SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 02:26

    Hi, I've got a weird problem here with a SRX100 trying to establish an IPSec tunnel to a remote non-Juniper device.

    The tunnel seems to go up, traffic can flow (i.e. I can ping from either side of the tunnel) and the IKE + IPsec SAs are UP; then, after circa 2-3 minutes, ping and other traffic stop flowing, phase 1 goes down, while phase 2 stays up.

    The only way to re-open the tunnel is to modify something in the configuration and commit. Even restarting ipsec-key-management does not bring it back up.

    I've also collected per-tunnel logs, which I'm attaching to this post.

     

    root@srx-xxx> show security ike security-associations
    
    root@srx-xxx> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-128/sha1 5db28687 1074/ unlim -  root 500   REMOTE_IP
      >131073 ESP:aes-128/sha1 c188d2fa 1074/ unlim -  root 500   REMOTE_IP
    
    root@srx-xxx> show security ipsec security-associations index 131073
      ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-besFarm
      Local Gateway: LOCAL_IP, Remote Gateway: REMOTE_IP
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.0
    
      Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
      Tunnel Down Reason: SA not initiated
        Direction: inbound, SPI: 5db28687, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 1057 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 435 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
        Direction: outbound, SPI: c188d2fa, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 1057 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 435 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

     

    Thank you for any help.

     

    Marco

     

    Attachment(s)

    kmd.txt   714 KB 1 version
    juniper_srx100_safe.txt   15 KB 1 version


  • 2.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 02:49

    Hi,

     

    Are you sure this tunnel actually comes up?  From your logs I see the below.  "Payload Malformed" would usually indicate a mismatch in the pre-shared key.

     

    [Oct 14 10:43:43][LOCAL_IP <-> REMOTE_IP]  ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
    [Oct 14 10:43:43][LOCAL_IP <-> REMOTE_IP]  <none>:500 (Responder) <-> REMOTE_IP:500 { bce184cc c68164c3 - 24dc2d71 3f7ea90a [1] / 0xd14c523d } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
    [Oct 14 10:43:43][LOCAL_IP <-> REMOTE_IP]  ike_st_i_private: Start

     



  • 3.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 03:49

    Hi and thank you for the quick reply.

    Yes, I am sure since I can ping the other side and I don't see any other reason I could do that without having the tunnel established. Just to be sure, I changed PSK on both sides; ping went up, then down again after a couple of minutes.

     

    Marco



  • 4.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 04:10

    This is what happens:

     

    root@srx-besimple> show security ike security-associations
    
    root@srx-besimple> show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-128/sha1 2eb2f5fd 3549/ unlim -  root 500   REMOTE_IP
      >131073 ESP:aes-128/sha1 cd35d6e9 3549/ unlim -  root 500   REMOTE_IP
    
    root@srx-besimple> show security ipsec security-associations index 131073
      ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-besFarm
      Local Gateway: LOCAL_IP, Remote Gateway: REMOTE_IP
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.0
    
      Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
      Tunnel Down Reason: SA not initiated
        Direction: inbound, SPI: 2eb2f5fd, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3511 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2889 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
        Direction: outbound, SPI: cd35d6e9, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3511 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2889 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
    
    root@srx-besimple> ping 172.16.200.1
    PING 172.16.200.1 (172.16.200.1): 56 data bytes
    64 bytes from 172.16.200.1: icmp_seq=0 ttl=64 time=36.879 ms
    64 bytes from 172.16.200.1: icmp_seq=1 ttl=64 time=37.273 ms
    64 bytes from 172.16.200.1: icmp_seq=2 ttl=64 time=38.390 ms
    64 bytes from 172.16.200.1: icmp_seq=3 ttl=64 time=38.121 ms
    64 bytes from 172.16.200.1: icmp_seq=4 ttl=64 time=36.714 ms
    64 bytes from 172.16.200.1: icmp_seq=5 ttl=64 time=35.126 ms
    64 bytes from 172.16.200.1: icmp_seq=6 ttl=64 time=34.900 ms
    64 bytes from 172.16.200.1: icmp_seq=7 ttl=64 time=34.091 ms
    64 bytes from 172.16.200.1: icmp_seq=8 ttl=64 time=35.901 ms
    ^C
    --- 172.16.200.1 ping statistics ---
    9 packets transmitted, 9 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 34.091/36.377/38.390/1.393 ms
    
    root@srx-besimple> ping 172.16.200.10
    PING 172.16.200.10 (172.16.200.10): 56 data bytes
    64 bytes from 172.16.200.10: icmp_seq=0 ttl=127 time=37.649 ms
    64 bytes from 172.16.200.10: icmp_seq=1 ttl=127 time=39.005 ms
    64 bytes from 172.16.200.10: icmp_seq=2 ttl=127 time=41.536 ms
    64 bytes from 172.16.200.10: icmp_seq=3 ttl=127 time=40.515 ms
    64 bytes from 172.16.200.10: icmp_seq=4 ttl=127 time=39.406 ms
    64 bytes from 172.16.200.10: icmp_seq=5 ttl=127 time=36.777 ms
    64 bytes from 172.16.200.10: icmp_seq=7 ttl=127 time=41.095 ms
    ^C
    --- 172.16.200.10 ping statistics ---
    8 packets transmitted, 7 packets received, 12% packet loss
    round-trip min/avg/max/stddev = 36.777/39.426/41.536/1.638 ms
    
    root@srx-besimple> ping 172.16.200.10
    PING 172.16.200.10 (172.16.200.10): 56 data bytes
    ^C
    --- 172.16.200.10 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss
    
    root@srx-besimple> ping 172.16.200.1
    PING 172.16.200.1 (172.16.200.1): 56 data bytes
    ^C
    --- 172.16.200.1 ping statistics ---
    4 packets transmitted, 0 packets received, 100% packet loss
    
    root@srx-besimple> show security ipsec security-associations index 131073
      ID: 131073 Virtual-system: root, VPN Name: ipsec-vpn-besFarm
      Local Gateway: LOCAL_IP, Remote Gateway: REMOTE_IP
      Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
      Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.0
    
      Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
      Tunnel Down Reason: SA not initiated
        Direction: inbound, SPI: 2eb2f5fd, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3405 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2783 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
        Direction: outbound, SPI: cd35d6e9, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 3405 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2783 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

    Does it make any sense?

    Marco



  • 5.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 04:50

    Hey,

    Have you checked the "lifetime" on both sides to see if they are the same?

    Do both sides use static IPs and not dynamic?




  • 6.  RE: SRX100: IPSec tunnel down after a couple of minutes

     
    Posted 10-14-2015 06:37

    Can you remove "dpd" config from SRX? From logs the re-negotiation happens because of DPD failures.

     

    [Oct 14 10:53:23][LOCAL_IP <-> REMOTE_IP]  Received DPD Trigger message with local_gw_addr = LOCAL_IP remote_gw_addr = REMOTE_IP

    [Oct 14 10:53:23][LOCAL_IP <-> REMOTE_IP]  DPD -> TTL decrement 4 (no-response) for remote peer REMOTE_IP



  • 7.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-14-2015 07:18

    Tried disabling it on both local and remote peer.

    This is the new kmd.

     

    Thanks,

    Marco

    Attachment(s)

    kmd_new.txt   126 KB 1 version


  • 8.  RE: SRX100: IPSec tunnel down after a couple of minutes

     
    Posted 10-14-2015 07:40

    Hello,

     

    What is the non-juniper device?

     

    Regards,

     

    Rushi



  • 9.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-16-2015 08:55

    Hi, it's a virtual appliance named Endian based on pfSense IIRC...


    Marco



  • 10.  RE: SRX100: IPSec tunnel down after a couple of minutes

    Posted 10-17-2015 01:21


  • 11.  RE: SRX100: IPSec tunnel down after a couple of minutes
    Best Answer

    Posted 11-20-2015 09:16

    Hi and sorry for the terribly late reply.

    The problem was in fact with DPD; in the original configuration I had set dead-peer-detection without parameters.

    Once I changed it to dead-peer-detection always-send, everything started working as expected and now the tunnel seems stable.

     

    Again thanks for your support.

     

    Marco
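
As an added example (not from Marco's posts or the configuration in the attached files), this is what the two DPD settings discussed in replies 6 and 11 look like in Junos set-format on an SRX, with the form that failed in this thread beside the corrected one. The gateway name `gw-besFarm` and the explicit interval and threshold values are assumptions; the thread only states that `dead-peer-detection` was first set without parameters and then changed to `always-send`.

```junos
## Added example, not the poster's configuration. "gw-besFarm" is a placeholder
## gateway name; the VPN in the thread is IKEv1, bound to st0.0.

## Form reported in the original post: DPD enabled with no mode and no timers.
## Junos then uses the default DPD mode (optimized), which only sends probes when
## the SRX has outgoing traffic and sees no incoming traffic; when the peer does
## not answer, the kmd log shows "DPD -> TTL decrement N (no-response)" and the
## IKE SA is deleted while the IPsec SA can remain installed, which matches the
## "phase 1 down, phase 2 up" symptom in the thread.
set security ike gateway gw-besFarm dead-peer-detection

## Form from the accepted answer: probe the peer on a fixed schedule regardless
## of traffic. Interval and threshold are written out here (assumed values, not
## from the thread) so the detection window is explicit:
## 10 s interval x 5 missed probes = 50 s before the IKE SA is declared dead.
set security ike gateway gw-besFarm dead-peer-detection always-send
set security ike gateway gw-besFarm dead-peer-detection interval 10
set security ike gateway gw-besFarm dead-peer-detection threshold 5

## Checks after "commit": phase 1 must stay listed alongside phase 2.
## > show security ike security-associations
## > show security ipsec security-associations
```

When comparing the two forms, the thing to verify on the non-Juniper side is that it answers DPD R-U-THERE probes at all; if it does not, the interval and threshold only change how quickly the SRX tears the IKE SA down, not whether it does.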