SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX100 - VPN Problem: packet dropped, no way(tunnel) out

    Posted 05-02-2016 06:19

    Hello,

    I'm quite new to Junos and I have set up an SRX100 and configured a VPN between the SRX and an ISG1000.

    The VPN is UP and traffic is OK from the PC behind the SRX to the other LAN, but it's not working from the LAN before the ISG1000 to the SRX trust or loopback.

    Here are my logs, and I can see "packet dropped, no way(tunnel) out":

    I've heard that this error occurs when there are 2 VPNs set up on the same interface, but I have only one VPN.

    Also, something strange is that I have 2 SAs in my monitor...

    fw1-cg13(M)-> get db stream
    **st: <Trust|ethernet3/1|Root|0> 48286c0: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
    ****** 8317225.0: <Trust/ethernet3/1> packet received [60]******
    ipid = 16186(3f3a), @048286c0
    packet passed sanity check.
    flow_decap_vector IPv4 process
    ethernet3/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <ethernet3/1>, out <N/A>
    chose interface ethernet3/1 as incoming nat if.
    IP classification from non-shared src if : vsys Root
    flow_first_routing: in <ethernet3/1>, out <N/A>
    search route to (ethernet3/1, 10.1.222.230->10.224.124.237) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 94.route 10.224.124.237->192.168.254.249, to ethernet3/2
    routed (x_dst_ip 10.224.124.237) from ethernet3/1 (ethernet3/1 in 0) to ethernet3/2
    IP classification from non-shared dst if : vsys Root
    Cross vsys set nat crt vsys:Root, pak vsys:Root, vsys:Root, result:0
    policy search from zone 2-> zone 1004
    policy_flow_search policy search nat_crt from zone 2-> zone 1004
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.224.124.237, port 55285, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 3/183/0x9
    Permitted by policy 3
    No src xlate choose interface ethernet3/2 as outgoing phy if
    check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet3/2
    vsd 0 is active
    no loop on ifp ethernet3/2.
    session application type 0, name None, nas_id 0, timeout 60sec
    service lookup identified service 0.
    flow_first_final_check: in <ethernet3/1>, out <ethernet3/2>
    existing vector list 20-24b9f464.
    Session (id:503390) created for first pak 20
    flow_first_install_session======>
    route to 192.168.254.249
    arp entry found for 192.168.254.249
    ifp2 ethernet3/2, out_ifp ethernet3/2, flag 00800000, tunnel ffffffff, rc 1
    outgoing wing prepared, ready
    handle cleartext reverse route
    search route to (ethernet3/2, 10.224.124.237->10.1.222.230) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet3/1
    [ Dest] 67.route 10.1.222.230->192.168.2.250, to ethernet3/1
    route to 192.168.2.250
    arp entry found for 192.168.2.250
    ifp2 ethernet3/1, out_ifp ethernet3/1, flag 00800001, tunnel ffffffff, rc 1
    flow got session.
    flow session id 503390
    flow_main_body_vector in ifp ethernet3/1 out ifp ethernet3/2
    flow vector index 0x20, vector addr 0x24b9f464, orig vector 0x24b9f464
    vsd 0 is active
    post addr xlation: 10.1.222.230->10.224.124.237.
    packet send out to 001b17000114 (cached) through ethernet3/2
    **st: <Trust-Int|ethernet1/1|fw-in-cg13|0> 4828840: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
    ****** 8317225.0: <Trust-Int/ethernet1/1> packet received [60]******
    ipid = 16186(3f3a), @04828840
    packet passed sanity check.
    flow_decap_vector IPv4 process
    ethernet1/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<fw-in-cg13>
    no session found
    flow_first_sanity_check: in <ethernet1/1>, out <N/A>
    chose interface ethernet1/1 as incoming nat if.
    IP classification from non-shared src if : vsys fw-in-cg13
    flow_first_routing: in <ethernet1/1>, out <N/A>
    search route to (ethernet1/1, 10.1.222.230->10.224.124.237) in vr internet-vr for vsd-0/flag-0/ifp-null
    cached route 0 for 10.224.124.237
    add route 187 for 10.224.124.237 to route cache table
    [ Dest] 187.route 10.224.124.237->10.224.131.177, to tunnel.8
    routed (x_dst_ip 10.224.124.237) from ethernet1/1 (ethernet1/1 in 0) to tunnel.8
    IP classification from non-shared dst if : vsys fw-in-cg13
    Cross vsys set nat crt vsys:fw-in-cg13, pak vsys:fw-in-cg13, vsys:fw-in-cg13, result:0
    policy search from zone 1003-> zone 1005
    policy_flow_search policy search nat_crt from zone 1003-> zone 1005
    RPC Mapping Table search returned 0 matched service(s) for (vsys fw-in-cg13, ip 10.224.124.237, port 55285, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 2328/93/0x9
    Permitted by policy 2328
    No src xlate NHTB entry search not found: vpn none tif tunnel.8 nexthop 10.224.131.177
    packet dropped, no way(tunnel) out
    I have set up all policies and services as any/any; I really don't know where the problem is.

    I've attached my configuration, if someone can help me a bit.

    Thanks
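The trace above shows the same ICMP packet handled twice on the ISG: once in vsys Root, where it is routed out ethernet3/2 and forwarded, and once in vsys fw-in-cg13, where the route selects tunnel.8 and the packet dies at the NHTB (next-hop tunnel binding) lookup. Below is an added example, not from the original post and not Juniper code: a small Python parser over a constructed excerpt of that `get db stream` output that splits it into per-packet sections and reports, for each one, whether it was forwarded or dropped, pulling out the NHTB miss details (vpn / tunnel interface / next hop) so the failing hop is obvious at a glance. The log line formats are taken from the thread; the field names and the wording of `explain()` are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the "get db stream" trace from the post above
# (two packet sections, trimmed to the lines the parser cares about).
SAMPLE_TRACE = """\
**st: <Trust|ethernet3/1|Root|0> 48286c0: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust/ethernet3/1> packet received [60]******
ethernet3/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<Root>
no session found
routed (x_dst_ip 10.224.124.237) from ethernet3/1 (ethernet3/1 in 0) to ethernet3/2
Permitted by policy 3
packet send out to 001b17000114 (cached) through ethernet3/2
**st: <Trust-Int|ethernet1/1|fw-in-cg13|0> 4828840: 3f3a:10.1.222.230/1->10.224.124.237/7565,1,60
****** 8317225.0: <Trust-Int/ethernet1/1> packet received [60]******
ethernet1/1:10.1.222.230/30053->10.224.124.237/1,1(8/0)<fw-in-cg13>
no session found
routed (x_dst_ip 10.224.124.237) from ethernet1/1 (ethernet1/1 in 0) to tunnel.8
Permitted by policy 2328
No src xlate NHTB entry search not found: vpn none tif tunnel.8 nexthop 10.224.131.177
packet dropped, no way(tunnel) out
"""

# One regex per trace line we care about; everything else is ignored.
SECTION_RE = re.compile(r"^\*\*st: <(?P<zone>[^|]+)\|(?P<ifname>[^|]+)\|(?P<vsys>[^|]+)\|\d+>")
FLOW_RE = re.compile(r"^[\w./-]+:(?P<src>\d+(?:\.\d+){3})/\d+->(?P<dst>\d+(?:\.\d+){3})/\d+")
ROUTED_RE = re.compile(r"^routed \(x_dst_ip \S+\) from \S+ .* to (?P<egress>\S+)$")
POLICY_RE = re.compile(r"^Permitted by policy (?P<pid>\d+)$")
SENT_RE = re.compile(r"^packet send out to .* through (?P<egress>\S+)$")
# "No src xlate" and the NHTB message share a line in the trace, so use search().
NHTB_RE = re.compile(r"NHTB entry search not found: vpn (?P<vpn>\S+) tif (?P<tif>\S+) nexthop (?P<nexthop>\S+)")
DROP_RE = re.compile(r"^packet dropped, (?P<reason>.+)$")


@dataclass
class PacketTrace:
    """What the flow engine decided for one packet section of the trace."""
    zone: str
    ingress_if: str
    vsys: str
    src: str = ""
    dst: str = ""
    routed_to: Optional[str] = None          # egress chosen by the route lookup
    policy_id: Optional[int] = None
    sent_via: Optional[str] = None           # set only if the packet actually left
    drop_reason: Optional[str] = None
    nhtb_miss: Optional[Dict[str, str]] = None  # vpn / tif / nexthop of a failed NHTB lookup

    @property
    def forwarded(self) -> bool:
        return self.sent_via is not None and self.drop_reason is None


def parse_trace(text: str) -> List[PacketTrace]:
    """Split a ScreenOS 'get db stream' dump into per-packet results."""
    traces: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # "**st:" opens a new packet section
            cur = PacketTrace(m["zone"], m["ifname"], m["vsys"])
            traces.append(cur)
            continue
        if cur is None:
            continue
        if (m := FLOW_RE.match(line)):
            cur.src, cur.dst = m["src"], m["dst"]
        elif (m := ROUTED_RE.match(line)):
            cur.routed_to = m["egress"]
        elif (m := POLICY_RE.match(line)):
            cur.policy_id = int(m["pid"])
        elif (m := SENT_RE.match(line)):
            cur.sent_via = m["egress"]
        elif (m := NHTB_RE.search(line)):
            cur.nhtb_miss = m.groupdict()
        elif (m := DROP_RE.match(line)):
            cur.drop_reason = m["reason"]
    return traces


def explain(trace: PacketTrace) -> str:
    """One-line verdict per packet section, in the terms the trace itself uses."""
    where = f"{trace.vsys}:{trace.ingress_if} {trace.src}->{trace.dst}"
    if trace.forwarded:
        return f"{where}: forwarded via {trace.sent_via} (policy {trace.policy_id})"
    if trace.nhtb_miss and trace.drop_reason:
        n = trace.nhtb_miss
        return (f"{where}: dropped ({trace.drop_reason}); route chose {n['tif']} via next hop "
                f"{n['nexthop']} but no NHTB entry binds that next hop to a VPN (vpn {n['vpn']}); "
                f"check the NHTB table of {n['tif']} and the Phase 2 SA state")
    return f"{where}: dropped ({trace.drop_reason or 'unknown reason'})"


if __name__ == "__main__":
    for t in parse_trace(SAMPLE_TRACE):
        print(explain(t))
```

Run it against a saved `get db stream` capture and the second line of output points straight at tunnel.8 / 10.224.131.177, which is the binding the thread ends up fixing; the first line confirms the Root vsys leg is fine, so the policy and route on that leg can be ruled out without reading the whole dump.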



  • 2.  RE: SRX100 - VPN Problem: packet dropped, no way(tunnel) out

    Posted 05-02-2016 11:48

    Hello,
    As per the above logs, I believe you are seeing the packets getting dropped on the ISG side.

    As per the logs, please check the route and policy on the ISG side for the traffic from the LAN on the ISG side to the SRX and see if it is correctly pointing for it to go over the VPN tunnel or not.

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂



  • 3.  RE: SRX100 - VPN Problem: packet dropped, no way(tunnel) out

    Posted 05-03-2016 00:29

    Are you sure it's on the ISG1000 side? Because I've already checked all routes from the ISG1000 to the SRX, and in the logs it looks like the traffic goes until the last hop before the SRX and can't enter in?

    Can you check my configuration? Maybe I did something bad in the VPN configuration or in the policies?

    Also, something is strange: I have 2 SAs for Phase 2 in my VPN monitor...



  • 4.  RE: SRX100 - VPN Problem: packet dropped, no way(tunnel) out
    Best Answer

    Posted 05-04-2016 07:37

    Hello,
    As per the above logs, the packet is getting dropped on the ISG side of the tunnel with the error "packet dropped, no way(tunnel) out".

    Please refer to the KB article below to resolve the issues related to the above error.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB7253&actp=search
    As per the above KB article, if you have multiple tunnels on the same tunnel interface then this issue can happen, but as you have specified in your earlier posts that there is no other tunnel bound to this interface, I suppose that multiple Phase 2 SAs on the ISG side are causing the issue.

    Please try and clear the IKE and IPsec associations (Phase 1 and Phase 2) from both the ISG and the SRX if possible, or at least from one side, and then check if it resolves the issue.

    Thanks,
    Pulkit Bhandari

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂



  • 5.  RE: SRX100 - VPN Problem: packet dropped, no way(tunnel) out

    Posted 05-04-2016 07:59

    OK, it finally worked after adding the route in the NHTB like you said, thanks.

    But I also have some SSG5s with their routes in the NHTB table, and for the SSG5s they were added automatically.

    I don't understand why I needed to add it as static for the SRX??

    But thanks, it works 🙂