SRX Services Gateway

SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 11:07 AM

Hi,

We have 2 SRX220s hooked up via the site-to-site VPN solution. The tunnel is up; that part works fine. When I'm on the SRX via SSH, I can reach hosts on the other side of the tunnel: ping, SSH, etc., everything works. The st0.0 interface is in the Internet zone, just as the ge-0/0/0 interface is.

However, when I hook a Windows machine on the ge-0/0/5 port, which is added in the Internal zone, that machine can't reach anything on the other side.

It looks like a routing or policy thing, but I have no clue.... Attached is the config of one of the SRXs. The other one is similar, but has the opposite IP ranges (192.168.0.0/17 vs 192.168.128.0/17).

Your help would be immensely appreciated! I'm out of ideas actually....

Thanks


Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 11:34 AM
Hi,

Is it the same issue happening to hosts connected to port ge-0/0/4?

And could you try to change the routing instance to:

routing-options {
    static {
        route 192.168.0.0/16 next-hop st0.0;
    }
}

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com
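The symptom in this thread (the SRX itself reaches the far side, LAN hosts do not) is what a missing zone policy looks like: traffic the SRX originates from its own CLI is not subject to security policies, while a packet entering on ge-0/0/5.0 (zone Internal) and leaving via st0.0 (zone Internet, per the original post) needs a from-zone Internal to-zone Internet policy, and Junos denies any zone pair without one. The Python below is an added example, not code from any poster; it parses a small set-format config and reproduces that first-packet lookup (route lookup picks the egress interface, the two interfaces' zones select the policy context, a policy must permit). The config is constructed to match the thread's zone layout and the /16 route from the reply above; the prefix lengths, the 192.168.242.1 LAN address, the policy name to-vpn and the remote host 192.168.10.10 are assumptions.

```python
import ipaddress

# Constructed set-format config for SRX-B, patterned on the thread: ge-0/0/5.0
# in zone Internal, st0.0 and ge-0/0/0.0 both in zone Internet, the /16 static
# route suggested in the first reply. Prefix lengths, the 192.168.242.1 LAN
# address and the remote host used below are assumptions, not from the thread.
BASE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 172.18.16.69/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.242.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone Internet interfaces ge-0/0/0.0
set security zones security-zone Internet interfaces st0.0
set security zones security-zone Internal interfaces ge-0/0/5.0
set routing-options static route 192.168.0.0/16 next-hop st0.0
"""

# The zone-pair policy the thread's symptoms point at being missing (name assumed).
VPN_POLICY = """
set security policies from-zone Internal to-zone Internet policy to-vpn match source-address any
set security policies from-zone Internal to-zone Internet policy to-vpn match destination-address any
set security policies from-zone Internal to-zone Internet policy to-vpn match application any
set security policies from-zone Internal to-zone Internet policy to-vpn then permit
"""


def parse_config(text):
    """Reduce set-format statements to what the flow lookup needs."""
    cfg = {"addr_of": {}, "zone_of": {}, "routes": [], "permits": set()}
    for line in text.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["set", "interfaces"]:
            # set interfaces <ifd> unit <n> family inet [address <prefix>]
            ifl = "%s.%s" % (w[2], w[4])
            cfg["addr_of"].setdefault(ifl, None)
            if "address" in w:
                cfg["addr_of"][ifl] = ipaddress.ip_interface(w[w.index("address") + 1])
        elif w[:4] == ["set", "security", "zones", "security-zone"]:
            # set security zones security-zone <zone> interfaces <ifl>
            cfg["zone_of"][w[6]] = w[4]
        elif w[:4] == ["set", "routing-options", "static", "route"]:
            # set routing-options static route <prefix> next-hop <ifl>
            cfg["routes"].append((ipaddress.ip_network(w[4]), w[6]))
        elif w[:3] == ["set", "security", "policies"] and w[-2:] == ["then", "permit"]:
            # set security policies from-zone <A> to-zone <B> policy <P> then permit
            cfg["permits"].add((w[4], w[6]))
    return cfg


def egress_ifl(cfg, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    cands = [(a.network, ifl) for ifl, a in cfg["addr_of"].items() if a is not None]
    cands += cfg["routes"]
    hits = [(net.prefixlen, ifl) for net, ifl in cands if dst in net]
    return max(hits)[1] if hits else None


def flow_verdict(cfg, dst, in_ifl=None):
    """Model the SRX first-packet lookup: from-zone comes from the ingress
    interface, to-zone from the egress interface chosen by the route lookup,
    and a policy must permit that zone pair. in_ifl=None stands for traffic the
    SRX originates itself (ping/ssh from its CLI), which skips the policy check."""
    out_ifl = egress_ifl(cfg, dst)
    if out_ifl is None:
        return ("no route", None, None)
    to_zone = cfg["zone_of"].get(out_ifl)
    if in_ifl is None:
        return ("permit: self-originated, policy bypassed", "junos-host", to_zone)
    from_zone = cfg["zone_of"].get(in_ifl)
    if (from_zone, to_zone) in cfg["permits"]:
        return ("permit", from_zone, to_zone)
    return ("deny: no policy from-zone %s to-zone %s" % (from_zone, to_zone), from_zone, to_zone)


if __name__ == "__main__":
    remote_host = "192.168.10.10"  # assumed host in 192.168.0.0/17 behind SRX-A
    before = parse_config(BASE_CONFIG)
    after = parse_config(BASE_CONFIG + VPN_POLICY)
    print("SRX CLI    ->", remote_host, flow_verdict(before, remote_host))
    print("ge-0/0/5.0 ->", remote_host, flow_verdict(before, remote_host, "ge-0/0/5.0"))
    print("ge-0/0/5.0 ->", remote_host, flow_verdict(after, remote_host, "ge-0/0/5.0"))
    # the /16 does not swallow the local LAN: the connected /24 is more specific
    print("egress for 192.168.242.25:", egress_ifl(after, "192.168.242.25"))
```

Against the base config the LAN host is denied while the SRX's own traffic is permitted; adding the policy flips the LAN host to permit. The last line shows the connected /24 still winning over the /16, so the route in the reply does not hijack local traffic. The model ignores NAT and address books, which the real lookup also evaluates.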

Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 12:10 PM

Yes, the same thing happens to that interface too.

We initially had ge-0/0/4, 5 and 6 hooked up in vlan.1 (on both sides) and figured that maybe the tagging went wrong. Unfortunately that didn't work.

We had the static route set to 192.168.0.0/16 before, but that didn't help 😞

We also had NAT disabled for source and destination matching the ranges in the tunnel.


Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 12:21 PM

1. Confirm configuration:
admin@srx> show configuration security ike
admin@srx> show configuration security ipsec

 

2. Confirm Phase 1:
admin@srx> show security ike security-associations
--------------------------------------------------------------------------
Index Remote Address State Initiator cookie Responder cookie Mode
6950 [LOCAL PEER IP] UP 33204fba87663d94 70acacd5f938f89b Main

 

3. Confirm Phase 2:
admin@srx> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
Total active tunnels: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 [LOCAL PEER IP] 500 ESP:aes-128/sha1 4fb2c1cc 2041/ unlim - root
>131073 [LOCAL PEER IP] 500 ESP:aes-128/sha1 3e576ead 2041/ unlim - root

 

4.
admin@srx> show security ipsec statistics index "131073" << for example

 

5. Perform Debug:

admin@srx> configure
admin@srx# edit security flow traceoptions

[edit security flow traceoptions]
admin@srx# set file vpn-debug
admin@srx# set flag basic-datapath
admin@srx# set flag packet-drops
admin@srx# set level 15

admin@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter1 protocol esp
admin@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter2 protocol esp

admin@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter3 destination-port ssh
admin@srx# set packet-filter filter3 protocol tcp
admin@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter4 source-port ssh
admin@srx# set packet-filter filter4 protocol tcp
admin@srx# commit

(filter4 is the return direction of filter3, so the server's SSH port is the source port there; the traceoptions only take effect after commit.)

admin@srx# run show log vpn-debug

 

6. Perform debug crypto:

admin@srx> configure
admin@srx# edit security ike traceoptions

[edit security ike traceoptions]
admin@srx# set file vpn-debug-ike
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top

[edit]
admin@srx# edit security ipsec traceoptions

[edit security ipsec traceoptions]
admin@srx# set file vpn-debug-ipsec
admin@srx# set flag all
admin@srx# set level 15
admin@srx# commit

admin@srx# run show log vpn-debug-ike
admin@srx# run show log vpn-debug-ipsec

 

7. Additional:

root@srx100> start shell
root@srx100% tail -f /var/log/[logfile] | grep -Ev '^$'

 

Please upload the output of all those troubleshooting commands to the forum.

 

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 12:31 PM

I will have to run those on Monday; I'm not in the office any more.

Steps 1 to 4 I've already done based on other questions on the forum. The results are similar. The debug I've not run yet; will do that.

Again, the weird part is that when I SSH into srx-a I can reach machines on the tunneled zone from srx-b and vice versa.

It's just that when I'm on the internal zone on either srx-a or srx-b, I can't get the traffic to flow through the tunnel.


Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-02-2015 12:36 PM
Yes, of course.
That's why I need to see the debug when you do a ping or whatever connection to the other site from any PC or laptop connected to Internal.
I don't need to see debug output when you try to reach the other site from SRX SSH.
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-04-2015 11:55 PM

See the below. Can it be that a DHCP server setting is off, resulting in the hosts on ge-0/0/4 not routing traffic properly through the tunnel?

-----------------------------------------------------

SRX-B
----------------------------------------------------------------------------
### show configuration security ike

policy ike_pol_TheUnderpass {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "XXXXXX"; ## SECRET-DATA
}
gateway gw_TheUnderpass {
    ike-policy ike_pol_TheUnderpass;
    address 172.18.16.73;
    external-interface ge-0/0/0.0;
}

### show configuration security ipsec

policy ipsec_pol_TheUnderpass {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
vpn TheUnderpass {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway gw_TheUnderpass;
        ipsec-policy ipsec_pol_TheUnderpass;
    }
    establish-tunnels immediately;
}

### show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address
6869337 UP dd0c48bcafccc09f d0517f745dbedf4e Aggressive 172.18.16.73

### show security ipsec security-associations

Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 5d7b22a 2969/ unlim U root 500 172.18.16.73
>131073 ESP:3des/sha1 be5d5e61 2969/ unlim U root 500 172.18.16.73

### show security ipsec statistics index "131073"

ESP Statistics:
Encrypted bytes: 6329696
Decrypted bytes: 3900704
Encrypted packets: 46545
Decrypted packets: 46405
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

VPN-IKE

[Oct 5 07:49:16]VPNM ping receiver sock=31, s=31
[Oct 5 07:49:16]64 bytes from 172.18.16.73 to 172.18.16.69: icmp_seq=23384 ttl=64 for tunnel id 131073
[Oct 5 07:49:16]VPNM received a valid ping pkt, dup=0, tunnel_id=131073
[Oct 5 07:49:26] iked_vpnm_timer_callback: VPN Monitor timer kicked in
[Oct 5 07:49:26]Get rtbl_idx=0 for ifl idx 71
[Oct 5 07:49:26]PING (172.18.16.73 via 172.18.16.73): 56 data bytes Tunnel-id:131073 outgoing intf 71, rtbl idx 0
[Oct 5 07:49:26]VPNM send ping pkt (84/84) bytes for tunnel 131073, seq 23385
[Oct 5 07:49:26]VPNM ping receiver sock=31, s=31
[Oct 5 07:49:26]64 bytes from 172.18.16.73 to 172.18.16.69: icmp_seq=23385 ttl=64 for tunnel id 131073
[Oct 5 07:49:26]VPNM received a valid ping pkt, dup=0, tunnel_id=131073
[Oct 5 07:49:36] iked_vpnm_timer_callback: VPN Monitor timer kicked in
[Oct 5 07:49:36]Get rtbl_idx=0 for ifl idx 71
[Oct 5 07:49:36]PING (172.18.16.73 via 172.18.16.73): 56 data bytes Tunnel-id:131073 outgoing intf 71, rtbl idx 0
[Oct 5 07:49:36]VPNM send ping pkt (84/84) bytes for tunnel 131073, seq 23386
[Oct 5 07:49:36]VPNM ping receiver sock=31, s=31
[Oct 5 07:49:36]64 bytes from 172.18.16.73 to 172.18.16.69: icmp_seq=23386 ttl=64 for tunnel id 131073
[Oct 5 07:49:36]VPNM received a valid ping pkt, dup=0, tunnel_id=131073


VPN-DEBUG
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:<192.168.242.1/22->192.168.242.25/49992;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:packet [184] ipid = 31054, @0x45e842ce
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x45e84080, rtbl_idx = 0
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:flow process pak, mbuf 0x45e84080, ifl 0, ctxt_type 0 inq type 5
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: in_ifp <junos-host:.local..0>
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6d183e70
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:host inq check inq_type 0x5
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:Using vr id from pfe_tag with value= 0
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:Over-riding lpak->vsys with 0
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: .local..0:192.168.242.1/22->192.168.242.25/49992, tcp, flag 18
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: find flow: table 0x51c84018, hash 1710(0xffff), sa 192.168.242.1, da 192.168.242.25, sp 22, dp 49992, proto 6, tok 2
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:Found: session id 0xb342. sess tok 2
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: flow got session.
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: flow session id 45890
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: vector bits 0x2 vector 0x4aaedb10
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:mbuf 0x45e84080, exit nh 0xb0010
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51d08a98 associated with mbuf 0x45e84080
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:<192.168.242.1/22->192.168.242.25/49992;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:packet [152] ipid = 31055, @0x45e842ce
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 0, common flag 0x0, mbuf 0x45e84080, rtbl_idx = 0
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:flow process pak, mbuf 0x45e84080, ifl 0, ctxt_type 0 inq type 5
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: in_ifp <junos-host:.local..0>
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 0x6d183e70
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:host inq check inq_type 0x5
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:Using vr id from pfe_tag with value= 0
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:Over-riding lpak->vsys with 0
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: .local..0:192.168.242.1/22->192.168.242.25/49992, tcp, flag 18
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: find flow: table 0x51c84018, hash 1710(0xffff), sa 192.168.242.1, da 192.168.242.25, sp 22, dp 49992, proto 6, tok 2
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:Found: session id 0xb342. sess tok 2
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: flow got session.
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: flow session id 45890
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: vector bits 0x2 vector 0x4aaedb10
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:mbuf 0x45e84080, exit nh 0xb0010
Oct 5 07:48:54 07:48:54.133190:CID-0:RT:flow_process_pkt_exception: Freeing lpak 0x51d08a98 associated with mbuf 0x45e84080
Oct 5 07:48:54 07:48:54.133190:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:<192.168.242.25/49992->192.168.242.1/22;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:packet [40] ipid = 7429, @0x43d8f324
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 15, common flag 0x0, mbuf 0x43d8f100, rtbl_idx = 0
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/4.0
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: ge-0/0/4.0:192.168.242.25/49992->192.168.242.1/22, tcp, flag 10
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: find flow: table 0x51c84018, hash 62239(0xffff), sa 192.168.242.25, da 192.168.242.1, sp 49992, dp 22, proto 6, tok 6
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:Found: session id 0xb342. sess tok 6
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: flow got session.
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: flow session id 45890
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: vector bits 0x2 vector 0x4aaedb10
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:insert usp tag for apps
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:mbuf 0x43d8f100, exit nh 0xfffb0006
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Oct 5 07:48:54 07:48:54.140362:CID-0:RT:<192.168.242.1/22->192.168.242.25/49992;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.140362:CID-0:RT:packet [1500] ipid = 31056, @0x45e842ce

----------------------------------
SRX-A
----------------------------------

### show configuration security ike

policy ike_pol_TheUnderpass {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "xxxx"; ## SECRET-DATA
}
gateway gw_TheUnderpass {
    ike-policy ike_pol_TheUnderpass;
    address 172.18.16.69;
    external-interface ge-0/0/0.0;
}

### show configuration security ipsec

policy ipsec_pol_TheUnderpass {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
vpn TheUnderpass {
    bind-interface st0.0;
    vpn-monitor;
    ike {
        gateway gw_TheUnderpass;
        ipsec-policy ipsec_pol_TheUnderpass;
    }
    establish-tunnels immediately;
}


### show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
709554 UP dd0c48bcafccc09f d0517f745dbedf4e Aggressive 172.18.16.69

### show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 be5d5e61 936/ unlim U root 500 172.18.16.69
>131073 ESP:3des/sha1 5d7b22a 936/ unlim U root 500 172.18.16.69


### show security ipsec statistics index "131073"
ESP Statistics:
Encrypted bytes: 13633824
Decrypted bytes: 8426538
Encrypted packets: 100269
Decrypted packets: 100343
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
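Reading a flow trace by hand is slow once the filter matches a busy session. The script below, an added example rather than anything a poster ran, groups the trace into one record per packet (the 5-tuple from the `matched filter` line, the ingress interface, the session hit, any `packet dropped` reason) and flags records where the SRX itself is an endpoint. That flag matters for the posted output: every record there is either emitted by the SRX (`in_ifp <junos-host:.local..0>`) or addressed to 192.168.242.1, which that junos-host source identifies as SRX-B's own LAN address, so the filter caught an SSH session to the firewall, not a LAN host's attempt to cross st0.0. Self-terminated flows never hit a security policy, so they cannot show why transit traffic fails. The sample lines are constructed from the posted records with repeats removed; the final record to 192.168.10.10 is invented to exercise the drop branch and does not appear in the thread.

```python
import re

# Constructed sample, patterned on the SRX-B flow trace posted in this thread
# (same addresses and record layout, repeated lines removed). The last record,
# to 192.168.10.10, is invented so the drop branch is exercised; the thread's
# own trace shows no drops.
SAMPLE = """\
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:<192.168.242.1/22->192.168.242.25/49992;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:packet [184] ipid = 31054, @0x45e842ce
Oct 5 07:48:54 07:48:54.130831:CID-0:RT: in_ifp <junos-host:.local..0>
Oct 5 07:48:54 07:48:54.130831:CID-0:RT:Found: session id 0xb342. sess tok 2
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:<192.168.242.25/49992->192.168.242.1/22;6> matched filter filter3:
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:packet [40] ipid = 7429, @0x43d8f324
Oct 5 07:48:54 07:48:54.136902:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/4.0
Oct 5 07:48:54 07:48:54.136902:CID-0:RT:Found: session id 0xb342. sess tok 6
Oct 5 07:49:10 07:49:10.000001:CID-0:RT:<192.168.242.25/51000->192.168.10.10/22;6> matched filter filter3:
Oct 5 07:49:10 07:49:10.000001:CID-0:RT:packet [60] ipid = 7500, @0x43d8f324
Oct 5 07:49:10 07:49:10.000001:CID-0:RT: flow process pak fast ifl 73 in_ifp ge-0/0/4.0
Oct 5 07:49:10 07:49:10.000001:CID-0:RT:  packet dropped, denied by policy
"""

# "<src/sport->dst/dport;proto> matched filter <name>" opens each packet record.
PKT_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filt>\w+)")
# Ingress interface, either "in_ifp <junos-host:.local..0>" or "in_ifp ge-0/0/4.0".
INIF_RE = re.compile(r"in_ifp (?:<junos-host:)?(?P<ifl>[\w./-]+)")


def parse_flow_trace(text):
    """Group trace lines into per-packet records."""
    records = []
    cur = None
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            cur = dict(m.groupdict(), in_ifl=None, session=None, dropped=None)
            records.append(cur)
            continue
        if cur is None:
            continue
        m = INIF_RE.search(line)
        if m:
            cur["in_ifl"] = m.group("ifl")
        elif "session id" in line and cur["session"] is None:
            # "Found: session id 0xb342. sess tok 2" -> "0xb342"
            cur["session"] = line.split("session id", 1)[1].split(".")[0].strip()
        elif "packet dropped" in line:
            cur["dropped"] = line.split("packet dropped", 1)[1].strip(" ,")
    return records


def classify(records, self_addrs):
    """Tag each record 'self' when the SRX itself is an endpoint (emitted via
    .local..0 or addressed to one of its own addresses); such flows skip
    security policy and say nothing about transit through st0.0."""
    for r in records:
        host_bound = (r["in_ifl"] == ".local..0"
                      or r["dst"] in self_addrs or r["src"] in self_addrs)
        r["kind"] = "self" if host_bound else "transit"
    return records


def transit_records(records):
    """Only the records that actually test a zone-to-zone path."""
    return [r for r in records if r["kind"] == "transit"]


if __name__ == "__main__":
    # 192.168.242.1 is inferred to be SRX-B's LAN address from the posted trace.
    recs = classify(parse_flow_trace(SAMPLE), self_addrs={"192.168.242.1"})
    for r in recs:
        print("%(src)s:%(sport)s -> %(dst)s:%(dport)s proto %(proto)s in_ifl=%(in_ifl)s "
              "kind=%(kind)s session=%(session)s dropped=%(dropped)s" % r)
    print("transit records:", len(transit_records(recs)))
```

On the posted lines alone `transit_records` is empty, which is the quick way to tell that a capture is not showing the traffic you meant to debug; re-run the test from the LAN host with filter3/filter4 set to that host's address and the far-side target, and look for records whose ingress is ge-0/0/4.0 or ge-0/0/5.0 and whose destination is across the tunnel.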


Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-05-2015 06:47 AM

I'm getting more and more convinced it's not a tunnel issue but a policy/routing sort of thing.

Does anybody have an idea how to validate this and how to fix this?

Re: SRX220 Site to Site VPN - Tunnel up, no traffic from Internal zone over the tunnel

‎10-05-2015 07:36 AM

Hey,

[Oct 5 07:49:16]VPNM received a valid ping pkt, dup=0, tunnel_id=131073
[Oct 5 07:49:26] iked_vpnm_timer_callback: VPN Monitor timer kicked in

VPN monitoring by default uses the external IP addresses of each VPN peer as source and destination for the ICMP packets.

Try to disable the VPN monitor.

Another question: do both sites run the same IP range?

If so, then you need to implement NAT.

Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com