SRX Services Gateway

ALG SERVICES FOR IKE-ESP

‎12-24-2013 01:52 AM

Dear All,

Wish you all a merry Christmas!!!

I would like to clarify a few things: one of my clients has configured a route-based VPN from an SRX1400 to a VSAT modem. Behind the SRX1400 there are servers connected, and after the VSAT modem there is the end device.

There are a number of tunnels configured to different locations. What I have seen is that the VPN works great for traffic coming from a particular server, and for the other server there is an issue. If the remote end device powers off and comes back up, the IPsec should also come up. But what I have seen on the SRX is that it shows IPsec is up, but from the server LAN I am unable to ping the remote end device and it is offline.

So is there anything related to ALG here? I have seen many times that ALG blocks traffic. Also, I have checked one PR for the running version of the SRX at the customer's site. The PR is attached in the PDF.

Please comment and share your views.

JMD


Re: ALG SERVICES FOR IKE-ESP

‎12-25-2013 06:53 PM

Hi Jaishan,

Merry Xmas to you too.

The PR you identified is applicable to pass-through VPN, i.e. when the VPN is not terminated on the SRX but rather ESP traffic is passing through the SRX.

However, in your case, the VPN is terminated on the SRX and it is LAN traffic which is affected.

Since you confirmed the VPN shows up on the SRX, could you please let me know how you recover from this issue?

Did you ever run any traceoptions on the SRX to see whether the packets from this server are going to the right tunnel or not?

-Sarab


Re: ALG SERVICES FOR IKE-ESP

‎12-25-2013 10:09 PM

That I understand. To recover from the issue, I have to restart the device connected to the VSAT modem a couple of times; then in some cases it works, and in some other cases we have to disable IPsec on the VSAT and the SRX and then start the device connected to the VSAT. It works fine without IPsec, and then we re-enable IPsec on both sites.

We did check traceoptions on the SRX, but it was not useful.

Another question, if it is pass-through traffic also: when a bit of traffic is coming from the other end to the SRX, it will follow the traffic rules to forward it, in which, if it is a first packet, it checks zone, policy, NAT and ALG also. So if ALG is enabled, then how will it treat it? I have seen something saying that ike-esp will open a gate, etc. Could you explain this to me?

JMD