SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  route based site to site - issues

    Posted 05-21-2015 23:39

    Hi good folks!

    Again I have to ask you for help.

    This is a multipoint setup with one hub and 2 spokes. st0.0 is in a /24 range.

    The VPN is UP (both IKE and IPsec), but I cannot seem to ping the other side of the st0.0 interface.

    The setup is similar to another spoke (which works) with only one difference: this spoke is behind NAT (many private routers) with static IPs all the way (no need for aggressive mode!?).

    From the spoke I can ping the st0.0 IP, but not the st0.0 on the hub.

    A client behind the spoke LAN cannot ping the hub LAN; traceroute stops at the spoke FW.

    Any ideas on what it could be?

    Thanks!



  • 2.  RE: route based site to site - issues

     
    Posted 05-22-2015 00:22

    Can you share the show route output from the hub and spoke for the destination that is not working?



  • 3.  RE: route based site to site - issues

    Posted 05-22-2015 03:59

    You only need to use aggressive mode on a VPN if one of the firewalls has a dynamic IP address for the gateway. Since your tunnels are up, this is good as you are.

    How are you doing the routing for the multipoint tunnel?

    If it is static routes, you also need to create the NHTB entries so the traffic knows which of the multipoint connections to use.

    OSPF/BGP will automatically create these entries. Or, if you convert to using separate tunnel interfaces with static routes, the issue would clear.



  • 4.  RE: route based site to site - issues

    Posted 05-25-2015 07:28

    Hi guys, and thanks for taking the time to answer me.

    I've been away and wasn't able to answer earlier.

    Routing for multipoint is done manually by static routing on both hub and spoke. All routes are checked and I believe are correctly configured.

    hub:

    route 172.26.0.0/24 next-hop 10.11.12.11; spoke1 - works fine

    route 172.26.1.0/24 next-hop 10.11.12.12; spoke2 - does not work

    spoke which does not work:

    route 192.168.0.0/24 next-hop st0.0;

    NHTB is configured automatically as these are both SRX devices (I have tried to manually configure the NHTB route):

     

    show security ipsec next-hop-tunnels
    10.11.12.11 st0.0 vpn_1 Auto 42.xx.xx.xx.
    10.11.12.12 st0.0 vpn_2 Auto 72.xx.xx.xx

    There is another Juniper SRX device in front of the spoke SRX which does the NAT on the way out.

    Are there any other things I could check? Here is a similar issue, which the thread starter hasn't resolved:

    http://www.juniperforum.com/index.php?topic=22880.0



  • 5.  RE: route based site to site - issues
    Best Answer

    Posted 05-25-2015 07:54

    Hi,

    After some more troubleshooting, the traffic is flowing.

    I needed to configure the remote identity on the hub for the remote gateway.
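    The hub-side pieces discussed in this thread, pulled together as an added configuration example (not the poster's own config): a multipoint st0.0 with a static route and NHTB entry for spoke2, plus the remote-identity on the spoke2 IKE gateway that resolved the NAT case. The hub st0.0 address 10.11.12.1, the gateway/policy names, the hostname identity, the external interface and the 203.0.113.12 stand-in for the masked 72.xx.xx.xx NAT address are all assumptions.

```junos
/* Hub: multipoint tunnel interface with the NHTB entry for spoke2 */
interfaces {
    st0 {
        unit 0 {
            multipoint;
            family inet {
                /* Maps next-hop 10.11.12.12 to vpn_2. SRX-to-SRX peers fill this in
                   automatically (the "Auto" entries in the thread); static form shown. */
                next-hop-tunnel 10.11.12.12 {
                    ipsec-vpn vpn_2;
                }
                address 10.11.12.1/24;   /* hub st0.0 address: assumed */
            }
        }
    }
}
routing-options {
    static {
        /* spoke2 LAN reached via spoke2's st0.0 address, as in the thread */
        route 172.26.1.0/24 next-hop 10.11.12.12;
    }
}
security {
    ike {
        gateway gw_spoke2 {
            ike-policy ike_pol;                      /* assumed policy name */
            /* Placeholder for the 72.xx.xx.xx address the hub sees after NAT */
            address 203.0.113.12;
            /* The fix from the best answer: a spoke behind NAT sends an IKE ID that is
               not the NAT address, so the hub states explicitly which ID to accept.
               The spoke must send the same value (local-identity hostname ...). */
            remote-identity hostname spoke2.example.net;
            external-interface ge-0/0/0.0;           /* assumed hub outside interface */
        }
    }
    ipsec {
        vpn vpn_2 {
            bind-interface st0.0;
            ike {
                gateway gw_spoke2;
                ipsec-policy ipsec_pol;              /* assumed policy name */
            }
            establish-tunnels immediately;
        }
    }
}
```

    On the hub, `show security ike security-associations detail` shows the identity the spoke actually presented, and `show security ipsec next-hop-tunnels` (used in the thread) confirms the NHTB entry that the route's next-hop relies on.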