SRX Services Gateway

Commit check SRX-240 - error:failed to build dop for policy xxxx

10-07-2010 05:55 AM

Hi Guys

Has anyone seen this error before on commit? I am adding a VPN to my SRX cluster, and each time I load in the policy detail I see this message.

srx# commit check
error: Failed to build dop for policy VPN-Pro-xxx-to-Payxxx
error: configuration check-out failed

{primary:node0}[edit]

I have configured several VPNs on this cluster with no problems; this is the first time this has happened.

Thanks

Mooey


Re: Commit check SRX-240 - error:failed to build dop for policy xxxx

10-07-2010 02:57 PM

Hello,

I configured a Policy-Based IPsec VPN on an SRX 210. I got the same message. It was because I didn't set the pair-policy for the other direction.

Example :

root@SRX1# show
from-zone trust to-zone untrust {
    policy vpn-lan2 {
        match {
            source-address lan-local;
            destination-address lan2;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn tunnel1;
                    pair-policy reverse-vpn;
                }
            }
        }
    }
}

The policy "reverse-vpn" must be defined (#set security policies from-zone untrust to-zone trust policy reverse-vpn ...)

Hope this helps

Regards


Re: Commit check SRX-240 - error:failed to build dop for policy xxxx

01-20-2011 11:03 AM

Then where do we have to configure the reverse policy, on the same router where we are getting the error?

Go edit security vpn Reverse-Policy

Then what would be the credential inside this policy?

set ike ?

Faizan

Re: Commit check SRX-240 - error:failed to build dop for policy xxxx

01-20-2011 11:33 AM

The reverse policy references the same VPN object; it's just defined between the two security zones that are the "reverse" of the security zones that you've defined the first policy in.

So if you have a VPN policy configured from-zone untrust to-zone trust, then your reverse policy would be from-zone trust to-zone untrust. The "pair-policy" lists the name of the policy that you configure in each direction.

See my reply in this thread for an example.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
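
Added example (not from any poster in this thread, and not Juniper's own validation code): an offline check, meant to be run on `show | display set` output before `commit check`, for the condition described in the reply above. The policy, zone and VPN names are the ones used in the thread; the configuration text is constructed, and the three checks are assumptions derived from the thread's description of pair-policy.

```python
import re

# Constructed sample in Junos "set" format, reusing the names from the thread.
# BROKEN has only the forward policy; FIXED adds the reverse-direction policy.
BROKEN = """
set security policies from-zone trust to-zone untrust policy vpn-lan2 match source-address lan-local
set security policies from-zone trust to-zone untrust policy vpn-lan2 then permit tunnel ipsec-vpn tunnel1
set security policies from-zone trust to-zone untrust policy vpn-lan2 then permit tunnel pair-policy reverse-vpn
"""
FIXED = BROKEN + """
set security policies from-zone untrust to-zone trust policy reverse-vpn match source-address lan2
set security policies from-zone untrust to-zone trust policy reverse-vpn then permit tunnel ipsec-vpn tunnel1
set security policies from-zone untrust to-zone trust policy reverse-vpn then permit tunnel pair-policy vpn-lan2
"""

POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
TUNNEL = re.compile(r"^then permit tunnel (ipsec-vpn|pair-policy) (\S+)$")

def parse_policies(config):
    """Map (from_zone, to_zone, name) -> tunnel attributes found for that policy."""
    policies = {}
    for line in config.splitlines():
        m = POLICY.match(line.strip())
        if not m:
            continue  # not a security-policy statement
        src, dst, name, rest = m.groups()
        attrs = policies.setdefault((src, dst, name), {})
        t = TUNNEL.match(rest.strip())
        if t:
            attrs[t.group(1)] = t.group(2)
    return policies

def check_pair_policies(config):
    """Return one message per pair-policy reference that is not satisfied."""
    policies = parse_policies(config)
    problems = []
    for (src, dst, name), attrs in sorted(policies.items()):
        pair = attrs.get("pair-policy")
        if pair is None:
            continue  # policy does not use pair-policy, nothing to verify
        peer = policies.get((dst, src, pair))  # referenced name, zones swapped
        if peer is None:
            problems.append(f"{name}: {pair} missing from-zone {dst} to-zone {src}")
        elif peer.get("ipsec-vpn") != attrs.get("ipsec-vpn"):
            problems.append(f"{name}: {pair} references a different ipsec-vpn")
        elif peer.get("pair-policy") != name:
            problems.append(f"{name}: {pair} does not name {name} as its pair-policy")
    return problems

if __name__ == "__main__":
    print(check_pair_policies(BROKEN))
    print(check_pair_policies(FIXED))
```
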

Re: Commit check SRX-240 - error:failed to build dop for policy xxxx

08-08-2013 09:05 AM

Configuring or not configuring pair-policy is not the main reason to cause this error. I have deployed VPN policy-based without this command, and it works properly.

The main reason is that the policy from untrust zone to trust zone and vice versa is not identical.


Re: Commit check SRX-240 - error:failed to build dop for policy xxxx

08-08-2013 01:21 PM

@hoand wrote:

Configuring or not configuring pair-policy is not the main reason to cause this error. I have deployed VPN policy-based without this command, and it works properly.

The main reason is that the policy from untrust zone to trust zone and vice versa is not identical.


Well, this thread has risen from the dead.

When pair-policy is configured in one policy, but the corresponding policy is not configured, then the error will occur, which is the question that was asked.

-kr

