SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN SRX-some wired device --> Problems

    Posted 04-01-2014 05:38

    Hi,

    On my SRX I must build a VPN with a NetScreen (it's a virtualization on the "cloud", bohh!).

    With the wizard I made a route-based VPN. The VPN doesn't come up.

    This is the debug:

     

    Apr 1 19:44:22 ike_st_o_sa_proposal: Start
    Apr 1 19:44:22 ike_policy_reply_isakmp_vendor_ids: Start
    Apr 1 19:44:22 ike_st_o_private: Start
    Apr 1 19:44:22 ike_policy_reply_private_payload_out: Start
    Apr 1 19:44:22 ike_encode_packet: Start, SA = { 0xb3020ecb efd49cca - 00000000 00000000 } / 00000000, nego = -1
    Apr 1 19:44:22 ike_send_packet: Start, send SA = { b3020ecb efd49cca - 00000000 00000000}, nego = -1, dst = 176.28.114.126:500, routing table id = 0
    Apr 1 19:44:22 ikev2_packet_allocate: Allocated packet bc9400 from freelist
    Apr 1 19:44:22 ike_sa_find: Not found SA = { b3020ecb efd49cca - d2944887 b293f6b0 }
    Apr 1 19:44:22 ikev2_packet_st_input_v1_get_sa: Checking if unauthenticated IKEv1 notify is for an IKEv2 SA
    Apr 1 19:44:22 ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    Apr 1 19:44:22 ike_get_sa: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0 } / 00000000, remote = 176.28.114.126:500
    Apr 1 19:44:22 ike_sa_find: Not found SA = { b3020ecb efd49cca - d2944887 b293f6b0 }
    Apr 1 19:44:22 ike_sa_find_half: Found half SA = { b3020ecb efd49cca - 00000000 00000000 }
    Apr 1 19:44:22 ike_sa_upgrade: Start, SA = { b3020ecb efd49cca - 00000000 00000000 } -> { ... - d2944887 b293f6b0 }
    Apr 1 19:44:22 ike_alloc_negotiation: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0}
    Apr 1 19:44:22 ike_decode_packet: Start
    Apr 1 19:44:22 ike_decode_packet: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0} / 00000000, nego = 0
    Apr 1 19:44:22 ike_st_i_n: Start, doi = 1, protocol = 1, code = Payload malformed (16), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
    Apr 1 19:44:22 <none>:500 (Responder) <-> 176.38.114.126:500 { b3020ecb efd49cca - d2944887 b293f6b0 [0] / 0x00000000 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
    Apr 1 19:44:22 ike_st_i_private: Start
    Apr 1 19:44:22 ike_send_notify: Connected, SA = { b3020ecb efd49cca - d2944887 b293f6b0}, nego = 0
    Apr 1 19:44:22 ike_delete_negotiation: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0}, nego = 0
    Apr 1 19:44:22 ike_free_negotiation_info: Start, nego = 0
    Apr 1 19:44:22 ike_free_negotiation: Start, nego = 0
    Apr 1 19:44:22 ike_remove_callback: Start, delete SA = { b3020ecb efd49cca - d2944887 b293f6b0}, nego = -1
    Apr 1 19:44:22 217.182.2.161:500 (Initiator) <-> 176.38.114.126:500 { b3020ecb efd49cca - d2944887 b293f6b0 [-1] / 0x00000000 } IP; Connection got error = 16, calling callback
    Apr 1 19:44:22 ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
    Apr 1 19:44:22 ikev2_fb_v1_hash_id_to_v2_prf_id: Unknown IKE hash alg identifier -1
    Apr 1 19:44:22 ikev2_fb_v1_hash_id_to_v2_integ_id: Unknown IKE hash alg identifier -1
    Apr 1 19:44:22 IKE negotiation fail for local:217.182.2.161, remote:176.38.114.126 IKEv1 with status: Invalid syntax
    Apr 1 19:44:22 IKEv1 Error : Payload malformed
    Apr 1 19:44:22 IPSec Rekey for SPI 0x0 failed
    Apr 1 19:44:22 IPSec SA done callback called for sa-cfg Ingeteam local:217.182.2.161, remote:176.38.114.126 IKEv1 with status Invalid syntax
    Apr 1 19:44:22 ike_delete_negotiation: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0}, nego = -1
    Apr 1 19:44:22 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    Apr 1 19:44:22 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    Apr 1 19:44:22 ike_sa_delete: Start, SA = { b3020ecb efd49cca - d2944887 b293f6b0 }
    Apr 1 19:44:22 ike_free_negotiation_isakmp: Start, nego = -1
    Apr 1 19:44:22 ike_free_negotiation: Start, nego = -1
    Apr 1 19:44:22 IKE SA delete called for p1 sa 6417024 (ref cnt 1) local:217.182.2.161, remote:176.38.114.126, IKEv1
    Apr 1 19:44:22 iked_pm_p1_sa_destroy: p1 sa 6417024 (ref cnt 0), waiting_for_del 0x0
    Apr 1 19:44:23 ike_free_id_payload: Start, id type = 1
    Apr 1 19:44:23 ike_free_sa: Start
    Apr 1 19:44:23 iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
    Apr 1 19:44:23 ike_retransmit_callback: Start, retransmit SA = { fe98ffab 1a0e700b - 00000000 00000000}, nego = -1
    Apr 1 19:44:23 ike_send_packet: Start, retransmit previous packet SA = { fe98ffab 1a0e700b - 00000000 00000000}, nego = -1, dst = 213.208.49.98:500 routing table id = 0

     

    Can someone help me?



  • 2.  RE: VPN SRX-some wired device --> Problems
    Best Answer

    Posted 04-01-2014 07:16

    Payload malformed would indicate a mismatch in the preshared key.



  • 3.  RE: VPN SRX-some wired device --> Problems

    Posted 04-01-2014 07:38

    Hi MMcD,

    We checked the PSK. It's OK.



  • 4.  RE: VPN SRX-some wired device --> Problems

    Posted 04-01-2014 08:04

    It was the PSK!!!

    We checked the PSK many times; now I asked to change it and finally the VPN came up.

     

    Thanks a lot 



  • 5.  RE: VPN SRX-some wired device --> Problems

    Posted 04-01-2014 08:10

    Common issue, some characters can be invalid etc.  Always worth changing it on both ends when you see anything like the error above.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22972
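
Added example, not part of any post in this thread: a small Python triage of the IKEv1 debug trace from post 1, pulling out the notify the peer sent and the final negotiation verdict. The sample lines are constructed from that trace with placeholder addresses, and the hint strings are assumptions based on the replies above and on the RFC 2408 notify codes.

```python
import re

# ISAKMP notify codes (RFC 2408, section 3.14.1) useful for phase 1 triage.
# Hint wording is an assumption; the PSK hint follows the thread's answer.
NOTIFY_HINTS = {
    14: "NO-PROPOSAL-CHOSEN: compare phase 1 proposals on both peers",
    16: "PAYLOAD-MALFORMED: peer could not parse our message; with "
        "pre-shared-key auth, re-enter the same PSK on both ends",
    18: "INVALID-ID-INFORMATION: compare local/remote IKE identities",
    24: "AUTHENTICATION-FAILED: check PSK or certificates",
}

# "Received notify err = <name> (<code>)" line, as in the trace in post 1.
NOTIFY_RE = re.compile(
    r"<-> (?P<peer>[\d.]+):\d+ \{ (?P<icookie>[0-9a-f]{8} [0-9a-f]{8}) - "
    r"(?P<rcookie>[0-9a-f]{8} [0-9a-f]{8}) .*?"
    r"Received notify err = (?P<name>[^()]+) \((?P<code>\d+)\)")
# Final verdict line naming the local and remote gateway.
FAIL_RE = re.compile(
    r"IKE negotiation fail for local:(?P<local>[\d.]+), "
    r"remote:(?P<peer>[\d.]+) (?P<ver>IKEv\d) with status: (?P<status>.+)$")

def triage(log_text):
    """Return one finding per remote peer with a failed negotiation."""
    findings = {}
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            code = int(m["code"])
            findings[m["peer"]] = {
                "peer": m["peer"], "cookies": (m["icookie"], m["rcookie"]),
                "notify": (code, m["name"].strip()),
                "hint": NOTIFY_HINTS.get(code, "see RFC 2408 notify types"),
            }
            continue
        m = FAIL_RE.search(line)
        if m:
            f = findings.setdefault(m["peer"], {"peer": m["peer"]})
            f.update(local=m["local"], version=m["ver"],
                     status=m["status"].strip())
    return list(findings.values())

# Constructed sample modelled on the trace; addresses are RFC 5737 placeholders.
SAMPLE = """\
Apr 1 19:44:22 <none>:500 (Responder) <-> 198.51.100.7:500 { b3020ecb efd49cca - d2944887 b293f6b0 [0] / 0x00000000 } Info; Received notify err = Payload malformed (16) to isakmp sa, delete it
Apr 1 19:44:22 ikev2_fb_v1_encr_id_to_v2_id: Unknown IKE encryption identifier -1
Apr 1 19:44:22 IKE negotiation fail for local:192.0.2.1, remote:198.51.100.7 IKEv1 with status: Invalid syntax
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```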