SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  ospf route advertisement?

    Posted 11-05-2012 07:54

    I have an SRX210 and a SSG320 directly connected running OSPF over IPsec. IPsec comes up and OSPF comes FULL. However, OSPF dies after 40 seconds (default dead timer). I've had a similar problem in the past because I was advertising the external interface into OSPF. I'm not doing that and I'm not doing any import or export policies on either device.



  • 2.  RE: ospf route advertisement?

    Posted 11-05-2012 09:39

    Hi,

    Could you please post your config on both sides and the show route output from the SRX, if possible?


  • 3.  RE: ospf route advertisement?

    Posted 11-05-2012 10:39

    Thanks for looking into this.


    root@SRX_394# run show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    6728753 UP     22637fd40e7557d0  8b2a3bde1982c02a  Main           172.16.40.9

    [edit]
    root@SRX_394# run show security ipsec security-associations
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
      <131073 ESP:aes-256/sha1 4900186 3513/ unlim -   root 500   172.16.40.9
      >131073 ESP:aes-256/sha1 7f4e639a 3513/ unlim -  root 500   172.16.40.9

    [edit]
    root@SRX_394# run show ospf neighbor
    Address          Interface              State     ID               Pri  Dead
    172.16.40.9      st0.0                  Full      172.16.49.8        1    33


    [edit]
    root@SRX_394# run show ospf neighbor detail
    Address          Interface              State     ID               Pri  Dead
    172.16.40.9      st0.0                  Full      172.16.49.8        1    30
      Area 0.0.0.0, opt 0x2, DR 0.0.0.0, BDR 0.0.0.0
      Up 00:00:50, adjacent 00:00:50
        Link state retransmission list:  1 entries


    [edit]
    root@SRX_394# run show ospf neighbor detail
    Address          Interface              State     ID               Pri  Dead
    172.16.40.9      st0.0                  Init      172.16.49.8        1    38
      Area 0.0.0.0, opt 0x2, DR 0.0.0.0, BDR 0.0.0.0


    root@SRX_394# run show log messages | match OSPF | last
    Nov  6 02:17:48  SRX_394 rpd[30514]: RPD_OSPF_NBRDOWN: OSPF neighbor 172.16.40.9 (realm ospf-v2 st0.0 area 0.0.0.0) state changed from Full to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)
    Nov  6 02:17:57  SRX_394 rpd[30514]: RPD_OSPF_NBRUP: OSPF neighbor 172.16.40.9 (realm ospf-v2 st0.0 area 0.0.0.0) state changed from Init to ExStart due to 2WayRcvd (event reason: neighbor detected this router)
    Nov  6 02:17:57  SRX_394 rpd[30514]: RPD_OSPF_NBRUP: OSPF neighbor 172.16.40.9 (realm ospf-v2 st0.0 area 0.0.0.0) state changed from Loading to Full due to LoadDone (event reason: OSPF loading completed)
    Nov  6 02:18:24  SRX_394 mgd[29214]: UI_CMDLINE_READ_LINE: User 'root', command 'run show log | match OSPF '
    Nov  6 02:18:29  SRX_394 mgd[29214]: UI_CMDLINE_READ_LINE: User 'root', command 'run show log messages | match OSPF '
    Nov  6 02:18:38  SRX_394 rpd[30514]: RPD_OSPF_NBRDOWN: OSPF neighbor 172.16.40.9 (realm ospf-v2 st0.0 area 0.0.0.0) state changed from Full to Init due to 1WayRcvd (event reason: neighbor is in one-way mode)


    root@SRX_394# run show route 172.16.40.9

    inet.0: 70 destinations, 71 routes (70 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.16.40.9/32     *[OSPF/10] 00:00:23, metric 1
                        > via st0.0


    SRX210:

    set interfaces ge-0/0/0 mtu 1350
    set interfaces ge-0/0/0 unit 0 family inet address 172.16.40.10/30
    set interfaces st0 unit 0 family inet mtu 1350

    set security ike respond-bad-spi 20
    set security ike proposal P1 authentication-method pre-shared-keys
    set security ike proposal P1 dh-group group2
    set security ike proposal P1 authentication-algorithm sha1
    set security ike proposal P1 encryption-algorithm aes-256-cbc
    set security ike policy BLDG-1_IKE_POLICY mode main
    set security ike policy BLDG-1_IKE_POLICY description "VPN to BLDG-1"
    set security ike policy BLDG-1_IKE_POLICY proposals P1
    set security ike policy BLDG-1_IKE_POLICY pre-shared-key ascii-text "$9$KXSWXNs2aikP24z69Cpu"
    set security ike gateway BLDG-1_GW ike-policy BLDG-1_IKE_POLICY
    set security ike gateway BLDG-1_GW address 172.16.40.9
    set security ike gateway BLDG-1_GW external-interface ge-0/0/0.0
    set security ipsec proposal P2 protocol esp
    set security ipsec proposal P2 authentication-algorithm hmac-sha1-96
    set security ipsec proposal P2 encryption-algorithm aes-256-cbc
    set security ipsec proposal P2 lifetime-seconds 3600
    set security ipsec policy BLDG-1_IPSEC_POLICY description BLDG-1_IPSEC
    set security ipsec policy BLDG-1_IPSEC_POLICY perfect-forward-secrecy keys group2
    set security ipsec policy BLDG-1_IPSEC_POLICY proposals P2
    set security ipsec vpn BLDG-1_VPN bind-interface st0.0
    set security ipsec vpn BLDG-1_VPN df-bit clear
    set security ipsec vpn BLDG-1_VPN vpn-monitor source-interface ge-0/0/0.0
    set security ipsec vpn BLDG-1_VPN vpn-monitor destination-ip 172.16.40.9
    deactivate security ipsec vpn BLDG-1_VPN vpn-monitor
    set security ipsec vpn BLDG-1_VPN ike gateway BLDG-1_GW
    set security ipsec vpn BLDG-1_VPN ike ipsec-policy BLDG-1_IPSEC_POLICY
    set security ipsec vpn BLDG-1_VPN establish-tunnels immediately
    set security flow tcp-mss ipsec-vpn mss 1350

    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces lo0.0

    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust interfaces st0.0


    root@SRX_394# run show security policies
    Default policy: deny-all
    From zone: untrust, To zone: trust
      Policy: untrust-to-trust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    From zone: trust, To zone: untrust
      Policy: trust-to-untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit

    [edit security zones]
    root@SRX_394#


    root@SRX_394# show | display set
    set protocols ospf traceoptions file debug-ospf
    set protocols ospf traceoptions file size 5m
    set protocols ospf traceoptions file files 5
    set protocols ospf traceoptions flag hello
    set protocols ospf area 0.0.0.0 interface lo0.0 passive
    set protocols ospf area 0.0.0.0 interface vlan.126 passive
    set protocols ospf area 0.0.0.0 interface vlan.190 passive
    set protocols ospf area 0.0.0.0 interface vlan.254 passive
    set protocols ospf area 0.0.0.0 interface st0.0


    SSG320:

    BARNEY(trust-vr)-> get conf
    set vrouter "trust-vr"
    unset auto-route-export
    set protocol ospf
    set enable
    set reject-default-route
    exit
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set interface ethernet0/0 protocol ospf area 0.0.0.0
    set interface ethernet0/0 protocol ospf enable
    set interface ethernet0/0 protocol ospf retransmit-interval 5
    set interface ethernet0/0 protocol ospf cost 1
    set interface ethernet0/0 protocol ospf authentication md5 "aykqLBxLNma2ZjsD1/CsyYg3NanLvy2QMKZxspVF8SLGytAN18cmxZA=" key-id 1
    set interface ethernet0/0 protocol ospf authentication active-md5-key-id 1
    set interface ethernet0/2 protocol ospf area 0.0.0.0
    set interface ethernet0/2 protocol ospf enable
    set interface ethernet0/2 protocol ospf retransmit-interval 5
    set interface ethernet0/2 protocol ospf cost 1
    set interface ethernet0/2 protocol ospf authentication md5 "fCGZJrgQNdD1zysI1SC2HS48j2nqk6pWW/WvObWVp0pAqf0D6Q3h3Fc=" key-id 1
    set interface loopback.8 protocol ospf area 0.0.0.0
    set interface loopback.8 protocol ospf passive
    set interface loopback.8 protocol ospf enable
    set interface tunnel.1 protocol ospf area 0.0.0.0
    set interface tunnel.1 protocol ospf enable
    set interface tunnel.1 protocol ospf retransmit-interval 5
    set interface tunnel.1 protocol ospf cost 1
    BARNEY(trust-vr)->


    BARNEY->  get interface e0/3
    Interface ethernet0/3:
      description ethernet0/3
      number 7, if_info 7056, if_index 0, mode route
      link up, phy-link up/full-duplex, admin status up
      status change:11, last change:11/05/2012 12:58:38
      vsys Root, zone 394, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 1350, operating mtu 1350, default mtu 1500
      *ip 172.16.40.9/30   mac 6487.884d.3707
      *manage ip 172.16.40.9, mac 6487.884d.3707
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
      OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
      mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled
    BARNEY->


    set ike p1-proposal "P1" preshare group2 esp aes256 sha-1 second 28800
    set ike p2-proposal "P2" group2 esp aes256 sha-1 second 3600
    set ike gateway "394_GW" address 172.16.40.10 Main outgoing-interface "ethernet0/3" preshare "4sIJeQZsN6TPSps1s8CKTbzbqrnYvdLO7A==" proposal "P1"
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "394_VPN" gateway "394_GW" no-replay tunnel idletime 0 proposal "P2"
    unset interface tunnel.1 acvpn-dynamic-routing


    BARNEY-> get config | include tunnel
    set interface "tunnel.1" zone "Trust"
    set interface tunnel.1 ip unnumbered interface ethernet0/3
    set interface tunnel.1 mtu 1350
    set flow reverse-route tunnel always
    set vpn "394_VPN" gateway "394_GW" no-replay tunnel idletime 0 proposal "P2"
    unset interface tunnel.1 acvpn-dynamic-routing
    set interface tunnel.1 protocol ospf area 0.0.0.0
    set interface tunnel.1 protocol ospf enable
    set interface tunnel.1 protocol ospf retransmit-interval 5
    set interface tunnel.1 protocol ospf cost 1



  • 4.  RE: ospf route advertisement?
    Best Answer

    Posted 11-05-2012 18:45

    The config does not seem to be complete. Do you have IP addresses on your tunnel interfaces?


    If not, that is the reason for this unexpected behaviour: no IP address on the st0 interface.


    KB22154 says that "Currently SRX does not support dynamic routing protocols to run over unnumbered st0 interface since there is no deterministic way to pick the right IP address for the unnumbered interface."


    So, configure an IP address on the tunnel interfaces on both sides (in the same network) to resolve this issue.


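    Editor's note on why the posted output looks the way it does: tunnel.1 on the SSG is unnumbered and borrows ethernet0/3's address (172.16.40.9), so the SSG announces that address as a host route on the tunnel link. On the SRX the OSPF 172.16.40.9/32 is more specific than the connected 172.16.40.8/30 on ge-0/0/0.0 (which is not in OSPF), so IKE/ESP packets for the peer are routed into the tunnel that depends on them, and the adjacency collapses at the dead timer. The fix from the best answer, written out as an added example that is not part of the original thread: number both tunnel ends in one /30, and while touching the tunnel, authenticate OSPF on it and narrow the untrust zone's host-inbound-traffic from "all" to what the tunnel actually needs. The 10.255.0.0/30 addresses, the key "ospf-tunnel-key", key-id 1 and the ScreenOS unset syntax for the unnumbered binding are assumptions, not from the thread.

```junos
# ---- SRX210 (Junos, set format) ----
# Before (from the thread): st0.0 has only an MTU, no address, and OSPF
# is enabled on it. KB22154: dynamic routing over an unnumbered st0 is
# unsupported.
#   set interfaces st0 unit 0 family inet mtu 1350
#   set protocols ospf area 0.0.0.0 interface st0.0

# After: give st0.0 an address in a /30 dedicated to the tunnel
# (10.255.0.0/30 is an assumption) and authenticate the OSPF hellos,
# so a spoofed hello on the tunnel cannot inject routes.
set interfaces st0 unit 0 family inet mtu 1350
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set protocols ospf area 0.0.0.0 interface st0.0 authentication md5 1 key "ospf-tunnel-key"

# Before (from the thread): the whole untrust zone, including the
# external ge-0/0/0.0, accepts every system service and every protocol.
#   set security zones security-zone untrust host-inbound-traffic system-services all
#   set security zones security-zone untrust host-inbound-traffic protocols all

# After: IKE on the physical interface only, OSPF on the tunnel only.
delete security zones security-zone untrust host-inbound-traffic
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0 host-inbound-traffic protocols ospf

# ---- SSG320 (ScreenOS) ----
# Before (from the thread): tunnel.1 borrows ethernet0/3's address.
#   set interface tunnel.1 ip unnumbered interface ethernet0/3

# After: remove the unnumbered binding (syntax is an assumption), number
# tunnel.1 in the same /30, and use the same MD5 key and key-id as the
# SRX. The thread already uses this authentication form on ethernet0/0.
unset interface tunnel.1 ip unnumbered
set interface tunnel.1 ip 10.255.0.2/30
set interface tunnel.1 protocol ospf authentication md5 "ospf-tunnel-key" key-id 1
set interface tunnel.1 protocol ospf authentication active-md5-key-id 1
```

    After committing, "run show ospf neighbor" on the SRX should show the neighbor address as 10.255.0.2 rather than 172.16.40.9, and "run show route 172.16.40.9" should resolve to the connected ge-0/0/0.0 entry with no OSPF route for the peer's external address. If the adjacency stays in Init or ExStart after the change, the usual suspects are a key or key-id mismatch between the two ends and the OSPF host-inbound-traffic entry missing on st0.0.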

  • 5.  RE: ospf route advertisement?

    Posted 11-06-2012 06:09

    Thanks for the KB. That resolved my issue. OSPF is stable over IPSEC.