Hello,
I'm quite new to Junos and I have set up an SRX100 and configured a VPN between the SRX and an ISG1000.
The VPN is up and traffic is OK from the PC behind the SRX to the other LAN, but it's not working from the LAN before the ISG1000 to the SRX trust or loopback.
Here are my logs, and I can see "packet dropped, no way(tunnel) out".
I've heard that error occurs because there are 2 VPNs set up on the same interface, but I have only one VPN.
Also, something strange is that I have 2 SAs on my monitor...
fw1-cg13(M)-> get db stream
**st: <Trust|ethernet3/1|Root|0> 48286c0: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust/ethernet3/1> packet received [60]******
ipid = 16186(3f3a), @048286c0
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet3/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet3/1>, out <N/A>
chose interface ethernet3/1 as incoming nat if.
IP classification from non-shared src if : vsys Root
flow_first_routing: in <ethernet3/1>, out <N/A>
search route to (ethernet3/1, 10.1.222.230->10.224.124.237) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 94.route 10.224.124.237->192.168.254.249, to ethernet3/2
routed (x_dst_ip 10.224.124.237) from ethernet3/1 (ethernet3/1 in 0) to ethernet3/2
IP classification from non-shared dst if : vsys Root
Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:0
policy search from zone 2-> zone 1004
policy_flow_search policy search nat_crt from zone 2-> zone 1004
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.224.124.237, port 55285, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 3/183/0x9
Permitted by policy 3
No src xlate choose interface ethernet3/2 as outgoing phy if
check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet3/2
vsd 0 is active
no loop on ifp ethernet3/2.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet3/1>, out <ethernet3/2>
existing vector list 20-24b9f464.
Session (id:503390) created for first pak 20
flow_first_install_session======>
route to 192.168.254.249
arp entry found for 192.168.254.249
ifp2 ethernet3/2, out_ifp ethernet3/2, flag 00800000, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet3/2, 10.224.124.237->10.1.222.230) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet3/1
[ Dest] 67.route 10.1.222.230->192.168.2.250, to ethernet3/1
route to 192.168.2.250
arp entry found for 192.168.2.250
ifp2 ethernet3/1, out_ifp ethernet3/1, flag 00800001, tunnel ffffffff, rc 1
flow got session.
flow session id 503390
flow_main_body_vector in ifp ethernet3/1 out ifp ethernet3/2
flow vector index 0x20, vector addr 0x24b9f464, orig vector 0x24b9f464
vsd 0 is active
post addr xlation: 10.1.222.230->10.224.124.237.
packet send out to 001b17000114 (cached) through ethernet3/2
**st: <Trust-Int|ethernet1/1|fw-in-cg13|0> 4828840: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust-Int/ethernet1/1> packet received [60]******
ipid = 16186(3f3a), @04828840
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet1/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<fw-in-cg13>
no session found
flow_first_sanity_check: in <ethernet1/1>, out <N/A>
chose interface ethernet1/1 as incoming nat if.
IP classification from non-shared src if : vsys fw-in-cg13
flow_first_routing: in <ethernet1/1>, out <N/A>
search route to (ethernet1/1, 10.1.222.230->10.224.124.237) in vr internet-vr for vsd-0/flag-0/ifp-null
cached route 0 for 10.224.124.237
add route 187 for 10.224.124.237 to route cache table
[ Dest] 187.route 10.224.124.237->10.224.131.177, to tunnel.8
routed (x_dst_ip 10.224.124.237) from ethernet1/1 (ethernet1/1 in 0) to tunnel.8
IP classification from non-shared dst if : vsys fw-in-cg13
Cross vsys set nat crt vsys:fw-in-cg13, pak vsys:fw-in-cg13, vsys:fw-in-cg13, result:0
policy search from zone 1003-> zone 1005
policy_flow_search policy search nat_crt from zone 1003-> zone 1005
RPC Mapping Table search returned 0 matched service(s) for (vsys fw-in-cg13, ip 10.224.124.237, port 55285, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2328/93/0x9
Permitted by policy 2328
No src xlate NHTB entry search not found: vpn none tif tunnel.8 nexthop 10.224.131.177
packet dropped, no way(tunnel) out
I have set up all policies and services as any/any; I really don't know where the problem is.
I've attached my configuration, if someone can help me a bit.
Thanks
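As an added illustration (not part of the original post or of any Juniper tool), here is a small Python parser for this kind of "get db stream" trace: it splits the output into per-packet records (inbound interface, routed egress, matched policy, outcome) and flags packets routed to a tunnel.N interface that were dropped because no NHTB (next-hop tunnel binding) entry existed, which is what the second trace above shows. The sample trace is a constructed excerpt modelled on the post's output.

```python
import re

# Constructed excerpt of ScreenOS "get db stream" output, modelled on the two
# packet traces in the post (route, policy, then either send-out or drop).
SAMPLE_TRACE = """\
****** 8317225.0: <Trust/ethernet3/1> packet received [60]******
[ Dest] 94.route 10.224.124.237->192.168.254.249, to ethernet3/2
Permitted by policy 3
packet send out to 001b17000114 (cached) through ethernet3/2
****** 8317225.0: <Trust-Int/ethernet1/1> packet received [60]******
[ Dest] 187.route 10.224.124.237->10.224.131.177, to tunnel.8
Permitted by policy 2328
No src xlate NHTB entry search not found: vpn none tif tunnel.8 nexthop 10.224.131.177
packet dropped, no way(tunnel) out
"""

PKT_RE = re.compile(r"^\*+ [\d.]+: <(?P<zone>[^/]+)/(?P<ifp>[^>]+)> packet received")
ROUTE_RE = re.compile(r"^\[ Dest\] \d+\.route \S+->(?P<nh>\S+), to (?P<out>\S+)")
POLICY_RE = re.compile(r"^Permitted by policy (?P<id>\d+)")
NHTB_RE = re.compile(r"NHTB entry search not found: vpn \S+ tif (?P<tif>\S+) nexthop (?P<nh>\S+)")
SENT_RE = re.compile(r"^packet send out to \S+ .*through (?P<out>\S+)")

def parse_trace(text):
    """One dict per packet: inbound ifp, routed egress, policy id and outcome."""
    packets, cur = [], None
    for line in text.splitlines():
        if (m := PKT_RE.match(line)):
            cur = {"zone": m["zone"], "in_ifp": m["ifp"], "out_ifp": None,
                   "nexthop": None, "policy": None, "missing_nhtb": None,
                   "result": "unknown"}
            packets.append(cur)
        elif cur is None:
            continue  # lines before the first packet header
        elif (m := ROUTE_RE.match(line)):
            cur["out_ifp"], cur["nexthop"] = m["out"], m["nh"]
        elif (m := POLICY_RE.match(line)):
            cur["policy"] = int(m["id"])
        elif (m := NHTB_RE.search(line)):  # may share a line with "No src xlate"
            cur["missing_nhtb"] = (m["tif"], m["nh"])
        elif SENT_RE.match(line):
            cur["result"] = "forwarded"
        elif line.startswith("packet dropped, "):
            cur["result"] = "dropped: " + line[len("packet dropped, "):]
    return packets

def tunnel_drops(packets):
    """Packets routed to a tunnel.N interface that were dropped for lack of an
    NHTB (next-hop tunnel binding) entry, i.e. the tunnel has no VPN bound."""
    return [p for p in packets
            if (p["out_ifp"] or "").startswith("tunnel.") and p["missing_nhtb"]]
```

Running tunnel_drops(parse_trace(SAMPLE_TRACE)) returns only the second packet, with missing_nhtb set to ("tunnel.8", "10.224.131.177"), which points at the tunnel interface whose VPN/next-hop binding needs checking.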