I'm seeing some odd behaviour with an SRX 1400 (12.3X48-D55.4) and the "show security ipsec inactive-tunnels" command. The firewall reports dozens of VPN tunnels as inactive, "Dynamic tunnel configuration is ready. Waiting for peer(s) to initiate negotation (1 times)" as the reason. However, I know for sure that many of these tunnels are actually up and working just fine. Clearing the tunnel and letting the firewalls renegotiate it doesn't affect anything.
Seems like the problem is only related to aggressive mode / responder role tunnels; main mode tunnels are showing up correctly, only if they do have an actual problem. Any idea what could cause that? Google is not really being helpful here.
The message "Tunnel is ready. Waiting for trigger event or peer to trigger negotiation" is information that the device is ready to negotiate IKE but there has been no event triggering it. Either this SRX is not configured to initiate the VPN or it is not receiving IKE packets from the other end.
From what I see from the logs the VPN seems to be working fine. Hence, I suppose the VPN is set with an APIPA IP address? Is this seen on both ends of the tunnel or on the end which has the static IP?
Shailesh [KUDOS PLEASE! If you think I earned it! If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
They are aggressive mode VPNs with dynamic public IP at the other end. IKE configuration looks like this:
username@fwname_node0> show configuration security ike gateway 153001-TunnelNameCensored
ike-policy 153001-TunnelNameCensored;
dynamic hostname something.something.local;
external-interface reth0.0;

username@fwname_node0> show configuration security ike policy 153001-TunnelNameCensored
mode aggressive;
proposals pre-g2-aes128-sha;
pre-shared-key ascii-text "$something"; ## SECRET-DATA
The message itself is pretty self-explanatory, but the reason for it is not. The tunnel is up and the configuration is very simple. Maybe the lack of DPD and monitoring? Although we do have a lot of tunnels with both disabled that are not showing up on the same list.
To clarify, it's not about one tunnel but some 20 out of 120 tunnels on the same firewall. The other end of this example tunnel feels just fine and shows zero inactive tunnels and one active. It also doesn't seem to be every aggressive mode tunnel, just some.