SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-06-2013 01:52

    Hello All,

    I am trying to troubleshoot a VPN tunnel from our SRX210 to a Cisco ASA that's not coming up. I already found this troubleshooting link:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

    At one point it states to check the KMD log with this command: show log kmd | match 1.1.1.2  or  show log kmd | find 1.1.1.2

    But then of course with the IP address of the Cisco ASA endpoint. But I find literally 0 entries. In general there are almost no VPN issue entries in the log even though I have had plenty of issues in the past. I know I am the initiating side but I would still expect some errors with details about why the tunnel is failing (PSK mismatch, P1 proposal mismatch etc.)

    Do I have to enable some kind of debug logging before these entries are entered into the KMD log?

    I used this command once: request security ike debug-enable level 15 local <local ip> remote <remote ip>

    But then the KMD got flooded with way too much info. It was hard to find the entries that really mattered.

    I have to say, all this stuff was WAY easier to troubleshoot on our old Netscreen 5GTs!

    Thanks for any help, it is greatly appreciated.



  • 2.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-06-2013 06:05

    I contacted Juniper support and they told me to enable trace options.
    This is all fine, but I don't see why this wouldn't be documented in this link:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100



  • 3.  RE: Tunnel to Cisco ASA failing - KMD log empty?
    Best Answer

    Posted 02-08-2013 06:28

    Typically, I usually do something like the following:

    set security ike traceoptions file ike.log
    set security ike traceoptions file size 5m
    set security ike traceoptions file files 3
    set security ike traceoptions flag ike
    set security ike traceoptions flag general

    You can also set the flag to "all" to get really verbose.

    I would recommend doing that, and then looking in your ike.log file for the matching entries:

    show log ike.log | match 1.1.1.1

    Can you post here what you are seeing?



  • 4.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-09-2013 06:28

    Hi Scott,

    Do you also mean that I would need to enable trace-options to be able to see any output from these two commands?

    - show security ipsec security-association

    - show security ike security-association



  • 5.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-11-2013 05:10

    Basically, yes. Those two commands are just a quick/brief way to see what tunnels you have up and how many SAs you have associated with said tunnel(s).

    The traceoptions file is going to give you lots more detail, as I'm sure you know. You'll be able to see things like a mismatch in proxy-ids (which is common), or authentication/encryption mismatches, etc.


  • 6.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-11-2013 14:47

    @wendohw wrote:

    Hi Scott,

    Do you also mean that I would need to enable trace-options to be able to see any output from these two commands?

    - show security ipsec security-association

    - show security ike security-association

    You don't need traceoptions to use those commands. They are operational commands that show you the current IKE (Phase 1) and IPsec (Phase 2) associations.

    Traceoptions are Juniper's way of saying "debug." If you're not doing something that would otherwise require a "debug" command (on ScreenOS, or ASA, etc.) then you probably don't need traceoptions.

    I'd also recommend not leaving traceoptions on all the time. Turn them on, use them, turn them off. Just like a "debug" command.



  • 7.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-14-2013 01:49

    Yeah, I got similar commands from Juniper support to set the trace options. It helped a lot in debugging the VPN tunnel, which is now online (it was a mismatch between the SRX and the ASA in the traffic that was allowed to pass the tunnel).

    But like I said, it would have been helpful if that was mentioned in the (otherwise very nice) troubleshooting article:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097

    It says to check the KMD log, but unless you enable trace options, this KMD log will be empty.



  • 8.  RE: Tunnel to Cisco ASA failing - KMD log empty?

    Posted 02-22-2013 02:17

    We ran into another issue that I would like to note in this case.

    At one point the VPN tunnel came online but it would drop every few minutes.

    What we could see in the Cisco logs is that the SRX was sending ICMP packets to the Cisco ASA. The Cisco did not reply to these packets (as this was not agreed in the Crypto ACL) and after a few retries the SRX would tear down the connection (tunnel went down). After another few seconds the tunnel was established again.

    We narrowed this down to the 'VPN Monitor' option. Apparently the monitor uses ICMP packets to see if the tunnel is online. We turned off VPN Monitor for this tunnel and then it stayed online.

    Hopefully this will be of help for anyone else running into this issue.
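As an added illustration of the VPN Monitor flap described in this post (example configuration, not from the thread or from Juniper): on Junos, vpn-monitor is configured per VPN under security ipsec, and the VPN name asa-vpn, the st0.0 interface and the 192.0.2.10 probe target are constructed placeholders. It assumes the probe target is a host on the ASA side that answers ICMP and that falls inside the proxy-ids / crypto ACL both peers agreed on.

```junos
# Added example; names and addresses are constructed placeholders.

# Plain VPN Monitor: the SRX sends ICMP probes through the tunnel.
# If the ASA's crypto ACL does not cover those probes, they go
# unanswered, the SRX declares the tunnel dead after a few retries
# and rebuilds it: the periodic drop described in this thread.
set security ipsec vpn asa-vpn vpn-monitor

# Option 1 (keep liveness checking): source the probes from the tunnel
# interface and aim them at a host inside the peer's protected network,
# so the ICMP matches the traffic both sides agreed to encrypt.
# "optimized" only sends probes while the tunnel is otherwise idle.
set security ipsec vpn asa-vpn vpn-monitor source-interface st0.0
set security ipsec vpn asa-vpn vpn-monitor destination-ip 192.0.2.10
set security ipsec vpn asa-vpn vpn-monitor optimized

# Option 2 (what this post did): remove VPN Monitor for that tunnel.
delete security ipsec vpn asa-vpn vpn-monitor

# After committing either option, confirm the Phase 2 SA stays up
# instead of cycling (operational command, hence "run" from config mode).
run show security ipsec security-association
```

Option 1 trades the flap for a probe that the peer will actually answer, which is worth preferring over option 2 when you still want the SRX to notice a dead tunnel.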