SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX100 VPN with Hillstone Firewall device

  • 1.  SRX100 VPN with Hillstone Firewall device

    Posted 09-16-2014 23:38

    Hi, 

     

    I configured a site-to-site route-based VPN with an SRX100 at my office and a Hillstone Firewall at the remote office end. The VPN diagram is as follows:

     

    MY-PC -----------> Juniper SRX100 -------------> Internet --------------> HillstoneDevice -----------> Remote-PC

    172.16.10.8         LAN-172.16.10.2                                                          PeerIP 202.69.12.201       IP 202.69.15.161

                                   WAN-203.215.166.85/29

                                   GW-203.215.166.81/29

     

    Both phase 1 and phase 2 of the tunnel show up on the Juniper SRX100:

     

    admin@Stepnex> show security ike sa

    Index       State Initiator cookie               Responder cookie          Mode         Remote Address
    2459649 UP    ede373842628f2a5     f189641006d433fe          Main           202.69.12.201

     

    admin@Stepnex> show security ipsec sa
    Total active tunnels: 3
    ID               Algorithm                   SPI Life:sec/kb                     Mon           lsys              Port                 Gateway
    <131073   ESP:aes-256/sha1 800a1dea 3568/ unlim       U               root              500                 202.69.12.201
    >131073   ESP:aes-256/sha1 39f78dde 3568/ unlim         U               root              500                 202.69.12.201

     

    Still, there is no traffic passing through the tunnel, i.e. the VPN is not working.

     

    SRX100 running configuration is as attached.

     

    A quick response would be highly appreciated.

     

    Regards.

    Adnan

     




  • 2.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 01:52

    Hi,

     

    You may want to add "host-inbound-services" within the config below, to allow the TelenorVPN zone to accept IKE traffic. You have currently added that config under your untrust zone, which does not host your st0.2 interface.

     

    security-zone TelenorVPN {
        interfaces {
            st0.2;
        }
    }


  • 3.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 03:54

    Dear 

     

    The config below was done, but still no success.

     

     

    security-zone TelenorVPN {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
        interfaces {
            st0.2;
        }
    }


  • 4.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 04:58

    I believe there should be a policy to accept traffic from the "untrust" zone to the "TelenorVPN" zone (hosting st0.2). Traffic is arriving on "untrust", right? If so, then maybe the return traffic is being dropped.

     

    Create that policy and test.



  • 5.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 21:42

    Dear wendohw

    The config below was done, but still no success.

     

            from-zone trust to-zone TelenorVPN {
                policy trust-telenor {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone TelenorVPN to-zone trust {
                policy telenor-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone TelenorVPN {
                policy untrust-telenor {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone TelenorVPN to-zone untrust {
                policy telenor-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }

     

    When I tracert IP 202.69.12.201 (i.e. the remote gateway) from my PC it finds the destination IP, but when I traceroute the same from the Juniper CLI it drops just one hop before the destination IP.

     

    PC tracert.jpg

    Juniper traceroute.jpg

     

    admin@Stepnex> show route 202.69.15.161
    
    inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    202.69.15.161/32   *[Static/5] 00:23:00
                        > via st0.2
    
    admin@Stepnex> admin@Stepnex>
    

    Still no data traffic to the remote encrypted domain.

     

    Regards,

     

    Muhammad Adnan



  • 6.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 22:26

    Hi,

     

    Do "restart ipsec-key-management" and try the ping once more. If it is still not working, then can you provide the output below? This includes traceoptions. So:

    > show interfaces extensive st0.2

    > show security flow session source-prefix x.x.x.x/24 destination-prefix x.x.x.x/24  (Need to confirm if traffic is matching the policy you just created)

     

    For traceoptions:

     

    set security ike traceoptions file FILE-NAME size 5m files 5 world-readable
    set security ike traceoptions flag ike
    set security ike traceoptions flag general
    set security ipsec traceoptions flag security-associations
    set security ipsec traceoptions flag packet-drops
    set security ipsec traceoptions flag packet-processing

     

    Repeat the ping and collect the information:

     

    > show log FILE-NAME

     

     



  • 7.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 01:23

    Dear 

     

    My Skype id is m.adnan80; add me and I will give you full access to the Juniper router.

     

    Thanks



  • 8.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 21:47

    Dear Wendohw

     

    1. The "show interfaces extensive st0.2" output is:

     

    admin@Stepnex> show interfaces extensive st0.2
      Logical interface st0.2 (Index 69) (SNMP ifIndex 536) (Generation 149)
        Description: Telenor_tunnel
        Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
        Traffic statistics:
         Input  bytes  :                  720
         Output bytes  :                12160
         Input  packets:                    6
         Output packets:                  179
        Local statistics:
         Input  bytes  :                    0
         Output bytes  :                 2172
         Input  packets:                    0
         Output packets:                   20
        Transit statistics:
         Input  bytes  :                  720                    0 bps
         Output bytes  :                 9988                    0 bps
         Input  packets:                    6                    0 pps
         Output packets:                  159                    0 pps
        Security: Zone: TelenorVPN
        Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset
        http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp
        snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
        Flow Statistics :
        Flow Input statistics :
          Self packets :                     0
          ICMP packets :                     6
          VPN packets :                      0
          Multicast packets :                0
          Bytes permitted by policy :        0
          Connections established :          0
        Flow Output statistics:
          Multicast packets :                0
          Bytes permitted by policy :        10844
        Flow error statistics (Packets dropped due to):
          Address spoofing:                  0
          Authentication failed:             0
          Incoming NAT errors:               0
          Invalid zone received packet:      0
          Multiple user authentications:     0
          Multiple incoming NAT:             0
          No parent for a gate:              0
          No one interested in self packets: 0
          No minor session:                  0
          No more sessions:                  0
          No NAT gate:                       0
          No route present:                  0
          No SA for incoming SPI:            0
          No tunnel found:                   0
          No session for a gate:             0
          No zone or NULL zone binding       0
          Policy denied:                     0
          Security association not active:   0
          TCP sequence number out of window: 0
          Syn-attack protection:             0
          User authentication errors:        0
        Protocol inet, MTU: 9192, Generation: 168, Route table: 0
          Flags: Sendbcast-pkt-to-re
    
    admin@Stepnex>
    

     2. 

     

    admin@Stepnex> ... flow session source-prefix 172.16.10.8 destination-prefix 202.69.15.161
    Session ID: 59041, Policy name: trust-telenor/4, Timeout: 44, Valid
      In: 172.16.10.8/1214 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1214;icmp, If: st0.2, Pkts: 0, Bytes: 0
    
    Session ID: 59043, Policy name: trust-telenor/4, Timeout: 48, Valid
      In: 172.16.10.8/1215 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1215;icmp, If: st0.2, Pkts: 0, Bytes: 0
    
    Session ID: 59045, Policy name: trust-telenor/4, Timeout: 54, Valid
      In: 172.16.10.8/1216 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1216;icmp, If: st0.2, Pkts: 0, Bytes: 0
    
    Session ID: 59047, Policy name: trust-telenor/4, Timeout: 58, Valid
      In: 172.16.10.8/1217 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1217;icmp, If: st0.2, Pkts: 0, Bytes: 0
    Total sessions: 4
    
    admin@Stepnex>
    

     3. Log file output after ping

    admin@Stepnex> show log flow-trace.log
    Sep 19 09:35:16 Stepnex clear-log[31590]: logfile cleared
    [Sep 19 09:35:26]ikev2_packet_allocate: Allocated packet d91800 from freelist
    [Sep 19 09:35:26]ike_sa_find: Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f }
    [Sep 19 09:35:26]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Sep 19 09:35:26]ike_get_sa: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f } / d257e269, remote = 202.125.152.237:500
    [Sep 19 09:35:26]ike_sa_find: Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f }
    [Sep 19 09:35:26]ike_alloc_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:26]ike_decode_packet: Start
    [Sep 19 09:35:26]ike_decode_packet: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f} / d257e269, nego = 0
    [Sep 19 09:35:26]ike_st_i_encrypt: Check that packet was encrypted succeeded
    [Sep 19 09:35:26]ike_st_i_gen_hash: Start, hash[0..16] = 1326273e b468b34c ...
    [Sep 19 09:35:26]ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD Are You There (36136), spi[0..16] = ac3c3522 e1866ca9 ..., data[0..4] = 117c76ae 00000000 ...
    [Sep 19 09:35:26]ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    [Sep 19 09:35:26]ike_sa_find_ip_port: Remote = all:500, Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:26]ike_alloc_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:26]ssh_ike_connect_notify: SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1
    [Sep 19 09:35:26]ike_encode_packet: Start, SA = { 0xac3c3522 e1866ca9 - a9e8da30 a907935f } / 6963f6e5, nego = 1
    [Sep 19 09:35:26]ike_send_packet: Start, send SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1, dst = 202.125.152.237:500,  routing table id = 0
    [Sep 19 09:35:26]ike_delete_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1
    [Sep 19 09:35:26]ike_free_negotiation_info: Start, nego = 1
    [Sep 19 09:35:26]ike_free_negotiation: Start, nego = 1
    [Sep 19 09:35:26]ike_st_i_private: Start
    [Sep 19 09:35:26]ike_send_notify: Connected, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 0
    [Sep 19 09:35:26]ike_delete_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 0
    [Sep 19 09:35:26]ike_free_negotiation_info: Start, nego = 0
    [Sep 19 09:35:26]ike_free_negotiation: Start, nego = 0
    [Sep 19 09:35:46]ikev2_packet_allocate: Allocated packet d91c00 from freelist
    [Sep 19 09:35:46]ike_sa_find: Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f }
    [Sep 19 09:35:46]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Sep 19 09:35:46]ike_get_sa: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f } / bc621b41, remote = 202.125.152.237:500
    [Sep 19 09:35:46]ike_sa_find: Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f }
    [Sep 19 09:35:46]ike_alloc_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:46]ike_decode_packet: Start
    [Sep 19 09:35:46]ike_decode_packet: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f} / bc621b41, nego = 0
    [Sep 19 09:35:46]ike_st_i_encrypt: Check that packet was encrypted succeeded
    [Sep 19 09:35:46]ike_st_i_gen_hash: Start, hash[0..16] = 2ae4498c 9f84aee6 ...
    [Sep 19 09:35:46]ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD Are You There (36136), spi[0..16] = ac3c3522 e1866ca9 ..., data[0..4] = 117c76af 00000000 ...
    [Sep 19 09:35:46]ssh_ike_connect_notify: Start, remote_name = :500, flags = 00010000
    [Sep 19 09:35:46]ike_sa_find_ip_port: Remote = all:500, Found SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:46]ike_alloc_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}
    [Sep 19 09:35:46]ssh_ike_connect_notify: SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1
    [Sep 19 09:35:46]ike_encode_packet: Start, SA = { 0xac3c3522 e1866ca9 - a9e8da30 a907935f } / 0c09b316, nego = 1
    [Sep 19 09:35:46]ike_send_packet: Start, send SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1, dst = 202.125.152.237:500,  routing table id = 0
    [Sep 19 09:35:46]ike_delete_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 1
    [Sep 19 09:35:46]ike_free_negotiation_info: Start, nego = 1
    [Sep 19 09:35:46]ike_free_negotiation: Start, nego = 1
    [Sep 19 09:35:46]ike_st_i_private: Start
    [Sep 19 09:35:46]ike_send_notify: Connected, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 0
    [Sep 19 09:35:46]ike_delete_negotiation: Start, SA = { ac3c3522 e1866ca9 - a9e8da30 a907935f}, nego = 0
    [Sep 19 09:35:46]ike_free_negotiation_info: Start, nego = 0
    [Sep 19 09:35:46]ike_free_negotiation: Start, nego = 0
    
    admin@Stepnex>
    

     

     

     



  • 9.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 22:26

    Dear all,

     

    There is one more thing that is confusing me a lot. For the "show security flow session source-prefix 172.16.10.8 destination-prefix 202.69.15.161 extensive" command the output is:

     

    admin@Stepnex> show security flow session source-prefix 172.16.10.8 destination-prefix 202.69.15.161 extensive
    Session ID: 59269, Status: Normal
    Flag: 0x40
    Policy name: trust-telenor/4
    Source NAT pool: Null
    Dynamic application: junos:UNKNOWN,
    Maximum timeout: 60, Current timeout: 56
    Session State: Valid
    Start time: 340007, Duration: 5
       In: 172.16.10.8/1222 --> 202.69.15.161/1;icmp,
        Interface: fe-0/0/1.0,
        Session token: 0x6, Flag: 0x21
        Route: 0xd0010, Gateway: 172.16.10.8, Tunnel: 0
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 1, Bytes: 60
       Out: 202.69.15.161/1 --> 172.16.10.8/1222;icmp,
        Interface: st0.2,
        Session token: 0x8, Flag: 0x20
        Route: 0x230010, Gateway: 202.69.15.161, Tunnel: 537001986
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 0, Bytes: 0
    
    Total sessions: 2
    admin@Stepnex> 

     In the above output the In request is processed through fe-0/0/1.0 with Tunnel: 0, while the Out line shows that the interface is st0.2 with a tunnel ID.

     

    Why is there no tunnel ID for the In traffic from 172.16.10.8?

     



  • 10.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 23:01

    Hi

     

    The decrypted packets count is more than 4. Maybe there is other traffic from the remote side towards your network.

     

    Incoming traffic will not have a tunnel id, I think, but I am not sure.

     

    The incoming packet will be an ESP packet; it will match the ESP session on the SRX and, if the SPI values match, it will get decrypted. If the SPI value is not right, then it will get dropped without decryption.

     

    As per the statistics output, it looks like incoming packets are getting decrypted but they are not matching the ICMP session.

     

    Configure the following flow traceoptions with packet filters as follows:

     

    1. packet-filter P1 source-address 172.16.10.8 destination-address 202.69.15.161

    2. packet-filter P2 source-address 202.69.15.161 destination-address 172.16.10.8

    3. packet-filter P3 source-address 203.215.166.85 destination-address 202.69.12.201 protocol esp

    4. packet-filter P4 source-address 202.69.12.201 destination-address 203.215.166.85 protocol esp

     

     

    Clear the ipsec statistics and set the security flow traceoptions file size 5M files 4.

     

    Send 4 ICMP packets and share the following outputs:

     

    1. show security flow session tunnel

    2. show security flow session source-prefix 172.16.10.8 destination-prefix 202.69.15.161

    3. show security ike sa

    4. show security ipsec sa

    5. show security ipsec sa index id detail

     

    6. Then the flow traceoptions file.

     

    Regards,

    Parthi



  • 11.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-17-2014 22:28

    Hi Muhammad Adnan,

     

    I checked the configuration and found that VPN monitoring is wrongly configured.

    vpn ipsec-vpn-telenor {
        bind-interface st0.2;
        vpn-monitor {
            optimized;
            source-interface fe-0/0/0; <<<<<<<<<<<<<<<< Wrong interface
            destination-ip 202.69.15.161;
        }
    }

     

    The SRX will be generating ESP packets with source IP address 203.215.166.85.

    Remote 3rd-party vendors will not accept ESP packets with IP address 203.215.166.85.

     

    Because of it, the ipsec tunnel will be flapping.

     

    I would suggest the following:


    1. Disable VPN monitoring and check the VPN connectivity.

    2. Then continuously initiate a ping from 172.16.10.8 to 202.69.15.161.

    3. From the CLI, run "show security flow session source-prefix 172.16.10.8" and share the output.

    4. show security ipsec statistics index (index-id for this tunnel)
    5. show security ipsec security-association
    6. show security ipsec security-association index id detail

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 12.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 01:35

    The needful changes were made to the configuration.

     

    admin@Stepnex> show configuration security ipsec
    traceoptions {
        flag security-associations;
        flag packet-drops;
        flag packet-processing;
    }
    proposal ipsec-proposal-telenor {
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-policy-telenor {
        proposals ipsec-proposal-telenor;
    }
    vpn ipsec-vpn-telenor {
        bind-interface st0.2;
        ike {
            gateway ike-gate-telenor;
            proxy-identity {
                local 172.16.10.8/32;
                remote 202.69.15.161/32;
                service any;
            }
            ipsec-policy ipsec-policy-telenor;
        }
        establish-tunnels immediately;
    }
    
    admin@Stepnex>
    

     Step 2: Says "Request timed out".

    Step 3: Reply

    admin@Stepnex> show security flow session source-prefix 172.16.10.8
    Session ID: 52094, Policy name: AllowAll_untrust_trust/10, Timeout: 1794, Valid
      In: 172.16.10.8/49591 --> 217.146.6.5/5938;tcp, If: fe-0/0/1.0, Pkts: 71, Bytes: 6254
      Out: 217.146.6.5/5938 --> 203.215.166.85/25590;tcp, If: fe-0/0/0.0, Pkts: 38, Bytes: 5569
    Total sessions: 1
    
    admin@Stepnex>
    

     Step 4: Reply

    admin@Stepnex> show security ipsec sa
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131074 ESP:aes-256/sha1 6da10ab4 2719/ unlim -  root 500   202.69.12.201
      >131074 ESP:aes-256/sha1 39f7c210 2719/ unlim -  root 500   202.69.12.201
    
    admin@Stepnex>
    

     Step 5: Reply

    admin@Stepnex> show security ipsec sa detail
      ID: 131074 Virtual-system: root, VPN Name: ipsec-vpn-telenor
      Local Gateway: 203.215.166.85, Remote Gateway: 202.69.12.201
      Local Identity: ipv4(any:0,[0..3]=172.16.10.8)
      Remote Identity: ipv4(any:0,[0..3]=202.69.15.161)
      Version: IKEv1
        DF-bit: clear
        Bind-interface: st0.2
    
      Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 600a29
      Tunnel Down Reason: SA not initiated
        Direction: inbound, SPI: 6da10ab4, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 2664 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2042 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
        Direction: outbound, SPI: 39f7c210, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 2664 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 2042 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
    
    
    admin@Stepnex>
    

     Thanks.



  • 13.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 02:08

    Hi Muhammed,

     

    Please provide the correct security flow session.

     

    The current session is not for the actual destination 202.69.15.161:

     

    In: 172.16.10.8/49591 --> 217.146.6.5/5938;tcp, If: fe-0/0/1.0, Pkts: 71, Bytes: 6254
      Out: 217.146.6.5/5938 --> 203.215.166.85/25590;tcp, If: fe-0/0/0.0, Pkts: 38, Bytes: 5569

     

    From the PC, ping 202.69.15.161 and do this search:

     

    show security flow session source-prefix 172.16.10.8 destination-prefix 202.69.15.161

     

    After collecting the outputs, clear the VPN tunnel and then test again:

     

    clear security ipsec sa index id

    clear security ike sa index id

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 14.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 02:43

    The requested information is as under:

     

    admin@Stepnex> show security flow session source-prefix 172.16.10.8
    Session ID: 52788, Policy name: trust-telenor/4, Timeout: 52, Valid
      In: 172.16.10.8/1131 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1131;icmp, If: st0.2, Pkts: 0, Bytes: 0
    
    Session ID: 52789, Policy name: trust-telenor/4, Timeout: 58, Valid
      In: 172.16.10.8/1132 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1132;icmp, If: st0.2, Pkts: 0, Bytes: 0
    Total sessions: 2
    
    admin@Stepnex>
    

     After getting the above output, ipsec and ike were cleared and the ping from the PC was run again, with the result "Request timed out...".

     



  • 15.  RE: SRX100 VPN with Hillstone Firewall device
    Best Answer

    Posted 09-18-2014 02:58

    Hi,

     

    In: 172.16.10.8/1131 --> 202.69.15.161/1;icmp, If: fe-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 202.69.15.161/1 --> 172.16.10.8/1131;icmp, If: st0.2, Pkts: 0, Bytes: 0 <<<<< Reply is 0

     

     

    From the above output, the SRX is correctly processing the packet and sending it across the VPN tunnel st0.2.

     

    So it looks like the SRX is processing it, but there are no reply packets from the remote 3rd-party device.

     

    "show security ipsec statistics index number" will show that the encrypted packets increase but the decrypt counter will be 0.

     

    Please work with remote support to troubleshoot why remote party is not replying to the ICMP request.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 16.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 03:16

    Thanks for your kind support; I will follow up on the remote-side configuration. When the traffic starts flowing I will mark the post as the accepted solution.

     



  • 17.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 05:02

    Dear,

     

    Below are the ipsec statistics; please have a look at them, as it is receiving a lot of bytes and sending just a few when I start pinging the remote. Moreover, the remote person says that from my side data out is OK but nothing is received.

     

    admin@Stepnex> show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:              560
      Decrypted bytes:             1980
      Encrypted packets:              5
      Decrypted packets:             33
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0
    
    admin@Stepnex>
    

     



  • 18.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 05:30

    Hi Muhammad Adnan Khan

     

    Clear the ipsec statistics.

     

    Then send 4 ICMP requests to the remote end point, check the statistics again and update the session and ipsec statistics.

     

    Regards,

    rparthi



  • 19.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 07:55

    Dear Rparthi

     

    The required output from show security ipsec statistics is:

     

    admin@Stepnex> show security ipsec statistics
    ESP Statistics:
      Encrypted bytes:              480
      Decrypted bytes:              780
      Encrypted packets:              4
      Decrypted packets:             13
    AH Statistics:
      Input bytes:                    0
      Output bytes:                   0
      Input packets:                  0
      Output packets:                 0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0
    
    admin@Stepnex>
    

     



  • 20.  RE: SRX100 VPN with Hillstone Firewall device

    Posted 09-18-2014 10:56
    Hey,

    VPN monitoring, when enabled while the remote device is non-Juniper, causes flapping, as rparthi said.

    Looks like a known issue. See this KB for some alternatives or workarounds:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB23039&actp=RSS