SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ospf over ipsec dead timer issue? suggestions

    Posted 08-21-2012 10:13

    lab setup:

    j2320->srx210 (mock isp router) -> srx210


    scenario

    site to site ipsec vpn carrying ospf. note that srx gets dynamic ip from mock isp router


    what works:

    sa is established and seems to be solid...check

    ospf is full on st0.0...partial check 😞


    problem:

    ospf is full on st0.0 but dead timer expires repeatedly


    jtac is involved. tried multiple things but none made a difference. jtac asked for configs and they are trying to replicate at this time.


    Parsed Configs:


    J2320

    set interfaces st0 unit 0 family inet mtu 1432
    set interfaces st0 unit 0 family inet address 10.10.10.5/30

    set security ike respond-bad-spi 20
    set security ike proposal P1 authentication-method pre-shared-keys
    set security ike proposal P1 dh-group group2
    set security ike proposal P1 authentication-algorithm sha1
    set security ike proposal P1 encryption-algorithm aes-256-cbc
    set security ike policy TB_policy mode aggressive
    set security ike policy TB_policy description "VPN to TB"
    set security ike policy TB_policy proposals P1
    set security ike policy TB_policy pre-shared-key ascii-text "$9$1nqESl8X-24ZX7i.PfQz"
    set security ike gateway TB_rule-ike ike-policy TB_policy
    set security ike gateway TB_rule-ike dynamic user-at-hostname "remote@siatss.com"
    set security ike gateway TB_rule-ike external-interface ge-0/0/3.0
    set security ipsec proposal P2 protocol esp
    set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
    set security ipsec proposal P2 encryption-algorithm aes-256-cbc
    set security ipsec proposal P2 lifetime-seconds 3600
    set security ipsec policy TB_POLICY description TB_IPSEC
    set security ipsec policy TB_POLICY perfect-forward-secrecy keys group2
    set security ipsec policy TB_POLICY proposals P2
    set security ipsec vpn TB-rule-ike bind-interface st0.0
    set security ipsec vpn TB-rule-ike df-bit clear
    set security ipsec vpn TB-rule-ike ike gateway TB_rule-ike
    set security ipsec vpn TB-rule-ike ike idle-time 3600
    set security ipsec vpn TB-rule-ike ike ipsec-policy TB_POLICY

    set protocols ospf traceoptions file DebugOSPF
    set protocols ospf traceoptions file size 5m
    set protocols ospf traceoptions flag hello
    set protocols ospf export advertise_static
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
    set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
    set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
    set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 passive



    SRX210:

    set interfaces st0 unit 0 family inet mtu 1432
    set interfaces st0 unit 0 family inet address 10.10.10.6/30

    set security ike proposal P1-1 authentication-method pre-shared-keys
    set security ike proposal P1-1 dh-group group2
    set security ike proposal P1-1 authentication-algorithm sha1
    set security ike proposal P1-1 encryption-algorithm aes-256-cbc
    set security ike proposal P1-1 lifetime-seconds 28800
    set security ike policy STJ-POLICY mode aggressive
    set security ike policy STJ-POLICY description "VPN to STJ"
    set security ike policy STJ-POLICY proposals P1-1
    set security ike policy STJ-POLICY pre-shared-key ascii-text "$9$uKVOBRcKMXbs4M8GikqPf"
    set security ike gateway STJ-GW ike-policy STJ-POLICY
    set security ike gateway STJ-GW address 10.10.10.2
    set security ike gateway STJ-GW local-identity user-at-hostname "remote@siatss.com"
    set security ike gateway STJ-GW external-interface ge-0/0/0.0
    set security ipsec vpn-monitor-options interval 3
    set security ipsec vpn-monitor-options threshold 10
    set security ipsec proposal P2-1 description group2
    set security ipsec proposal P2-1 protocol esp
    set security ipsec proposal P2-1 authentication-algorithm hmac-sha1-96
    set security ipsec proposal P2-1 encryption-algorithm aes-256-cbc
    set security ipsec proposal P2-1 lifetime-seconds 3600
    set security ipsec policy STJ-POLICY description STJ-IPSEC
    set security ipsec policy STJ-POLICY perfect-forward-secrecy keys group2
    set security ipsec policy STJ-POLICY proposals P2-1
    set security ipsec vpn STJ-VPN bind-interface st0.0
    set security ipsec vpn STJ-VPN df-bit clear
    set security ipsec vpn STJ-VPN ike gateway STJ-GW
    set security ipsec vpn STJ-VPN ike idle-time 3600
    set security ipsec vpn STJ-VPN ike ipsec-policy STJ-POLICY
    set security ipsec vpn STJ-VPN establish-tunnels immediately

    set protocols ospf traceoptions file DebugOSPF
    set protocols ospf traceoptions file size 5m
    set protocols ospf traceoptions flag hello
    set protocols ospf export ospf-export
    set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
    set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 20
    set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 80
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set protocols ospf area 0.0.0.0 interface vlan.0 passive
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive



  • 2.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-21-2012 11:00

    ospf hello debug. why is srx sending hello every 48 sec? default is 10. tried increasing ospf timers (shouldn't have to) at each end but no dice. I'm out of options...


    #run sh log DebugOSPF | match "OSPF rcvd Hello 10.10.10.6" | last

    Aug 21 13:43:48.144068 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:43:48.162083 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:44:36.541769 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:44:36.554227 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:45:26.382431 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:45:26.398512 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:46:15.804706 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:46:15.821382 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:47:05.151068 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
    Aug 21 13:47:05.168212 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
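    Added example, not from the thread: a small Python triage script that parses the trace lines above, collapses the two entries the trace writes for each received hello, and compares the observed gaps with the hello-interval 20 / dead-interval 80 configured on st0.0 in the posted configs.

```python
import re
from datetime import datetime
# Constructed sample: the ten trace lines quoted in the post above.
TRACE = """\
Aug 21 13:43:48.144068 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:43:48.162083 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:44:36.541769 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:44:36.554227 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:45:26.382431 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:45:26.398512 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:46:15.804706 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:46:15.821382 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:47:05.151068 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
Aug 21 13:47:05.168212 OSPF rcvd Hello 10.10.10.6 -> 224.0.0.5 (st0.0 IFL 69 area 0.0.0.0)
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) OSPF rcvd Hello (\S+) -> \S+ \((\S+) ")

def parse_hellos(text, year=2012):
    """Return (timestamp, neighbour, interface) for each 'rcvd Hello' line."""
    hellos = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            hellos.append((ts, m.group(2), m.group(3)))
    return hellos

def hello_gaps(hellos, neighbour, dedupe_window=1.0):
    """Seconds between consecutive hellos from one neighbour. The trace logs
    each received hello twice a few ms apart, so closer arrivals are merged."""
    times = sorted(t for t, n, _ in hellos if n == neighbour)
    distinct = []
    for t in times:
        if not distinct or (t - distinct[-1]).total_seconds() > dedupe_window:
            distinct.append(t)
    return [(b - a).total_seconds() for a, b in zip(distinct, distinct[1:])]

def assess(gaps, hello_interval, dead_interval):
    """Compare the worst observed gap with the timers configured on st0.0."""
    if not gaps:
        return "no data"
    worst = max(gaps)
    if worst >= dead_interval:
        return "dead timer expired"
    if worst > 2 * hello_interval:
        return "hellos missed"  # worst gap already spans more than two hello intervals
    return "ok"
```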



  • 3.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-21-2012 11:50
    Looks like you have your external interfaces (ge-0/0/0, ge-0/0/3) in OSPF as well. Did you try deleting them from it, as it may be causing problems?


  • 4.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-22-2012 04:05

    removed external interfaces from ospf, no change. ospf times out. i should mention that the issue seems to be hellos from the srx not the j. the srx receives a hello from the j every 10 sec as expected, but the j receives a hello from the srx every 48 sec if I'm interpreting the debug correctly. I'm about to replace the srx with a spare while waiting on suggestions. long shot i know



  • 5.  RE: ospf over ipsec dead timer issue? suggestions
    Best Answer

    Posted 08-22-2012 05:20

    Hi


    I tried your config (with the exception of the export policy and putting all interfaces in the same zone), and it works fine for me.


    What Junos are you using on both ends?



  • 6.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-22-2012 07:43

    So based on your last message I deactivated the export policy and ospf is stable. I have the same policy applied to production J2320s with ipsec tunnels between them and there is no issue. Anyway, I will look into it further. Thanks PK!



  • 7.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-22-2012 08:00

    Hi


    My first suggestion was that you receive a route to the other peer via the st0 interface, which will make st0 bounce. That's why I asked you to delete the external interfaces from OSPF. But it looks like the same thing was caused by the policy (at least I have no other explanation). Can you post what the policy looked like?



  • 8.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-23-2012 04:57

    So I guess this was doing the same as having the external interface in ospf which is why either makes ospf fail. On the SRX the ike gateway is originally routed out the default route to the ISP and SA is established and OSPF loads to full but then the J injects the network of the LOCAL external interface due to term 3 below into OSPF and SRX receives it as external OSPF route. Makes sense now....thanks again and please confirm


    set policy-options policy-statement routes_out term 1 from protocol static
    set policy-options policy-statement routes_out term 1 then accept
    set policy-options policy-statement routes_out term 2 from protocol direct
    set policy-options policy-statement routes_out term 2 then accept
    set policy-options policy-statement routes_out term 3 from protocol local
    set policy-options policy-statement routes_out term 3 then accept
    set protocols ospf export routes_out



  • 9.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 08-23-2012 07:26

    That's clear now. A better route to a tunnel end point comes via tunnel which makes the tunnel bounce, this is a known behavior. Note that term 3 will actually not work (local routes can't be exported). But direct routes (interface subnets) that are exported in term 2 caused your problem.
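    Added example, not from the thread: a Python model of the longest-prefix match behind the bounce PK describes, i.e. a prefix covering the IKE peer learned through st0.0 beating the default route to the ISP. It assumes the mock-ISP link that holds 10.10.10.2 is 10.10.10.0/30 (the thread gives only the peer address); the host-route table at the end is a common mitigation the thread does not mention, not something from the posts.

```python
import ipaddress

def next_hop_interface(routes, dest):
    """Longest-prefix match over (prefix, interface) pairs: the interface a
    packet to dest leaves through, or None when nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def tunnel_is_recursive(routes, ike_peer, tunnel_if="st0.0"):
    """True when the route to the IKE/IPsec peer itself points into the
    tunnel, so the tunnel can only reach its own endpoint through itself."""
    return next_hop_interface(routes, ike_peer) == tunnel_if

def unsafe_prefixes(routes, ike_peer, tunnel_if="st0.0"):
    """Prefixes learned via the tunnel that cover the peer address: the
    candidates to drop from the far side's OSPF export (term 2 above)."""
    addr = ipaddress.ip_address(ike_peer)
    return [p for p, i in routes if i == tunnel_if and addr in ipaddress.ip_network(p)]

# Constructed SRX210 forwarding view. Assumption: the ISP link holding the
# peer 10.10.10.2 is 10.10.10.0/30; before the J's export leaked it, the peer
# was reached through the default route on ge-0/0/0.0, as post 8 describes.
IKE_PEER = "10.10.10.2"
BASELINE = [("0.0.0.0/0", "ge-0/0/0.0"), ("10.10.10.4/30", "st0.0")]
LEAKED = BASELINE + [("10.10.10.0/30", "st0.0")]  # direct route exported by term 2
# Common mitigation (not from the thread): a host route for the peer out the
# ISP-facing interface, which no /30 learned over the tunnel can outrank.
PINNED = LEAKED + [("10.10.10.2/32", "ge-0/0/0.0")]

if __name__ == "__main__":
    for name, table in (("baseline", BASELINE), ("leaked", LEAKED), ("pinned", PINNED)):
        print(name, next_hop_interface(table, IKE_PEER), tunnel_is_recursive(table, IKE_PEER))
```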



  • 10.  RE: ospf over ipsec dead timer issue? suggestions

    Posted 10-23-2012 20:43

    I faced the same issue with 11.2 code on SRX210 and between other SRX210s. I upgraded to 11.4 and am still facing the same issue.

    After removing the external interfaces from the ospf configs, ospf stays normal.

    Thanks to the people who posted the solution.

    Does anybody know in which version of JUNOS this would be fixed?

    Thanks.

    Hasan