I'm working with another IT person who has a Cisco to change a VPN between my Juniper and his Cisco.
The original VPN we had, which was single-host to single-host, worked perfectly (192.168.16.7/32 -> 192.168.1.21/32). We then changed from single-host (his side 192.168.1.21/32) to multi-host on my side (192.168.16.0/24). Although both devices say the VPN is up, I cannot ping his host from my network.
We then switched back to the original host on his end (192.168.1.20/32) and I could ping from the original single host on my side (192.168.16.7) but not from any other host (192.168.16.0/24) even though we had the network setup for multi-host.
How can I tell if my traffic is reaching his Cisco, or tell where it is being dropped on my side or whether it is making it through to his side? I need to prove that my side is reaching his side before this conversation falls down into an "it's your stuff, not mine" conversation, or find out what's wrong on my side so I can fix it.
The confusing part is that both devices say the VPN is up in all cases. Any ideas?
If you are using a route-based VPN, you can do a "show security flow session source-address/prefix 192.168.16.7 destination-address/prefix 192.168.1.21" and see if the return traffic shows the interface as "st0"; if yes, it's confirmed that the packet is leaving the SRX via the VPN.
If you are using a policy-based VPN, we need to run "flow traceoptions" and confirm whether the packet is leaving the SRX or being dropped by the SRX.
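As an added example (not part of the answer above and not the poster's configuration), here is a small Python script that reads the text of "show security flow session" for a route-based VPN and classifies each session by its Out wing: on an SRX the tunnel interface is st0.<unit>, so an Out wing on st0.x with a non-zero packet count means traffic went into the tunnel and came back, an Out wing on st0.x with zero packets means the SRX sent it and nothing returned, and an Out wing on a physical untrust interface means the packet never entered the VPN at all (a routing or policy problem on the SRX side). The two session dumps are constructed samples in the usual SRX layout; the session IDs, policy names and interface names are assumptions.

```python
import re

# Constructed sample: the working single host. The Out wing leaves via st0.0 and
# has counted reply packets, so the tunnel carried traffic both ways.
SESSION_OK = """\
Session ID: 20012, Policy name: trust-to-vpn/5, Timeout: 58, Valid
  In: 192.168.16.7/1 --> 192.168.1.21/1;icmp, If: ge-0/0/1.0, Pkts: 4, Bytes: 336
  Out: 192.168.1.21/1 --> 192.168.16.7/1;icmp, If: st0.0, Pkts: 4, Bytes: 336
Total sessions: 1
"""

# Constructed sample: a second host in 192.168.16.0/24. The session exists, but the
# Out wing points at the untrust interface ge-0/0/0.0, i.e. the packets are being
# routed out in the clear instead of into the tunnel.
SESSION_BAD = """\
Session ID: 20017, Policy name: trust-to-untrust/3, Timeout: 2, Valid
  In: 192.168.16.50/1 --> 192.168.1.21/1;icmp, If: ge-0/0/1.0, Pkts: 4, Bytes: 336
  Out: 192.168.1.21/1 --> 192.168.16.50/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 1
"""

SESSION_RE = re.compile(r"^Session ID:\s+(\d+),\s+Policy name:\s+(\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)\s+-->\s+(\S+);(\w+),.*?If:\s+([^,]+),\s+Pkts:\s+(\d+)"
)


def parse_flow_sessions(text):
    """Turn the CLI text into a list of dicts, one per session, with the
    interface and packet count of each wing (in_if/in_pkts, out_if/out_pkts)."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2)}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            wing = m.group(1).lower()
            cur[wing + "_src"] = m.group(2)
            cur[wing + "_dst"] = m.group(3)
            cur[wing + "_if"] = m.group(5)
            cur[wing + "_pkts"] = int(m.group(6))
    return sessions


def classify(session, tunnel_prefix="st0"):
    """Decide what the Out wing tells us about the VPN for this session."""
    out_if = session.get("out_if", "")
    if not out_if.startswith(tunnel_prefix):
        return "not-entering-vpn"          # routed out a non-tunnel interface: fix on SRX
    if session.get("out_pkts", 0) == 0:
        return "sent-into-vpn-no-reply"    # SRX sent it into st0, nothing came back
    return "vpn-bidirectional"             # tunnel carried traffic both ways


def report(text):
    """Return {session id: verdict} for every session in the dump."""
    return {s["id"]: classify(s) for s in parse_flow_sessions(text)}


if __name__ == "__main__":
    for dump in (SESSION_OK, SESSION_BAD):
        for s in parse_flow_sessions(dump):
            print("session %d policy %s: out via %s (%d reply pkts) -> %s"
                  % (s["id"], s["policy"], s["out_if"], s["out_pkts"], classify(s)))
```

Run it against the real output pasted into the two strings (or read from a file); a "not-entering-vpn" verdict for hosts other than 192.168.16.7 while 192.168.16.7 shows "vpn-bidirectional" points at the SRX's route or policy for the /24, not at the Cisco.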
Would be a little difficult to tell what the problem could be without looking at both configurations. However, it sounds like a problem with the security configuration. See if the firewall policy is set only for one single host. Maybe his filter allows only a single host, and maybe your firewall policy is for a single host. Also, you can turn on debugging and see where the problem is. Can he ping any host from his side to you when you change the config?
[KUDOS PLEASE! If you think I earned it! If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
You can try using the specific index for the IPsec SA, which will be found using the "show security ipsec sa" command; once you have the index, use "show security ipsec statistics index #", which will show encrypted and decrypted packets. When pings are successful you should see both counters increment; if the SRX fails you will not see encrypted, and if the ASA fails you will not see decrypted.
I have also heard that you can take a Wireshark capture on the external interface and, even though all packets are encrypted, you can see the SPI and match it to your specific tunnel's SPI so you can see what the traffic flow looks like (have never tried this one). If you only have one tunnel on the specific external interface then it should be pretty easy to identify the traffic.
Besides those options, I would set the IKE debug level to 15 and take IKE and IPsec traceoptions for anything out of the ordinary.
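As an added example (not part of the answer above), a Python script that does both checks the answer describes without needing Wireshark: it diffs two snapshots of "show security ipsec statistics index #" taken before and after a burst of pings and turns the encrypted/decrypted deltas into a verdict, and it counts ESP packets per (source, destination, SPI) in raw IPv4 packets from a capture of the external interface. The statistics text is a constructed sample in the SRX layout, the two public IPs and SPI values are made up, and the packets in the "capture" are built by the script itself; "ESP authentication failures" and "ESP decryption failures" are read from the Errors block because an increment there means ESP did arrive from the far side but the SRX could not accept it (for example mismatched keys or proposals), which is a different failure from nothing arriving at all.

```python
import re
import socket
import struct
from collections import Counter

# --- 1. Diff the SA counters before and after sending traffic ---------------------

# Constructed sample (hypothetical, not from the poster's SRX): snapshot taken just
# before 10 pings.
STATS_BEFORE = """\
ESP Statistics:
  Encrypted bytes:             1240
  Decrypted bytes:             1240
  Encrypted packets:             10
  Decrypted packets:             10
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# Snapshot after the pings: encrypted went up by 10, decrypted did not. The SRX
# encrypted and sent the pings; nothing came back through this SA.
STATS_AFTER = """\
ESP Statistics:
  Encrypted bytes:             2480
  Decrypted bytes:             1240
  Encrypted packets:             20
  Decrypted packets:             10
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

COUNTERS = ("Encrypted packets", "Decrypted packets",
            "ESP authentication failures", "ESP decryption failures", "Replay errors")


def parse_ipsec_stats(text):
    """Extract the counters we care about; a counter missing from the text counts as 0."""
    stats = {}
    for name in COUNTERS:
        m = re.search(r"%s:\s+(\d+)" % re.escape(name), text)
        stats[name] = int(m.group(1)) if m else 0
    return stats


def diagnose_sa(before_text, after_text):
    """Return (verdict, per-counter deltas) for traffic sent between the two snapshots."""
    before, after = parse_ipsec_stats(before_text), parse_ipsec_stats(after_text)
    d = {k: after[k] - before[k] for k in COUNTERS}
    errors = (d["ESP authentication failures"] + d["ESP decryption failures"]
              + d["Replay errors"])
    if errors > 0:
        verdict = "receiving-but-failing"    # ESP arrived, SRX rejected it: check keys/proposals
    elif d["Encrypted packets"] == 0:
        verdict = "local-not-encrypting"     # traffic never entered the tunnel: SRX policy/route
    elif d["Decrypted packets"] == 0:
        verdict = "no-return-traffic"        # SRX sent it; the far side returned nothing
    else:
        verdict = "both-directions"
    return verdict, d


# --- 2. Count ESP packets per SPI in a capture of the external interface ----------

ESP_PROTO = 50


def esp_spi_counts(ipv4_packets):
    """Given raw IPv4 packets (link-layer header stripped), count ESP packets per
    (src, dst, spi). Non-IPv4 and non-ESP packets are ignored."""
    counts = Counter()
    for pkt in ipv4_packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != ESP_PROTO or len(pkt) < ihl + 8:
            continue
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]   # ESP header starts with the SPI
        counts[(src, dst, "0x%08x" % spi)] += 1
    return counts


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (checksum left 0; fine for parsing tests) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_esp(src, dst, spi, seq, payload_len=64):
    return build_ipv4(src, dst, ESP_PROTO, struct.pack("!II", spi, seq) + b"\x00" * payload_len)


# Constructed "capture": 3 ESP packets from our public IP to the peer (our outbound SA),
# 1 ESP packet back (the peer's SA), and one plain ICMP packet that must be ignored.
SAMPLE_CAPTURE = [build_esp("203.0.113.10", "198.51.100.20", 0xC0A8A001, i) for i in (1, 2, 3)]
SAMPLE_CAPTURE.append(build_esp("198.51.100.20", "203.0.113.10", 0x1A2B3C4D, 1))
SAMPLE_CAPTURE.append(build_ipv4("203.0.113.10", "198.51.100.20", 1, b"\x08\x00\x00\x00\x00\x01\x00\x01"))

if __name__ == "__main__":
    print(diagnose_sa(STATS_BEFORE, STATS_AFTER))
    for key, n in sorted(esp_spi_counts(SAMPLE_CAPTURE).items()):
        print("%s -> %s spi %s: %d packets" % (key + (n,)))
```

Compare the SPI values the capture reports with the ones listed by "show security ipsec sa": outbound ESP carrying your outbound SPI proves the SRX is putting the traffic on the wire, and the absence of any packet carrying the inbound SPI puts the missing reply on the far side of the link.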