SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Troubleshooting VPN SRX210 --> PIX535

    Posted 10-04-2011 06:53

    Hi all, I need your knowledge to help me, please. I configured a policy-based VPN from an SRX210 to a PIX535, but the VPN is DOWN. I looked for information on the web (Google, juniper.net, etc.) but did not find a solution. I configured trace-options on the SRX and see the following:

     

    show log kmd
    Oct  4 08:52:03 ike_st_o_private: Start
    Oct  4 08:52:03 ike_policy_reply_private_payload_out: Start
    Oct  4 08:52:03 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 00000000 00000000 } / 00000000, nego = -1
    Oct  4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 00000000 00000000}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:03 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 00000000, remote = 206.49.166.253:500
    Oct  4 08:52:03 ike_sa_find: Not found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:03 ike_sa_find_half: Found half SA = { 4e80e37d 85197171 - 00000000 00000000 }
    Oct  4 08:52:03 ike_sa_upgrade: Start, SA = { 4e80e37d 85197171 - 00000000 00000000 } -> { ... - 0974013e dcca779f }
    Oct  4 08:52:03 ike_decode_packet: Start
    Oct  4 08:52:03 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f} / 00000000, nego = -1
    Oct  4 08:52:03 ike_decode_payload_sa: Start
    Oct  4 08:52:03 ike_decode_payload_t: Start, # trans = 1
    Oct  4 08:52:03 ike_st_i_sa_value: Start
    Oct  4 08:52:03 ike_st_i_cr: Start
    Oct  4 08:52:03 ike_st_i_cert: Start
    Oct  4 08:52:03 ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
    Oct  4 08:52:03 Setting natt remote version to 3
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'draft-ietf-ipsec-nat-t-ike-02'
    Oct  4 08:52:03 ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is '40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 c0 00 00 00'
    Oct  4 08:52:03 ike_st_i_private: Start
    Oct  4 08:52:03 ike_st_o_ke: Start
    Oct  4 08:52:03 ike_st_o_nonce: Start
    Oct  4 08:52:03 ike_policy_reply_isakmp_nonce_data_len: Start
    Oct  4 08:52:03 ike_st_o_private: Start
    Oct  4 08:52:03 ike_policy_reply_private_payload_out: Start
    Oct  4 08:52:03 my_ipaddr_as_ike_id: add <192.168.41.222>
    Oct  4 08:52:03 ike_policy_reply_private_payload_out: Start
    Oct  4 08:52:03 ike_policy_reply_private_payload_out: Start
    Oct  4 08:52:03 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 0974013e dcca779f } / 00000000, nego = -1
    Oct  4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:03 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 00000000, remote = 206.49.166.253:500
    Oct  4 08:52:03 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:03 ike_decode_packet: Start
    Oct  4 08:52:03 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f} / 00000000, nego = -1
    Oct  4 08:52:03 ike_st_i_nonce: Start, nonce[0..20] = 77bac5ad d72c3016 ...
    Oct  4 08:52:03 ike_st_i_ke: Ke[0..128] = 84f8c988 9d24ee97 ...
    Oct  4 08:52:03 ike_st_i_cr: Start
    Oct  4 08:52:03 ike_st_i_cert: Start
    Oct  4 08:52:03 ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'CISCO-UNITY'
    Oct  4 08:52:03 ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'draft-beaulieu-ike-xauth-02.txt'
    Oct  4 08:52:03 ike_st_i_vid: VID[0..16] = fcb3a623 dccb779f ...
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'fc b3 a6 23 dc cb 77 9f c1 f4 32 fd 89 a8 97 4c'
    Oct  4 08:52:03 ike_st_i_vid: VID[0..16] = 1f07f70e aa6514d3 ...
    Oct  4 08:52:03 The remote server at 206.49.166.253:500 is '1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00'
    Oct  4 08:52:03 ike_st_i_private: Start
    Oct  4 08:52:03 my_ipaddr_as_ike_id: add <192.168.41.222>
    Oct  4 08:52:03 NATT: Match found, local end is NOT behind NAT
    Oct  4 08:52:03 perceived == real remote.
    Oct  4 08:52:03 ike_st_o_id: Start
    Oct  4 08:52:03 ike_st_o_hash: Start
    Oct  4 08:52:04 ike_find_pre_shared_key: Find pre shared key key for 192.168.41.222:500, id = ipv4(udp:500,[0..3]=192.168.41.222) -> 206.49.166.253:500, id = No Id
    Oct  4 08:52:04 ike_policy_reply_find_pre_shared_key: Start
    Oct  4 08:52:04 ike_calc_mac: Start, initiator = true, local = true
    Oct  4 08:52:04 ike_st_o_status_n: Start
    Oct  4 08:52:04 ike_st_o_private: Start
    Oct  4 08:52:04 ike_policy_reply_private_payload_out: Start
    Oct  4 08:52:04 ike_st_o_encrypt: Marking encryption for packet
    Oct  4 08:52:04 ike_encode_packet: Start, SA = { 0x4e80e37d 85197171 - 0974013e dcca779f } / 00000000, nego = -1
    Oct  4 08:52:04 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:09 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1
    Oct  4 08:52:09 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:09 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 00000000, remote = 206.49.166.253:500
    Oct  4 08:52:09 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:17 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 00000000, remote = 206.49.166.253:500
    Oct  4 08:52:17 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:17 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:17 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 00000000, remote = 206.49.166.253:500
    Oct  4 08:52:17 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:19 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1
    Oct  4 08:52:19 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    Oct  4 08:52:19 ike_get_sa: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f } / 3ea7eb41, remote = 206.49.166.253:500
    Oct  4 08:52:19 ike_sa_find: Found SA = { 4e80e37d 85197171 - 0974013e dcca779f }
    Oct  4 08:52:19 ike_alloc_negotiation: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f}
    Oct  4 08:52:19 ike_decode_packet: Start
    Oct  4 08:52:19 ike_decode_packet: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f} / 3ea7eb41, nego = 0
    Oct  4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d 85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Trying to decrypt, but no decryption context initialized
    Oct  4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d 85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Error = No SA established (8194)
    Oct  4 08:52:19 ike_send_notify: Notification to informational exchange ignored
    Oct  4 08:52:19 ike_delete_negotiation: Start, SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = 0
    Oct  4 08:52:19 ike_free_negotiation_info: Start, nego = 0
    Oct  4 08:52:19 ike_free_negotiation: Start, nego = 0
    Oct  4 08:52:39 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1
    Oct  4 08:52:39 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
    I don't know much about VPN and Juniper... and my English is not good...
    If you can help me, I will be grateful.
    Thanks


  • 2.  RE: Troubleshooting VPN SRX210 --> PIX535

    Posted 10-05-2011 09:25

    Do you have any of your config? Are you trying to do NAT?



  • 3.  RE: Troubleshooting VPN SRX210 --> PIX535

    Posted 10-05-2011 21:14

    Hi... I am not doing NAT... Do I need to make NAT for that policy-based VPN? And why, in case the answer is yes?

     

    Thanks 🙂



  • 4.  RE: Troubleshooting VPN SRX210 --> PIX535

    Posted 10-07-2011 02:26

    Hello Friend,

     

    If possible, please attach the config file so that we can help you.



  • 5.  RE: Troubleshooting VPN SRX210 --> PIX535

    Posted 10-07-2011 02:32

    Looks like a peer IP or pre-shared key mismatch in phase 1 establishment.


  • 6.  RE: Troubleshooting VPN SRX210 --> PIX535
    Best Answer

    Posted 10-07-2011 10:22

    Hi Rsilva,

     

    The logs suggest continuous retransmission.


    =====================================================================================

    Oct  4 08:52:17 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0

    Oct  4 08:52:19 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1
    Oct  4 08:52:19 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0

    Oct  4 08:52:19 ike_free_negotiation: Start, nego = 0
    Oct  4 08:52:39 ike_retransmit_callback: Start, retransmit SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1
    Oct  4 08:52:39 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0

    =====================================================================================
    This means that the SRX is acting as initiator and the other side is not responding to the
    proposal. I would suggest you check the logs on the PIX535 to see why it is not responding to
    the proposals. If that is not possible, then you need to make the PIX535 the initiator and then view the IKE logs on the SRX.

     

    Hope this helps.


    Regards,

    Visitor

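The retransmission pattern the accepted answer points at can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread, from Juniper, or from Cisco: it reads `show log kmd` trace lines of the kind pasted above, records which IKEv1 main-mode messages the SRX sent and received, counts retransmits, and names the point where phase 1 stopped making progress. The sample input is a condensed excerpt of the original poster's trace (the addresses and SA cookies are the ones in the thread); the milestone labels, the `parse_kmd`/`diagnose` function names and the wording of the diagnoses are this example's own, and the "typical causes" it prints are the general IKEv1 reasons for a stall at each step, including the pre-shared key / peer mismatch suggested in reply 5.

```python
import re

# Condensed excerpt of the original poster's `show log kmd` trace (only the
# lines this parser keys on; the full trace is in the first post).
SAMPLE_KMD = """\
Oct  4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 00000000 00000000}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
Oct  4 08:52:03 ike_st_i_sa_value: Start
Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'draft-ietf-ipsec-nat-t-ike-02'
Oct  4 08:52:03 ike_st_o_ke: Start
Oct  4 08:52:03 ike_st_o_nonce: Start
Oct  4 08:52:03 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
Oct  4 08:52:03 ike_st_i_nonce: Start, nonce[0..20] = 77bac5ad d72c3016 ...
Oct  4 08:52:03 ike_st_i_ke: Ke[0..128] = 84f8c988 9d24ee97 ...
Oct  4 08:52:03 The remote server at 206.49.166.253:500 is 'CISCO-UNITY'
Oct  4 08:52:03 NATT: Match found, local end is NOT behind NAT
Oct  4 08:52:03 ike_st_o_id: Start
Oct  4 08:52:03 ike_st_o_hash: Start
Oct  4 08:52:04 ike_calc_mac: Start, initiator = true, local = true
Oct  4 08:52:04 ike_st_o_encrypt: Marking encryption for packet
Oct  4 08:52:04 ike_send_packet: Start, send SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
Oct  4 08:52:09 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
Oct  4 08:52:17 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
Oct  4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d 85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Trying to decrypt, but no decryption context initialized
Oct  4 08:52:19 192.168.41.222:500 (Responder) <-> 206.49.166.253:500 { 4e80e37d 85197171 - 0974013e dcca779f [0] / 0x3ea7eb41 } Info; Error = No SA established (8194)
Oct  4 08:52:39 ike_send_packet: Start, retransmit previous packet SA = { 4e80e37d 85197171 - 0974013e dcca779f}, nego = -1, src=192.168.41.222:500, dst = 206.49.166.253:500, routing table id = 0
"""

# kmd state markers an initiating SRX logs during IKEv1 main mode, in protocol
# order. The "MMn" labels are this example's own names for the six messages.
MILESTONES = [
    ("ike_st_i_sa_value", "MM2 received (peer accepted an SA proposal)"),
    ("ike_st_o_ke", "MM3 sent (KE + nonce)"),
    ("ike_st_i_ke", "MM4 received (peer KE + nonce)"),
    ("ike_st_o_id", "MM5 sent (ID + HASH, encrypted)"),
    ("ike_st_i_id", "MM6 received (peer ID + HASH)"),
]
SEND_RE = re.compile(
    r"ike_send_packet: Start, (send|retransmit previous packet) SA = "
    r"\{ (\S+ \S+) - (\S+ \S+)\}, nego = \S+, src=([^,]+), dst = ([^,]+),")
VID_RE = re.compile(r"The remote server at \S+ is '([^']+)'")
INFO_RE = re.compile(r"\} Info; (.+)$")


def parse_kmd(text):
    """Reduce a kmd trace to the facts that matter for a phase 1 stall."""
    s = {"src": None, "dst": None, "sends": 0, "retransmits": 0,
         "initiator": False, "milestones": [], "peer_vendor_ids": [],
         "errors": []}
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            kind, _icookie, rcookie, s["src"], s["dst"] = m.groups()
            if kind == "send":
                s["sends"] += 1
                # An all-zero responder cookie marks the first message of the
                # exchange: MM1, our own SA proposal.
                if rcookie == "00000000 00000000" and not s["milestones"]:
                    s["milestones"].append("MM1 sent (SA proposal)")
            else:
                s["retransmits"] += 1
            continue
        for marker, label in MILESTONES:
            if f" {marker}:" in line and label not in s["milestones"]:
                s["milestones"].append(label)
        if "initiator = true" in line:
            s["initiator"] = True
        m = VID_RE.search(line)
        if m:
            s["peer_vendor_ids"].append(m.group(1))
        m = INFO_RE.search(line)
        if m:
            s["errors"].append(m.group(1))
    return s


def diagnose(s):
    """Name the main-mode step after which no reply ever arrived."""
    reached = " ".join(s["milestones"])
    if "MM6" in reached:
        return "main mode completed; phase 1 is not where this tunnel fails"
    if s["retransmits"] == 0:
        return "no retransmissions in this excerpt; negotiation not stalled"
    if "MM5" in reached:
        return ("phase 1 stalled after MM5: our encrypted ID/HASH got no reply, "
                "so the peer rejected or dropped it. Typical causes are a "
                "pre-shared key or IKE identity mismatch on the responder; "
                "the peer's own IKE log will say which.")
    if "MM3" in reached:
        return ("phase 1 stalled after MM3: peer did not answer our KE/nonce; "
                "check DH group agreement and reachability on UDP/500")
    return ("phase 1 stalled at MM1: no answer to the SA proposal; check the "
            "peer address, UDP/500 reachability and that the peer has a "
            "matching IKE policy")


if __name__ == "__main__":
    summary = parse_kmd(SAMPLE_KMD)
    print(f"{summary['src']} -> {summary['dst']}, initiator={summary['initiator']}")
    print("peer vendor IDs:", summary["peer_vendor_ids"])
    print("progress:", *summary["milestones"], sep="\n  ")
    print(f"sends={summary['sends']} retransmits={summary['retransmits']}")
    print("peer info messages:", summary["errors"])
    print("diagnosis:", diagnose(summary))
```

Run against the excerpt it reports MM1 through MM5, three retransmits of the same encrypted packet and no MM6, which is exactly the "SRX is initiator, peer never answers" reading in the accepted answer; the two `Info;` lines show the peer did send something back, but only an informational the SRX could not decrypt because no phase 1 SA exists yet. To use it on a live box, pipe `show log kmd` output into `parse_kmd` instead of `SAMPLE_KMD`.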