zone peer2 to-zone peer1 {
        policy 2to1 {
            match {
                source-address Lan80AZA;
                destination-address Range5;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn sitetosite;
                        pair-policy 1to2;
                    }
                }
            }
        }
    }

     

    The VPN configuration:

    security {
        ike {
            traceoptions {
                flag all;
            }
            proposal HQ_PHASE1 {
                description vpn;
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy POLICY-HQ {
                mode main;
                proposals HQ_PHASE1;
                pre-shared-key ascii-text "$9$bfsYoqmTzF/";
            }
            gateway GATEWAY-HQ {
                ike-policy POLICY-HQ;
                address 172.30.100.2;
                no-nat-traversal;
                external-interface ge-0/0/8;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            vpn-monitor-options;
            proposal HQ_PHASE2 {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy VPN-POLICY {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals HQ_PHASE2;
            }
            vpn sitetosite {
                ike {
                    gateway GATEWAY-HQ;
                    ipsec-policy VPN-POLICY;
                }
                establish-tunnels immediately;
            }
        }
    }
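    One way to sanity-check a policy-based VPN configuration like the one posted above, as an added example that is not part of this thread: it parses the Junos curly-brace text and verifies that every address a tunnel policy matches on exists in the address book of the zone on that side, and that the two pair-policy references point at each other. The sample is constructed from the posted zone and policy snippets (names Range5, Lan80, Lan80AZA, 1to2, 2to1 as posted); everything else in the block is assumed.

```python
# Constructed sample condensed from the zones and policies posted above (not the poster's full config).
SAMPLE = """
security-zone peer1 { address-book { address Range5 192.168.5.0/24; } }
security-zone peer2 { address-book { address Lan80 172.30.80.0/24; } }
from-zone peer1 to-zone peer2 { policy 1to2 { match { source-address Range5; destination-address Lan80; }
    then { permit { tunnel { ipsec-vpn sitetosite; pair-policy 2to1; } } } } }
from-zone peer2 to-zone peer1 { policy 2to1 { match { source-address Lan80AZA; destination-address Range5; }
    then { permit { tunnel { ipsec-vpn sitetosite; pair-policy 1to2; } } } } }
"""

def parse(text):
    """Parse Junos curly-brace text into nested dicts; 'address Range5 10.0.0.0/24;' -> {"address Range5": "10.0.0.0/24"}."""
    node = root = {}
    stack, words = [], []
    for tok in text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                       # open a block named by the words seen so far
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == ";":                     # leaf statement: last word is the value
            node[" ".join(words[:-1]) or words[0]] = words[-1] if len(words) > 1 else ""
            words = []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return root

def zone_addresses(cfg):
    """Map each security-zone name to the address-book entry names it defines."""
    return {k.split()[1]: {a.split()[1] for a in n.get("address-book", {}) if a.startswith("address ")}
            for k, n in cfg.items() if k.startswith("security-zone ")}

def check_policies(cfg):
    """Return a list of problems found in tunnel policies; an empty list means the references are consistent."""
    zones, pairs, problems = zone_addresses(cfg), {}, []
    for key, node in cfg.items():
        parts = key.split()                  # ["from-zone", "peer1", "to-zone", "peer2"]
        if parts[:1] != ["from-zone"]:
            continue
        for pkey, pol in node.items():
            name, match = pkey.split()[1], pol.get("match", {})
            for field, zone in (("source-address", parts[1]), ("destination-address", parts[3])):
                addr = match.get(field)
                if addr and addr != "any" and addr not in zones.get(zone, set()):
                    problems.append(f"policy {name}: {field} {addr} not in address-book of zone {zone}")
            pairs[name] = pol.get("then", {}).get("permit", {}).get("tunnel", {}).get("pair-policy")
    # pair-policy references must be reciprocal so both directions share one VPN.
    problems += [f"policy {n}: pair-policy {p} does not point back" for n, p in pairs.items() if p and pairs.get(p) != n]
    return problems
```

    Running check_policies(parse(SAMPLE)) reports the source-address name that the posted peer2 address book does not define; the check is static and says nothing about whether the Cisco side agrees.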



  • 6.  RE: Policy-Based VPN Juniper SRX CISCO

     
    Posted 07-03-2015 20:05

    Hello ,

     

    The configuration looks fine. And I hope it's matching the CISCO configuration also. As a workaround, you can try removing all the configuration, rolling back the config and doing "commit full" if not in production.

     

    Else try a normal commit also after a rollback. What Junos version are you running on the SRX? It looks like an already known issue in older versions of Junos.

     



  • 7.  RE: Policy-Based VPN Juniper SRX CISCO

    Posted 07-05-2015 23:30

    On the SRX3400 I'm running version 10.4R3.4.

     

     



  • 8.  RE: Policy-Based VPN Juniper SRX CISCO
    Best Answer

     
    Posted 07-06-2015 00:24

    Hello ,

     

    10.4 versions are end of support and end of life. We did have multiple VPN related issues with CISCO devices on these versions. Please upgrade to 12.1X44-D45 and check, since it's the current recommended release and has all the VPN enhancements and bug fixes.



  • 9.  RE: Policy-Based VPN Juniper SRX CISCO

    Posted 07-06-2015 00:49

    Thank you very much, I will update and will contact you after I finish the process.



  • 10.  RE: Policy-Based VPN Juniper SRX CISCO

     
    Posted 07-06-2015 01:45

    Hello ,

     

    Sure, please update the results for further analysis.