
Can ping only to one direction

  • 1.  Can ping only to one direction

    Posted 10-04-2012 07:33

    Hi All,

     

    I have two tunnels. The first, tunnel.1, works fine for both sites (I can ping from my site and vice versa).

    However, on the second, tunnel.2, I can ping in one direction only: I am unable to ping back from the remote site to the hub. It is probably something related to the policy, but I checked all the configuration and everything seems to be defined properly.

     

    Thanks,



  • 2.  RE: Can ping only to one direction

    Posted 10-04-2012 07:52

    Hi,

     

    Have you configured a route to your local IPs on the remote site FW?



  • 3.  RE: Can ping only to one direction

    Posted 10-04-2012 08:00

    Hi,

     

    The remote site is a Fortinet, and they told me that everything is configured OK on their end.

    When they run tracert to my IP address, it reaches my IPS and then stops.

    Since I'm relatively new to firewalls/networking, I'm wondering what my local IP address actually is.

    On my juniper is defined that way:

     

    Network > Routing > Routing Entries

     

     

      IP/Netmask Gateway Interface Protocol Preference Metric Vsys
    * 192.120.120.0/24   bgroup0 C   Root  
    * 192.120.120.25/32   bgroup0 H   Root  

     

     

    C-> does it mean = Connected?

    H-> does it mean = Host Route?

     

    So what local IP address should be defined on the remote firewall? I've defined 192.120.120.0/24, but I am starting to worry that I may have defined the wrong local IP address.

     

     

    In addition here is my config file:

    ==================================================================================

    unset key protection enable
    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "xxxx-VPN" protocol 47 src-port 2048-2048 dst-port 2048-2048
    set service "xxxx-VPN" + tcp src-port 0-65535 dst-port 1723-1723
    set service "CustomPPTP" protocol 47 src-port 2048-2048 dst-port 2048-2048
    set service "CustomPPTP" + tcp src-port 0-65535 dst-port 1723-1723
    set alg pptp enable
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "xxxxx"
    set admin password "xxxxxxxxxxxxxxxxxx"
    set admin user xxxxv" password "xxxx" privilege "all"
    set admin mail server-name "xxxx"
    set admin mail mail-addr1 "xxxx"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set vip multi-port
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface ethernet0/0 phy full 100mb
    set interface "bri0/0" zone "Untrust"
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "Null"
    set interface "ethernet0/6" zone "Untrust"
    set interface "wireless0/0" zone "Trust"
    set interface "bgroup0" zone "Trust"
    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface "tunnel.3" zone "Untrust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    unset interface vlan1 ip
    set interface ethernet0/0 ip xxx.xx.35.162/29
    set interface ethernet0/0 route
    set interface ethernet0/6 ip xxx.xx.2.2/24
    set interface ethernet0/6 route
    set interface bgroup0 ip xxx.xxx.xxx.25/24
    set interface bgroup0 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/6
    set interface tunnel.2 ip unnumbered interface ethernet0/0
    set interface tunnel.3 ip unnumbered interface ethernet0/0
    set interface "bgroup0" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/6 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/6 manage ping
    set interface ethernet0/6 manage telnet
    set interface ethernet0/6 manage web
    set interface bgroup0 manage ident-reset
    set interface bgroup0 manage mtrace
    set interface ethernet0/6 vip interface-ip 2048 "ML-VPN" xxx.xxx.xxx.8 manual
    set interface ethernet0/0 vip interface-ip 2048 "ML-VPN" xxx.xxx.xxx.8 manual
    set interface ethernet0/0 vip interface-ip 21 "FTP" xxx.xxx.xxx.9
    set interface ethernet0/0 backup interface ethernet0/6 type track-ip
    set interface bgroup0 dhcp server service
    set interface bgroup0 dhcp server auto
    set interface bgroup0 dhcp server option lease 1440000
    set interface bgroup0 dhcp server option gateway xxx.xxx.xxx.25
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option dns1 xxx.xxx.xxx.11
    set interface bgroup0 dhcp server option wins1 xxx.xxx.xxx.11
    set interface bgroup0 dhcp server ip xxx.xxx.xxx.160 to xxx.xxx.xxx.210
    unset interface bgroup0 dhcp server config next-server-ip
    set interface ethernet0/0 dip interface-ip incoming
    set interface ethernet0/6 dip interface-ip incoming
    set interface "ethernet0/0" mip xxx.xxx.35.162 host xxx.xxx.100.16 netmask 255.255.255.255 vr "trust-vr"
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain xxx.xxx.35.60
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 xxx.xxx.101.4 src-interface ethernet0/0
    set dns host dns2 xxx.xxx.101.5 src-interface ethernet0/0
    set dns host dns3 xxx.xxx.101.4 src-interface ethernet0/6
    set dns host schedule 06:28
    set address "Trust" "xxx.xxx.35.162/32" xxx.xxx.35.162 255.255.255.255
    set address "Trust" "xxx.xxx.100.8/32" xxx.xxx.100.8 255.255.255.255
    set address "Trust" "xxx.xxx.2.2/32" xxx.xxx.2.2 255.255.255.255
    set address "Trust" "xxx.xxx.239.98/32" xxx.xxx.239.98 255.255.255.255
    set address "Untrust" "xxx.xxx.0.0/24" xxx.xxx.0.0 255.255.255.0
    set address "Untrust" "xxx.xxx.232.0/22" xxx.xxx.232.0 255.255.252.0 "VPN_2 remote IP"
    set address "Untrust" "NET-ML-Leicester" xxx.xxx..0.0 255.255.255.0
    set crypto-policy
    exit
    set ike p1-proposal "UK-NewVPN" preshare group2 esp 3des md5 second 28800
    set ike p1-proposal "TXT_Proposal_1" preshare group2 esp 3des sha-1 second 86400
    set ike p2-proposal "UK-NewVPN-Phase2" no-pfs esp 3des md5 second 3600
    set ike p2-proposal "TXT_PRoposal_2" group2 esp 3des sha-1 second 3600
    set ike gateway "ML-Leicester" address xxx.xxx.42.75 Main outgoing-interface "bri0/0" preshare "xxxxxxC6l3aqh0nCAbQtVA==" proposal "pre-g2-3des-md5"
    set ike gateway "Uk_through_new_line_fiber" address xxx.xxx..42.75 Aggr outgoing-interface "ethernet0/0" preshare "B4dy4KxxxxxxsER9Vnq25R1+w==" proposal "UK-NewVPN"
    set ike gateway "Uk_through_Old_line_DSL" address 109.204.42.75 Main outgoing-interface "ethernet0/6" preshare "e4I8JtqExxxxxxbCs8CwR+Nn7P6b/Mg==" proposal "pre-g2-3des-md5"
    set ike gateway "TXT_VPN_Phase1" address xxx.xxx.0.196 Main outgoing-interface "ethernet0/0" preshare "dHlI4AKUNxxxxxxinPep22hQ==" proposal "pre-g2-3des-sha"
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "VPN-ML-Leicester" gateway "ML-Leicester" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "VPN-ML-Leicester" monitor source-interface ethernet0/6 destination-ip xxx.xxx.42.75
    set vpn "VPN-ML-Leicester" id 0x1 bind interface tunnel.1
    set vpn "VPN-ML-Leicester (new)" gateway "ML-Leicester" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "VPN-ML-Leicester (new)" monitor source-interface ethernet0/0 destination-ip xxx.xxx.42.75
    set vpn "Vpn_To_Uk_New_Line" gateway "Uk_through_new_line_fiber" no-replay tunnel idletime 0 proposal "UK-NewVPN-Phase2"
    set vpn "Vpn_To_Uk_New_Line" monitor source-interface ethernet0/0 destination-ip xxx.xxx.42.75 optimized
    set vpn "Vpn_To_Uk_New_Line" id 0x6 bind interface tunnel.2
    set vpn "Vpn_To_Uk_New_Line" dscp-mark 0
    set vpn "Uk_through_Old_line" gateway "Uk_through_Old_line_DSL" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
    set vpn "Uk_through_Old_line" monitor source-interface ethernet0/6 destination-ip xxx.xxx.42.75
    set vpn "Uk_through_Old_line" id 0x5 bind interface tunnel.1
    set vpn "Uk_through_Old_line" dscp-mark 0
    set vpn "VPN_TXT_Conn" gateway "TXT_VPN_Phase1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "VPN_TXT_Conn" monitor source-interface ethernet0/0 destination-ip xxx.xxx.0.196 optimized rekey
    set vpn "VPN_TXT_Conn" id 0x7 bind interface tunnel.3
    set vpn "VPN_TXT_Conn" dscp-mark 0
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set vpn "VPN-ML-Leicester" proxy-id local-ip xxx.xxx.100.0/24 remote-ip xxx.xxx.0.0/24 "ANY"
    set vpn "Vpn_To_Uk_New_Line" proxy-id local-ip xxx.xxx.100.0/24 remote-ip xxx.xxx.0.0/24 "ANY"
    set vpn "Uk_through_Old_line" proxy-id local-ip xxx.xxx.100.0/24 remote-ip xxx.xxx.0.0/24 "ANY"
    set vpn "VPN_TXT_Conn" proxy-id local-ip xxx.xxx.100.0/24 remote-ip xxx.xxx.232.0/22 "ANY"
    set policy id 9 from "Untrust" to "Trust" "xxx.xxx.0.0/24" "Any" "ANY" nat src permit traffic priority 0
    set policy id 9
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "xxx.xxx.0.0/24" "ANY" permit log traffic priority 0
    set policy id 1
    set log session-init
    exit
    set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set policy id 4 name "ML-VPN" from "Untrust" to "Trust" "Any" "xxx.xxx.35.162/32" "ML-VPN" permit log
    set policy id 4 disable
    set policy id 4
    set dst-address "xxx.xxx.2.2/32"
    set log session-init
    exit
    set policy id 13 name "FTP" from "Untrust" to "Trust" "Any" "xxx.xxx.35.162/32" "FTP" nat src permit log
    set policy id 13 disable
    set policy id 13
    set dst-address "xxx.xxx.2.2/32"
    set log session-init
    exit
    set policy id 8 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
    set policy id 8
    exit
    set policy id 11 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
    set policy id 11
    exit
    set policy id 14 name "a-ftp" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "FTP" permit
    set policy id 14
    exit
    set policy id 15 name "FTP Access through old Line p06" from "Untrust" to "Trust" "Any" "VIP(ethernet0/6)" "FTP" permit
    set policy id 15
    exit
    set policy id 19 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
    set policy id 19
    exit
    set policy id 20 from "Untrust" to "Trust" "Any" "VIP(ethernet0/6)" "ML-VPN" nat dst ip xxx.xxx.100.8 permit
    set policy id 20 disable
    set policy id 20
    exit
    set policy id 21 from "Untrust" to "Trust" "Any" "xxx.xxx.239.98/32" "ML-VPN" nat dst ip xxx.xxx.2.2 permit
    set policy id 21
    exit
    set policy id 22 from "Untrust" to "Trust" "Any" "VIP(ethernet0/6)" "ML-VPN" nat dst ip xxx.xxx.239.98 permit
    set policy id 22
    exit
    set policy id 23 from "Untrust" to "Trust" "Any" "xxx.xxx.35.162/32" "ML-VPN" permit
    set policy id 23
    exit
    set policy id 16 name "allow_vpn_pc_connection" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "ML-VPN" permit log
    set policy id 16
    set log session-init
    exit
    set policy id 24 name "alex" from "Untrust" to "Trust" "xxx.xxx.0.0/24" "xxx.xxx.35.162/32" "ANY" permit
    set policy id 24
    exit
    set policy id 25 name "Voip-Connection" from "Untrust" to "Trust" "xxx.xxx.0.0/24" "MIP(xxx.xxx.35.162)" "VOIP" permit
    set policy id 25
    exit
    set policy id 26 from "Trust" to "Untrust" "Any" "xxx.xxx.232.0/22" "ANY" permit log traffic priority 0
    set policy id 26
    set log session-init
    exit
    set policy id 27 name "TXT_VPN_Conn" from "Untrust" to "Trust" "xxx.xxx.232.0/22" "xxx.xxx.35.162/32" "ANY" permit
    set policy id 27
    exit
    set policy id 28 from "Untrust" to "Trust" "xxx.xxx.232.0/22" "Any" "ANY" nat src permit traffic priority 0
    set policy id 28
    exit
    set nsmgmt report proto-dist enable
    set nsmgmt report statistics ethernet enable
    set nsmgmt report statistics attack enable
    set nsmgmt report statistics flow enable
    set nsmgmt report statistics policy enable
    set nsmgmt report alarm traffic enable
    set nsmgmt report alarm attack enable
    set nsmgmt report alarm other enable
    set nsmgmt report alarm di enable
    set nsmgmt report log config enable
    set nsmgmt report log info enable
    set nsmgmt report log self enable
    set nsmgmt report log traffic enable
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set ntp server "xxx.xxx.15.28"
    set ntp server src-interface "ethernet0/0"
    set ntp server backup1 "xxx.xxx.15.29"
    set ntp server backup1 src-interface "ethernet0/0"
    set ntp interval 600
    set wlan 0 channel auto
    set wlan 1 channel auto
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway xxx.xxx.35.161
    set route xxx.xxx..0.0/24 interface tunnel.2 metric 2
    set route xxx.xxx.0.0/24 interface ethernet0/6 gateway xxx.xxx.2.1 metric 3 permanent
    set route xxx.xxx.232.0/22 interface tunnel.3
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    ===================================================================================

     

     

    Thanks in advance for your assistance!



  • 4.  RE: Can ping only to one direction

    Posted 10-04-2012 18:27

    Hi,

     

    >>>C-> does it mean = Connected?: Yes

    >>>H-> does it mean = Host Route?: Yes

    >>>So what is my local IP address should be defined on the remote FireWall? I've defined 192.120.120.0/24, but I started to concern maybe I defined wrong local IP address.
    The remote side should have a route for 192.120.120.0/24

     

    You mentioned that the trace stops at IPS, is IPS directly placed in front of the firewall? As the VPN tunnel terminates on the firewall, when the packet is received on IPS it should still be encrypted.
    Is the trace coming through the VPN tunnel?
    I hope that from remote site you are trying to ping the bgroup0 interface ip address.

    From the list of policies can you please point out the policies that are used for this VPN?


    Regards.
    Hardeep



  • 5.  RE: Can ping only to one direction

    Posted 10-05-2012 05:48

    Hi,

     

    I'm unable to ping my Untrust zone interface IP address. When I run tracert I can see that it stops on my IPS, before my firewall, even though I can reach my Untrust zone IP address xxx.xxx.35.162/32.

     

    Here is my policy 

     

    Remote IP address: xxx.xxx.232.0/22

    My UnTrust interface IP address (ethernet0/0): xxx.xxx.35.162/32

     

    =====================================================================================

    set policy id 26 from "Trust" to "Untrust" "Any" "xxx.xxx.232.0/22" "ANY" permit log traffic priority 0

    set policy id 26
    set log session-init
    exit
    set policy id 27 name "TXT_VPN_Conn" from "Untrust" to "Trust" "xxx.xxx.232.0/22" "xxx.xxx.35.162/32" "ANY" permit
    set policy id 27
    exit
    set policy id 28 from "Untrust" to "Trust" "xxx.xxx.232.0/22" "Any" "ANY" nat src permit traffic priority 0
    set policy id 28

     

    =====================================================================================

     

    Thanks in advance,



  • 6.  RE: Can ping only to one direction

    Posted 10-06-2012 03:58

    Hi,

     

    Sorry, I am a bit confused after your latest update.
    From the remote site are you trying to ping the untrust interface? Is this connection coming over the VPN?

    Also, the untrust to trust policy does not seem right.
    From the logs I see you have route as:
    set route xxx.xxx..0.0/24 interface tunnel.2 metric 2
    Also, bg0 has IP as 192.120.120.0/24

    So I would think that untrust to trust policy should be from xxx.xxx..0.0/24 to 192.120.120.0/24

    Let me know if this helps.

     

    Regards.
    Hardeep



  • 7.  RE: Can ping only to one direction

    Posted 10-06-2012 05:36

    Hi,

     

    Let me clarify: it's correct, I'm trying to ping my Untrust zone IP address.

     

    UnTrust

    xxx.xxx.85.162

     

    Trust zone

    My local IP address range is 192.120.120.0/24

     

    Tunnel.2 is the first VPN, to another site, which is working fine.

     

    I have a problem with the second VPN, which is bound to tunnel.3.

     

    I can reach  192.169.232.0/22 site B

     

    But I can't reach (Untrust) xxx.xxx.85.162 from site B, 192.169.232.0/22.

     

    In the policy traffic log I see the following traffic denied:

    Traffic.PNG 

     

    Thanks, 



  • 8.  RE: Can ping only to one direction

    Posted 10-06-2012 16:08

    hello,

     

    As per my understanding, there could be 3 reasons for traffic being denied in a VPN:

    1. The proxy ID is mismatched. From 6.3 onwards, if you have given the proxy ID as x.x.0.0/24 and the remote as x.x.239.0/24 on both sides, the VPN will come up. But Juniper then expects the traffic source and destination to also be in the same range. If the traffic hits the Juniper firewall, the firewall decrypts it and sees that the source is x.x.120.0/24 whereas in my proxy ID the source should be x.x.0.0/24; it will then deny the connection, and you will see "traffic denied" in the policy logs.

     

    2. Say that I have 2 VPNs, the 1st through tunnel.2 and the 2nd through tunnel.3. Now say that I sent the packet through tunnel.2, but on the remote end there is some routing problem and I received the reply on tunnel.3. In that case the firewall will also say traffic denied, because it was expecting the reply on tunnel.2 but it came in on tunnel.3, so it denied it.

     

    3. The policy action is deny.

     

    I suggest you paste the debug flow basic output for the ICMP packet, both for the outgoing packet and for the reply received. I will check it and let you know the possible reason behind it.

     

    thanks



  • 9.  RE: Can ping only to one direction

    Posted 10-07-2012 07:13

    Hi All,

     

    It's really odd: when I switched the ANY to ANY policy to PERMIT for a couple of minutes I was able to ping from remote site B to my office, but that is not the weird part. The really odd thing is that when I disabled (DENY) the ANY to ANY policy, I could still ping from remote site B to my office and everything worked fine. I have to note that the ANY to ANY policy was indeed disabled.

    How come?

     

    Thanks,



  • 10.  RE: Can ping only to one direction

    Posted 10-07-2012 20:39

    OK, to understand it right: you modified the untrust to trust policy to ANY ANY, and then ping from site B to your site works fine?

    What IP address are you pinging, the untrust interface?

    I think a debug will be helpful for a better understanding of the problem:

     

    set ff src-ip <site B> dst-ip <ip>

    undebug all

    clear db

    debug flow basic

    initiate ping

    undebug all

    get db st

     

    Regards.

    Hardeep



  • 11.  RE: Can ping only to one direction

    Posted 10-08-2012 09:43

    Hi,

     

    I pinged from site B to the trust zone, 192.120.120.0/24.

    Anyway, so far it works fine. I'm trying to figure out how I can turn on the debug, since I'm using the web interface and not the CLI.

    Once I find out how to run the debug, I'll run the debug tests and post the results.

     

    Thanks a lot for your assistance!



  • 12.  RE: Can ping only to one direction

    Posted 10-08-2012 21:40

    Hi,

     

    Debug is possible only from the CLI.

    It is better to have read/write access.

     

    Regards.

    Hardeep



  • 13.  RE: Can ping only to one direction

    Posted 10-11-2012 11:25

    Hi,

     

    Once I added the additional third tunnel, with the ANY -> ANY policy set to DENY I can no longer ping from site B to my office.

    Here is debug output:

     

    Remote IP address : 194.128.232.71

    My Local IP address  192.120.120.14

     

    I ping from 194.128.232.71 IP to 192.120.120.14

    ===============================================================================

    tunnel.3:194.128.232.71/5329->192.120.120.14/1,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <tunnel.3>, out <N/A>
    chose interface tunnel.3 as incoming nat if.
    flow_first_routing: in <tunnel.3>, out <N/A>
    search route to (tunnel.3, 194.128.232.71/5329->192.120.120.14) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 5.route 192.120.120.14->192.100.100.14, to bgroup0
    routed (x_dst_ip 192.120.120.14) from tunnel.3 (tunnel.3 in 0) to bgroup0
    policy search from zone 1-> zone 2
    policy_flow_search policy search nat_crt from zone 1-> zone 2
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.120.120.14, port 14474, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 11/6/0x8
    log this session (pid=11)
    policy id (11)
    packet dropped, denied by policy
    Policy id deny policy, ipv6 0, flow_potential_violation 0
    **** pak processing end.

    ****** packet decapsulated, type=ipsec, len=60******
    ipid = 21477(53e5), @03831f30
    tunnel.3:194.128.232.71/5335->192.120.120.14/1,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <tunnel.3>, out <N/A>
    chose interface tunnel.3 as incoming nat if.
    flow_first_routing: in <tunnel.3>, out <N/A>
    search route to (tunnel.3, 194.128.232.71->192.120.120.14) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 5.route 192.120.120.14->192.120.120.14, to bgroup0
    routed (x_dst_ip 192.120.120.14) from tunnel.3 (tunnel.3 in 0) to bgroup0
    policy search from zone 1-> zone 2
    policy_flow_search policy search nat_crt from zone 1-> zone 2
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.120.120.14, port 14468, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 11/6/0x8
    log this session (pid=11)
    policy id (11)
    packet dropped, denied by policy
    Policy id deny policy, ipv6 0, flow_potential_violation 0
    **** pak processing end.
    flow_ip_send: 4be2:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be3:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be4:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be5:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be6:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be8:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be7:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    flow_ip_send: 4be9:97.74.183.128->192.120.120.103,6 => bgroup0(1300) flag 0x20000, vlan 0
    pak has mac
    Send to bgroup0 (1314)
    ****** packet decapsulated, type=ipsec, len=60******
    ipid = 21479(53e7), @038dbf30
    tunnel.3:194.128.232.71/5336->192.120.120.14/1,1(8/0)<Root>
    no session found
    flow_first_sanity_check: in <tunnel.3>, out <N/A>
    chose interface tunnel.3 as incoming nat if.
    flow_first_routing: in <tunnel.3>, out <N/A>
    search route to (tunnel.3, 194.128.232.71->192.120.120.14) in vr trust-vr for vsd-0/flag-0/ifp-null
    [ Dest] 5.route 192.120.120.14->192.120.120.14, to bgroup0
    routed (x_dst_ip 192.120.120.14) from tunnel.3 (tunnel.3 in 0) to bgroup0
    policy search from zone 1-> zone 2
    policy_flow_search policy search nat_crt from zone 1-> zone 2
    RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.120.120.14, port 14467, proto 1)
    No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 11/6/0x8
    log this session (pid=11)
    policy id (11)
    packet dropped, denied by policy
    Policy id deny policy, ipv6 0, flow_potential_violation 0
    **** pak processing end.

     ================================================================================

     

    Thanks in advance,

     



  • 14.  RE: Can ping only to one direction

    Posted 10-17-2012 06:01

    Hi All,

     

    According to my debug output, any suggestions why I can't ping back to the main office from site B?

     

    Thanks in advance, 



  • 15.  RE: Can ping only to one direction

     
    Posted 10-17-2012 13:44

    Hello.

     

    log this session (pid=11)
    policy id (11)
    packet dropped, denied by policy

     

     

    Ping is dropped by policy id 11 on the firewall where debug was done.

     

    Regards,

    Sam



  • 16.  RE: Can ping only to one direction

    Posted 10-19-2012 13:07

    Thank you Samc, 

    I have checked policy 11; it's the "ANY to ANY" policy and it should block everything. I have a policy which permits traffic from 194.128.232.71 to ANY — why doesn't it work?

     

    Thanks in advance,



  • 17.  RE: Can ping only to one direction

    Posted 10-20-2012 20:47

    Hi,

    If you have a policy from untrust to trust that is placed above policy id 11, then it should have worked. Policies for a zone pair are matched in list order and the first match wins, so a permit listed below a deny-all policy is never reached.
    Can you share the policy details here.
    Also, check the details of the policy (get policy id <id>) that you have configured to permit the traffic.

    Regards.
    Hardeep



  • 18.  RE: Can ping only to one direction

    Posted 10-22-2012 12:38

    Hi Hardeep,

     

    Could you kindly clarify what you mean by "placed above policy id 11"? How can I place policy 36 on top of policy 11?

     

    Here is the output of the get policy:

     

    =======================================

    get policy id 11
    name:"none" (id 11), zone Untrust -> Trust,action Deny, status "enabled"
    src "Any", dst "Any", serv "ANY"
    Rules on this VPN policy: 0
    nat off, Web filtering : disabled
    vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
    traffic shaping off, scheduler n/a, serv flag 00
    log close, log count 7387, alert no, counter no(0) byte rate(sec/min) 0/0
    total octets 1658450, counter(session/packet/octet) 0/0/0
    priority 7, diffserv marking Off
    tadapter: state off, gbw/mbw 0/0 policing (no)
    No Authentication
    No User, User Group or Group expression set

     

    =======================================
    get policy id 36
    name:"none" (id 36), zone Untrust -> Trust,action Permit, status "enabled"
    src "194.128.232.71/22", dst "Any", serv "ANY"
    Rules on this VPN policy: 0
    nat src, Web filtering disabled
    vpn unknown vpn, policy flag 00000020, session backup: on, idle reset: on
    traffic shaping on, scheduler n/a, serv flag 00
    log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
    total octets 37359, counter(session/packet/octet) 0/0/0
    priority 0, diffserv marking Off
    tadapter: state on, gbw/mbw 0/0 policing (no)
    ----------------------------------------------------------------------------
    tmng (32): interface tunnel.3 state on priority 0
    bw usage [for last one second]: 0 kbps
    pak queue(cur/max): 0/110
    pak received: 82
    pak dropped(out/shared): 0/0
    PreShapingBytes (dropped/total): 0/32852
    diffserv-marking: 0x0
    elapsed time: 133072 ms
    gbw/mbw: 0/0 (kbps)
    gbw_q/mbw_q: 0/0
    shared_tmng: 24
    PostShapingBytes(total/borrowed):32852/32852
    tokens (regular/borrowd): 0/0
    token bucket (gbl/mbl): 2128/2128
    tokens(gua/max): 0/0
    ----------------------------------------------------------------------------
    tmng (33): interface bgroup0 state on priority 0
    bw usage [for last one second]: 0 kbps
    pak queue(cur/max): 0/110
    pak received: 73
    pak dropped(out/shared): 0/0
    PreShapingBytes (dropped/total): 0/8810
    diffserv-marking: 0x0
    elapsed time: 133073 ms
    gbw/mbw: 0/0 (kbps)
    gbw_q/mbw_q: 0/0
    shared_tmng: 18
    PostShapingBytes(total/borrowed):8810/8810
    tokens (regular/borrowd): 0/0
    token bucket (gbl/mbl): 2128/2128
    tokens(gua/max): 0/0
    No Authentication
    No User, User Group or Group expression set

     

    Thanks in advance,



  • 19.  RE: Can ping only to one direction
    Best Answer

     
    Posted 10-22-2012 12:41

    set policy move 36 before 11



  • 20.  RE: Can ping only to one direction

    Posted 10-23-2012 13:43

    Hi Folks,

     

    Thanks a lot for your assistance, it helped me to set up the VPN and configure it from scratch.

     

    The move policy solved the issue, now everything works fine!

     

    Regards,



  • 21.  RE: Can ping only to one direction

    Posted 08-18-2017 14:16

    Hello,

     

    I saw the posts here and I believe you can help me find the problem in my SRX configuration. I set up an IPsec VPN between an SRX and an ASA; all tunnels are up, but I can only ping in one direction, from behind the ASA to the local network behind the SRX!

     

    Would you please let me know what my policy order should be.

     

    Thanks,

     

    Omid Rajaee