SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 02-28-2013 12:40

    I have been having a ton of issues with a VPN connection between a SRX-240H and a Check Point device.

     

    I have managed to lower the number of IKE sessions I'm seeing by asking the remote side to disable the persistent connection establishment option on the Check Point (we were seeing ~20-30 IKE SAs!), but even now I am getting very odd results. Today I am seeing duplicate IPsec SAs (which I had not seen prior to today). Occasionally we are seeing drops on the VPN tunnel for brief moments, and during those times another IKE SA tends to show up with the old ones remaining.

     

    This is running very stable compared to when I was seeing 20+ IKE SAs, but it is still an issue and I can't figure out for the life of me why this is happening.

     

    There is 1 tunnel with 1 subnet (policy)

     

    root@obi-fw-01> show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    6979863 UP a97609f5a9a38078 e4afc2b0c537fd5c Main xxx.xxx.xx.236
    6979862 UP 6e06f3992aef2102 afec5dd17921d28a Main xxx.xxx.xx.236

     

    root@obi-fw-01> show security ike security-associations detail
    IKE peer xxx.xxx.xx.236, Index 6979863,
    Role: Responder, State: UP
    Initiator cookie: a97609f5a9a38078, Responder cookie: e4afc2b0c537fd5c
    Exchange type: Main, Authentication method: Pre-shared-keys
    Local: xx.xxx.xx.xxx:500, Remote: xxx.xxx.xx.236:500
    Lifetime: Expires in 6466 seconds
    Peer ike-id: xxx.xxx.xx.236
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : hmac-sha1-96
    Encryption : aes256-cbc
    Pseudo random function: hmac-sha1
    Traffic statistics:
    Input bytes : 888
    Output bytes : 756
    Input packets: 8
    Output packets: 4
    Flags: IKE SA is created
    IPSec security associations: 1 created, 1 deleted
    Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
    Local identity: xx.xxx.xx.202
    Remote identity: xxx.xxx.xx.236
    Flags: IKE SA is created

    IKE peer xxx.xxx.xx.236, Index 6979862,
    Role: Responder, State: UP
    Initiator cookie: 6e06f3992aef2102, Responder cookie: afec5dd17921d28a
    Exchange type: Main, Authentication method: Pre-shared-keys
    Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
    Lifetime: Expires in 6412 seconds
    Peer ike-id: xxx.xxx.xx.236
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : hmac-sha1-96
    Encryption : aes256-cbc
    Pseudo random function: hmac-sha1
    Traffic statistics:
    Input bytes : 812
    Output bytes : 832
    Input packets: 7
    Output packets: 5
    Flags: IKE SA is created
    IPSec security associations: 1 created, 0 deleted
    Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: xx.xxx.xx.202:500, Remote: xxx.xxx.xx.236:500
    Local identity: xx.xxx.xx.202
    Remote identity: xxx.xxx.xx.236
    Flags: IKE SA is created

     

     

    root@obi-fw-01> show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
    <2 ESP:aes-256/sha1 3a879d2f 6686/ unlim - root 500 xxx.xxx.xxx.236
    >2 ESP:aes-256/sha1 59c5e156 6686/ unlim - root 500 xxx.xxx.xxx.236
    <2 ESP:aes-256/sha1 567d9685 7305/ unlim - root 500 xxx.xxx.xxx.236
    >2 ESP:aes-256/sha1 59c5e158 7305/ unlim - root 500 xxx.xxx.xxx.236

     

     

    root@obi-fw-01> show security ipsec security-associations detail
    Virtual-system: root
    Local Gateway: xx.xxx.xx.202, Remote Gateway: xxx.xxx.xx.236
    Local Identity: ipv4_subnet(any:0,[0..7]=10.129.146.0/24)
    Remote Identity: ipv4_subnet(any:0,[0..7]=10.1.0.0/16)
    Version: IKEv1
    DF-bit: clear
    Policy-name: vpnpolicy-1-suitej-to-midco300j

    Direction: inbound, SPI: 3a879d2f, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 5725 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 5161 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 59c5e156, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 5725 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 5161 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: inbound, SPI: 567d9685, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 6344 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 5749 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 59c5e158, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 6344 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 5749 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

     

     

    -------------

    Config:

     

    [edit security ike]

    proposal ike-proposal-1 {
        authentication-method pre-shared-keys;
        inactive: dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy ike-policy-1 {
        mode main;
        proposals ike-proposal-1;
        pre-shared-key ascii-text xxx; ## SECRET-DATA
    }
    gateway ike-gate-1 {
        ike-policy ike-policy-1;
        address xxx.xxx.xx.236;
        inactive: dead-peer-detection {
            interval 20;
            threshold 2;
        }
        nat-keepalive 60;
        local-identity inet xx.xxx.xx.202;
        remote-identity inet xxx.xxx.xx.236;
        external-interface ge-0/0/14;
        local-address xx.xxx.xx.202;
    }

     

     

    [edit security ipsec]
    proposal ipsec-proposal-1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy ipsec-policy-1 {
        proposals ipsec-proposal-1;
    }
    vpn ipsec-vpn-1 {
        ike {
            gateway ike-gate-1;
            ipsec-policy ipsec-policy-1;
        }
        establish-tunnels immediately;
    }

     

     



  • 2.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 04-17-2013 08:32

    Hello,

     

    I have the same problem between a SRX-240 and a Checkpoint too...

     

    The symptoms are the same.. duplicate IKE phase 1 in the Checkpoint and sometimes the VPN goes down.

     

    Does anyone know about this issue?

     

     

    Thanks!



  • 3.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 10-30-2013 06:16

    Did any of you ever find a solution to the problem?

     

    Same here, a VPN tunnel between Juniper and Checkpoint devices generates duplicate SAs, both IKE and IPsec.

     

    There is one /24 subnet behind the Juniper device and multiple (20+) subnets behind the Checkpoint. No NATing or policies involved on the Juniper side, the tunnel interface and local subnet interface are in the same security zone and routing-instance.

     

    Randomly access from some networks behind the Checkpoint device does not work to the subnet behind the Juniper.

     

    Relevant parts of the Juniper configuration follow. I don't have any access to the Checkpoint configuration as it's owned and operated by the customer's ISP. It might be a single device or a cluster:

     

    > show configuration security ike policy Customername
    proposals pre-g2-aes128-sha;
    pre-shared-key ascii-text "abcdefg123456"; ## SECRET-DATA

    > show configuration security ike gateway Customername
    ike-policy Customername;
    address 123.123.123.123;
    dead-peer-detection {
        interval 15;
        threshold 3;
    }
    no-nat-traversal;
    external-interface ge-0/0/0.0;

    > show configuration security ipsec vpn Customername
    bind-interface st0.0;
    ike {
        gateway Customername;
        ipsec-policy nopfs-esp-aes128-sha;
    }
    establish-tunnels immediately;

    > show configuration routing-instances customer-vr routing-options | match st0.0
        route 192.123.123.0/21 next-hop st0.0;
        route 192.123.12.0/24 next-hop st0.0;
        route 192.123.8.0/24 next-hop st0.0;
        route 192.123.10.0/24 next-hop st0.0;
        route 192.123.21.0/24 next-hop st0.0;

    > show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    7002451 UP     901474501bcd9611  bbd9bb1634601909  Main           123.123.123.123
    7002442 UP     fa038f01f36ffd91  19eef66678288c5c  Main           123.123.123.123

    > show security ipsec security-associations
      Total active tunnels: 3
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <131073 ESP:aes-128/sha1 1f087e4c 3584/ unlim -  root 500   123.123.123.123
      >131073 ESP:aes-128/sha1 465d537 3584/ unlim -   root 500   123.123.123.123
      <131073 ESP:aes-128/sha1 f1401f21 3591/ unlim -  root 500   123.123.123.123
      >131073 ESP:aes-128/sha1 50092e6c 3591/ unlim -  root 500   123.123.123.123

     

    By the way, the Juniper device is a J2350 running JunOS 12.1X44-D15.5.



  • 4.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 10-31-2013 01:46

    Answering myself, and anyone else who happens to have the same problem..

     

    Create multiple tunnel interfaces and phase 2 VPN configurations using one IKE gateway, one for each network pair, and it works just fine. Checkpoint devices seem to require creating proxy-id pairs for each network, and not defining proxy-ids is not possible.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB20543&smlogin=true
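The per-network-pair layout described in the reply above, written out as Junos set commands. This is an added example, not the thread's own configuration or a Juniper KB snippet; it reuses the gateway "Customername", the IPsec policy "nopfs-esp-aes128-sha" and the routing instance "customer-vr" from the earlier post, while the local subnet 10.0.0.0/24, the zone name "vpn" and the VPN names are constructed placeholders, and 192.123.12.0/24 and 192.123.8.0/24 are two of the remote subnets from that post's static routes.

```junos
## Added example, not the thread's own config: one st0 unit and one phase 2
## VPN per network pair, all sharing the single IKE gateway "Customername".
## Placeholders: local subnet 10.0.0.0/24, zone "vpn", VPN names *-net12/*-net8.

## One tunnel unit per remote subnet, placed in the customer routing instance
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
set routing-instances customer-vr interface st0.1
set routing-instances customer-vr interface st0.2

## Phase 2 for 192.123.12.0/24: explicit proxy-ids so both peers negotiate
## exactly one SA pair for this subnet pair instead of renegotiating
set security ipsec vpn Customername-net12 bind-interface st0.1
set security ipsec vpn Customername-net12 ike gateway Customername
set security ipsec vpn Customername-net12 ike proxy-identity local 10.0.0.0/24
set security ipsec vpn Customername-net12 ike proxy-identity remote 192.123.12.0/24
set security ipsec vpn Customername-net12 ike proxy-identity service any
set security ipsec vpn Customername-net12 ike ipsec-policy nopfs-esp-aes128-sha
set security ipsec vpn Customername-net12 establish-tunnels immediately

## Phase 2 for 192.123.8.0/24 on its own unit, same gateway and policy
set security ipsec vpn Customername-net8 bind-interface st0.2
set security ipsec vpn Customername-net8 ike gateway Customername
set security ipsec vpn Customername-net8 ike proxy-identity local 10.0.0.0/24
set security ipsec vpn Customername-net8 ike proxy-identity remote 192.123.8.0/24
set security ipsec vpn Customername-net8 ike proxy-identity service any
set security ipsec vpn Customername-net8 ike ipsec-policy nopfs-esp-aes128-sha
set security ipsec vpn Customername-net8 establish-tunnels immediately

## Steer each remote subnet into its own tunnel instead of a single st0.0
set routing-instances customer-vr routing-options static route 192.123.12.0/24 next-hop st0.1
set routing-instances customer-vr routing-options static route 192.123.8.0/24 next-hop st0.2
```

After commit, `show security ipsec security-associations` should list exactly one inbound and one outbound SPI per VPN; a second pair under the same ID is the duplicate the thread describes.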



  • 5.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 04-19-2013 23:03


    With policy-based VPNs, if the policy ("vpnpolicy-1-suitej-to-midco300") contains a group source address and a group destination address, whenever one of the users belonging to the address set attempts to communicate with any one of the hosts specified as the destination address, a new tunnel is negotiated and established. Each tunnel created requires its own pair of SAs.
    You could configure traceoptions for this VPN and you would be able to get a lot of details that will help troubleshoot.

    What if you added this to both sides?
    set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group2
    If they run similar commands from their side, can you get those results?


    In "Local: 13.168.11.100:4500, Remote: 1.1.100.22:4500", the use of port 4500 rather than port 500 indicates a NAT is taking place between the devices.

    Here are a few additional commands to run; they may show you some errors, if any:
    show security ipsec security-associations index <index_number> detail
    show security ike security-associations index <index_number> detail
    show security ipsec statistics
    show security ipsec statistics index <index_number>
    show interfaces ge-0/0/14 detail or extensive (scroll through and look for any errors)
    show log kmd

    set security ike traceoptions file <ike-name>
    set security ike traceoptions flag all
    set security ipsec traceoptions file <ipsec-name>
    set security ipsec traceoptions flag all
    set security flow traceoptions file name <flow-name>
    set security flow traceoptions flag tunnel
    set security flow traceoptions flag packet-drops
    set security flow traceoptions flag errors

     

    If all is said and done, maybe turn on VPN monitoring.



  • 6.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 04-21-2013 20:44

    Hello UCTech,

     

    Just to follow on from the last case update, I would like to add that from your debug data there doesn't appear to be any NAT'ing taking place between the two devices; the detail appears to confirm port 500 (IKE) for the tunnel.

     

    There is a KB article for inspecting the kmd log, which is useful for VPN troubleshooting; please see the link here: KB10097

     

    You can use the kmd log to filter down to the two VPN gateways; please see the example below:

    show log kmd | match xx.xxx.xx.202  or  show log kmd | match xxx.xxx.xx.236

    Hope this helps with your troubleshooting further.

     

    Thanks,

     

    Kevin.



  • 7.  RE: VPN to CheckPoint unstable, showing multiple IKE and IPSEC SA's for one policy

    Posted 04-22-2013 01:45

    Sorry about the NAT information. I was working on two different issues and that part got mixed into the post.