SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

site to site vpn not stable

  • 1.  site to site vpn not stable

    Posted 10-30-2014 08:36

    10.2.143.226 <-> 203.199.178.211 is the traffic flow we want to protect.
    10.2.143.x is on my side.
    Sometimes the peer says they cannot access the server through the VPN.


    show security ike security-associations
    show security ipsec security-associations

    look normal.

    Sometimes it looks like this, but I can still ping:

    <131081 ESP:3des/md5 80b58d6 expir/expir - root 500 203.199.178.219
    >131081 ESP:3des/md5 c0b8de99 expir/expir - root 500 203.199.178.219

     

     

    Here is the session information:
    Session ID: 20015439, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 10, Valid
    In: 10.2.143.226/47 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 203.199.178.211/19807 --> 10.2.143.226/47;icmp, If: st0.9, Pkts: 0, Bytes: 0

    Session ID: 20151015, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 18, Valid
    In: 10.2.143.226/51 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 203.199.178.211/19807 --> 10.2.143.226/51;icmp, If: st0.9, Pkts: 0, Bytes: 0

    Session ID: 20246623, Policy name: VPN-IMI-HYD-CCT-to-Remote/68, State: Active, Timeout: 10, Valid
    In: 10.2.143.226/48 --> 203.199.178.211/19807;icmp, If: reth1.803, Pkts: 1, Bytes: 100
    Out: 203.199.178.211/19807 --> 10.2.143.226/48;icmp, If: st0.9, Pkts: 0, Bytes: 0

     

    When I check the log I can see many entries like this:

    Oct 28 05:31:42 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 05:31:47 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 05:31:49 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=AK煨^A"M- 燗N@, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 05:31:52 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Received delete notification [spi=^D`漆V>蚟HX㎎A^W隡-^KxAK煨uL, src_ip=41.77.220.137, dst_ip=203.199.178.219]
    Oct 28 06:23:47 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:23:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:23:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=8090eaa, src_ip=41.77.220.137, dst_ip=203.199.178.219]
    Oct 28 06:24:51 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:25:01 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:25:01 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=8ffb5ca, src_ip=41.77.220.137, dst_ip=203.199.178.219]
    Oct 28 06:25:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:26:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: ISAKMP negotiation retry limit reached [spi=@W^S^]TM-^Q9氽鏭_^Qds, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 06:26:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=87bec22, src_ip=41.77.220.137, dst_ip=203.199.178.219]
    Oct 28 07:22:57 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 07:23:07 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]
    Oct 28 07:23:17 KS-MTC-INTFW01 (FPC Slot 1, PIC Slot 0) SPC1_PIC0 kmd[213]: IKE Phase-1 Failure: Invalid cookie recvd [spi=, src_ip=<none>, dst_ip=203.199.178.219]

     

     

    When I execute

    clear security ipsec security-associations index 131081

    I can ping again. So has anyone met this before?

    Attachment(s): IMI-HYD VPN.txt (txt, 12 KB, 1 version)


  • 2.  RE: site to site vpn not stable

    Posted 10-30-2014 22:32

    Hi caulfiedd,

     

    I think you are using a high-end SRX device.

     

    Ensure that the time on the SPC card and the RE is the same. If there is a difference in time between the SPC card and the RE, then you will see this expir/expir issue.


    Follow this KB article to sync the time on the SPC card and the RE:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24067&smlogin=true


    After correcting the time, verify the VPN traffic.

     

    +++++++++++++++++++++++++++++++++

     

    When the tunnel comes up and is working fine, if for some reason either peer removes the tunnel, it has to update the remote party that it has removed the IPsec SA.

     

    If the delete request is not sent to the remote party, then both devices will have IPsec SAs with wrong SPI values (the inbound SPI of one device should be the outbound SPI of the other device and vice versa).

     

    When the SPI values are mismatched, the ESP traffic sent by one device will not match the ESP session on the other device and this traffic will be dropped.

     

    admin@Kasen-FW> show security ipsec security-associations
      ID    Algorithm        SPI       Life:sec/kb  Mon vsys Port  Gateway
    <131079   ESP:des/ sha1  8d211f8   28767/unlim   -   root 500  100.100.100.1
    >131079   ESP:des/ sha1  d1ace044  28767/unlim   -   root 500  100.100.100.1

     

    When the traffic is not working, check the IPsec SA details on both devices.

     

    This inbound SPI value 8d211f8 should be equal to the outbound SPI value on the other device.
    This outbound SPI value d1ace044 should be equal to the inbound SPI value on the remote device.

     

     

    So when you clear the IPsec SA, it will send a delete request to the remote device so that both can rekey at the same time with correct SPI values.


    I have seen remote 3rd-party devices not sending a delete request to the SRX to clear the tunnel and rekey when they are cleared on the 3rd-party device.

     

    Configure VPN monitoring and dead peer detection on the SRX to detect these failures and clear the tunnel on the SRX.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10119&pmv=print

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
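The SPI cross-check described in the reply above, as an added example that is not part of the thread and not Juniper code: it parses the SA table printed by "show security ipsec security-associations" on each peer, and reports local SAs whose SPI has no mirror-image counterpart on the other side (a local inbound SPI must be the peer's outbound SPI and vice versa), plus SAs whose lifetime column reads "expir". The SRX rows are the ones quoted in the thread; the peer rows (PEER_OK, PEER_STALE, gateway 100.100.100.2) are constructed to mirror or contradict them.

```python
"""Cross-check IPsec SA SPIs between two peers from their SA tables."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    direction: str   # '<' inbound, '>' outbound (Junos convention)
    index: int       # SA index as printed by Junos
    algorithm: str   # e.g. 'ESP:3des/md5'
    spi: int         # SPI as an integer, so '8d211f8' and '0x08D211F8' compare equal
    lifetime: str    # 'Life:sec/kb' column, e.g. '28767/unlim' or 'expir/expir'
    gateway: str     # remote gateway address


def parse_sa_table(text: str) -> list:
    """Parse SA rows from 'show security ipsec security-associations' output.

    Header and blank lines are skipped. Fields are taken from the right-hand
    end of each row because the algorithm column may contain a space
    (Junos prints 'ESP:des/ sha1').
    """
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in "<>":
            continue
        tokens = line.split()
        if len(tokens) < 7:
            continue
        gateway, lifetime, spi = tokens[-1], tokens[-5], tokens[-6]
        algorithm = " ".join(tokens[1:-6]).replace("/ ", "/")
        sas.append(IpsecSa(line[0], int(tokens[0][1:]), algorithm,
                           int(spi, 16), lifetime, gateway))
    return sas


def unmatched_spis(local: list, remote: list) -> list:
    """Return local SAs whose SPI is not mirrored on the remote peer.

    If either side rekeyed without the other learning about it (no delete
    notification), ESP from the stale side carries an SPI the receiver does
    not know and is silently dropped; this is what the check surfaces.
    """
    remote_in = {sa.spi for sa in remote if sa.direction == "<"}
    remote_out = {sa.spi for sa in remote if sa.direction == ">"}
    return [sa for sa in local
            if sa.spi not in (remote_out if sa.direction == "<" else remote_in)]


def expired_sas(sas: list) -> list:
    """SAs whose lifetime column shows 'expir' (the expir/expir state seen in the thread)."""
    return [sa for sa in sas if "expir" in sa.lifetime]


# Constructed sample input. SRX_SAS are the rows quoted in the thread; the
# peer rows are made up: PEER_OK mirrors the SRX, PEER_STALE has rekeyed.
SRX_SAS = """\
  ID    Algorithm        SPI       Life:sec/kb  Mon vsys Port  Gateway
<131079   ESP:des/ sha1  8d211f8   28767/unlim   -   root 500  100.100.100.1
>131079   ESP:des/ sha1  d1ace044  28767/unlim   -   root 500  100.100.100.1
"""
PEER_OK = """\
<2001   ESP:des/sha1  d1ace044  28767/unlim   -   root 500  100.100.100.2
>2001   ESP:des/sha1  8d211f8   28767/unlim   -   root 500  100.100.100.2
"""
PEER_STALE = """\
<2001   ESP:des/sha1  0a1b2c3d  27990/unlim   -   root 500  100.100.100.2
>2001   ESP:des/sha1  4e5f6071  27990/unlim   -   root 500  100.100.100.2
"""
EXPIRED = """\
<131081 ESP:3des/md5 80b58d6 expir/expir - root 500 203.199.178.219
>131081 ESP:3des/md5 c0b8de99 expir/expir - root 500 203.199.178.219
"""

if __name__ == "__main__":
    local = parse_sa_table(SRX_SAS)
    for name, peer_text in (("PEER_OK", PEER_OK), ("PEER_STALE", PEER_STALE)):
        bad = unmatched_spis(local, parse_sa_table(peer_text))
        print(f"{name}: {len(bad)} SA(s) without a counterpart")
        for sa in bad:
            print(f"  {sa.direction}{sa.index} spi={sa.spi:x} gateway={sa.gateway}")
    for sa in expired_sas(parse_sa_table(EXPIRED)):
        print(f"expired: {sa.direction}{sa.index} spi={sa.spi:x}")
```

Run the script with the two tables pasted in from each device: an empty result from unmatched_spis means the SPIs line up and the problem is elsewhere; entries mean one side is holding a stale SA, which is the case where clearing the SA (and sending the delete) makes traffic flow again.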



  • 3.  RE: site to site vpn not stable

    Posted 10-31-2014 02:02

    Thank you for your reply.

    For your first solution: because there are other VPNs on my firewall and only this one has this problem, maybe it is not a time difference problem.

    I will try your second solution and monitor the VPN status. Thank you.



  • 4.  RE: site to site vpn not stable

    Posted 10-31-2014 02:23

    But I still have a question. There is a router between the firewall and the data flow I want to protect. How can I define the source IP for monitoring the VPN? Waiting for your response.



  • 5.  RE: site to site vpn not stable

    Posted 10-31-2014 03:50

    Hi ,

     

    In the SRX configuration there is no option to configure a source IP address for VPN monitoring.

    Only the source interface option is available.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 6.  RE: site to site vpn not stable

    Posted 10-31-2014 07:18

    Thank you for your help, but my topology is like this: router----FW--------FW----router. The traffic we want to protect begins behind the router; if we use an interface on the FW, the traffic will not go through the VPN. How can I monitor the VPN?



  • 7.  RE: site to site vpn not stable

    Posted 10-31-2014 07:28

    Hi Caulfiedd,

     

    Are you using Juniper devices at both ends as the IPsec gateways?

     

    Regards,

    rparthi



  • 8.  RE: site to site vpn not stable

    Posted 10-31-2014 07:35

    No, on my side it is an SRX 1400, the peer is an ASA. So is that the problem?



  • 9.  RE: site to site vpn not stable

    Posted 10-31-2014 09:48

    Hi Caulfiedd,

     

    Yes, the Cisco ASA does not send a delete request to the remote peer when the tunnel is dropped.

     

    You can use Dead Peer Detection as an alternative to VPN monitoring.

     

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/ipsec-dead-peer-detection-understanding.html

     

    Dead peer detection (DPD) is a method that network devices use to verify the current existence and availability of other peer devices.

     

    You can use DPD as an alternative to VPN monitoring. However, you cannot use both features simultaneously. VPN monitoring applies to an individual IPsec VPN, while DPD is configured only in an individual IKE gateway context.

     

    If the device does not receive an R-U-THERE-ACK message during the interval, it considers the peer dead.

     

    When the device changes the status of a peer device to be dead, the device removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 10.  RE: site to site vpn not stable

    Posted 11-01-2014 11:28
    Thank you for your help. I have taken your suggestion and continue to monitor the VPN status. I will tell you the result.


  • 11.  RE: site to site vpn not stable

    Posted 11-04-2014 02:23

    Hi Caulfiedd,

     

    Did the VPN tunnel stay up?

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     

     

     



  • 12.  RE: site to site vpn not stable

    Posted 11-04-2014 03:00

    We use IKEv1, but I find that DPD has to be configured on both sides when using IKEv1. We asked the peer to implement DPD; their engineer seems to know little about this. They are trying to do that now.

    I got some new information: when I can't ping the peer, I use

    clear security ipsec security-associations index 131081

    and I am able to ping the peer again.

    What's more, on their FW they provided this log:

     

    ESP packet (SPI= 0x3ED972F3, sequence number= 0x6AA) from 41.77.220.137 (user= 41.77.220.137) to 203.199.178.219.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 203.199.178.211, its source as 10.2.143.233, and its protocol as icmp.  The SA specifies its local proxy as 203.199.178.211/255.255.255.255/ip/0 and its remote_proxy as 10.2.143.160/255.255.255.224/ip/0.

     

    Yes, the log says the local proxy is 203.199.178.211/32 and the remote is 10.2.143.160/27.

    But on our side the local proxy is 10.2.143.0/24 and the remote is 203.199.178.211/32.

    Because I am not the builder of the VPN, I wonder how it was working fine before. Anyway, I have told the peer to confirm the correct local proxy and remote proxy, and we will change both on our side. Thank you for your help; I will let you know the news. Do you have any new suggestions?



  • 13.  RE: site to site vpn not stable

    Posted 11-05-2014 00:14

    Hi rparthi

     

    I know that on my side the local proxy is 10.2.143.0/24 and the remote proxy is 203.199.178.219/25,

    but on their side the remote proxies are 10.2.143.160/27 and 10.2.143.224/27, and the local proxy is 203.199.178.219/25.

    Is that the problem?

    And every morning there is a log that says

    Nov  5 06:45:00 KS-MTC-INTFW01 newsyslog[35880]: logfile turned over due to size>1024K

    and after that no more log comes.

    I have to clear the log messages. How can I resolve this problem?



  • 14.  RE: site to site vpn not stable
    Best Answer

    Posted 11-05-2014 01:18

    Hi ,

     

    Yes, it is a problem.

     

    Either Cisco can change the remote proxy-id to 10.2.143.0/24, or you need to change the SRX configuration so that it has 2 subnets as local proxy (10.2.143.160/27 and 10.2.143.224/27).

     

     

    If you decide to change the SRX side, then you need two Phase 2 configurations.

     

    Existing one for st0.9:

     

    set security ipsec vpn IMI-HYD-VPN-1 bind-interface st0.9
    set security ipsec vpn IMI-HYD-VPN-1 ike gateway IMI-HYD-GW01
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity local 10.2.143.160/27
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity remote 203.199.178.211/32
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity service any
    set security ipsec vpn IMI-HYD-VPN-1 ike ipsec-policy IMI-HYD-ipsec-phase2-policy
    set security ipsec vpn IMI-HYD-VPN-1 establish-tunnels immediately

     

    and create a new st0.X for the second subnet:

     

    set security ipsec vpn IMI-HYD-VPN-1 bind-interface st0.10
    set security ipsec vpn IMI-HYD-VPN-1 ike gateway IMI-HYD-GW01
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity local 10.2.143.224/27
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity remote 203.199.178.211/32
    set security ipsec vpn IMI-HYD-VPN-1 ike proxy-identity service any
    set security ipsec vpn IMI-HYD-VPN-1 ike ipsec-policy IMI-HYD-ipsec-phase2-policy
    set security ipsec vpn IMI-HYD-VPN-1 establish-tunnels immediately

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
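The proxy-ID mismatch worked through in posts 12 to 14, as an added example that is not part of the thread and not Juniper or Cisco code: each side's proxy-ID is modelled as a (local, remote) prefix pair, mirrors() tells whether the two sides agree the way IKEv1 Phase 2 requires, accepting_sa() reproduces the receiver-side check the ASA log describes (the decapsulated inner source must sit in the remote proxy and the inner destination in the local proxy, otherwise the packet is dropped), and split_to_match() derives the per-subnet SRX proxy-IDs of the fix above from the peer's list. Prefixes and the hosts 10.2.143.233 and 10.2.143.226 come from the thread; the host 10.2.143.50 and the ASA_BEFORE/ASA_AFTER lists are constructed to show the before and after state.

```python
"""Proxy-ID (traffic selector) consistency check for a site-to-site IPsec VPN."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyId:
    local: ipaddress.IPv4Network    # addresses behind this device
    remote: ipaddress.IPv4Network   # addresses behind the peer


def proxy(local: str, remote: str) -> ProxyId:
    """Build a ProxyId from two prefix strings."""
    return ProxyId(ipaddress.ip_network(local), ipaddress.ip_network(remote))


def mirrors(mine: ProxyId, theirs: ProxyId) -> bool:
    """IKEv1 Phase 2 only agrees when my local == their remote and my remote == their local."""
    return mine.local == theirs.remote and mine.remote == theirs.local


def accepting_sa(receiver_proxies: List[ProxyId], src: str, dst: str) -> Optional[int]:
    """Index of the receiver's proxy-ID that admits an inner packet src->dst, or None.

    None is the 'decapsulated inner packet doesn't match the negotiated
    policy in the SA' case from the ASA log: the packet is dropped even
    though the sender encrypted it under a valid SA.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, p in enumerate(receiver_proxies):
        if s in p.remote and d in p.local:
            return i
    return None


def split_to_match(mine: ProxyId, peer_proxies: List[ProxyId]) -> List[ProxyId]:
    """Replace one wide local proxy-ID by one per peer subnet it covers.

    This is the SRX-side option from the reply above: one VPN (one st0.X)
    per peer subnet, each with a proxy-ID that mirrors the peer's.
    """
    return [ProxyId(p.remote, mine.remote) for p in peer_proxies
            if p.remote.subnet_of(mine.local) and p.local == mine.remote]


# Constructed sample: SRX side as stated in the thread, ASA side first as its
# log reported (only the first /27), then with both /27s the peer confirmed.
SRX = proxy("10.2.143.0/24", "203.199.178.211/32")
ASA_BEFORE = [proxy("203.199.178.211/32", "10.2.143.160/27")]
ASA_AFTER = [proxy("203.199.178.211/32", "10.2.143.160/27"),
             proxy("203.199.178.211/32", "10.2.143.224/27")]
PEER_HOST = "203.199.178.211"

if __name__ == "__main__":
    print("SRX /24 mirrors ASA /27:", mirrors(SRX, ASA_BEFORE[0]))
    for host in ("10.2.143.233", "10.2.143.226", "10.2.143.50"):
        before = accepting_sa(ASA_BEFORE, host, PEER_HOST)
        after = accepting_sa(ASA_AFTER, host, PEER_HOST)
        print(f"{host} -> {PEER_HOST}: before={before} after={after}")
    for fixed, theirs in zip(split_to_match(SRX, ASA_AFTER), ASA_AFTER):
        print(f"SRX proxy local {fixed.local} remote {fixed.remote} "
              f"mirrors peer: {mirrors(fixed, theirs)}")
```

The third host (10.2.143.50) shows the residual gap once the SRX keeps a /24 and the ASA lists only the two /27s: the SRX still encrypts its traffic, but the ASA has no SA that admits it, so it is dropped with the same log message.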

     



  • 15.  RE: site to site vpn not stable

    Posted 11-05-2014 01:47

    Thank you very much. I asked the peer to change it. It is a very stupid error. Customers always like to change the network without discussing it with us; when a problem arises they complain to you and mail you, saying "please check". I think it is important to know the issue is not on our side when working at an ISP. We will continue to monitor the VPN and tell you the news.