SRX Services Gateway

SRX345 VPN issues with Cisco SA520W

10-16-2018 07:14 AM

Good day,

We have recently replaced a FortiGate firewall with a new Juniper SRX345. Networking-wise everything is working fine, however we are getting issues with the VPN connection to a Cisco SA520W. The VPN was working fine on the FortiGate, and no changes were made at the Cisco end. The configuration is attached.

We see the tunnels coming up, however we cannot reach the remote subnet. We also notice there are multiple IKE tunnels, where there should only be one. The tunnels sometimes keep adding up. Output attached.

We have also attached the logs. Any help/input would be appreciated. Thanks.

Re: SRX345 VPN issues with Cisco SA520W

10-16-2018 10:09 AM

Hi ea-aua,

Can you hardcode the source and destination IP addresses that will be used by VPN monitoring:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10119

Make sure they are within the subnets that are allowed to transmit traffic over the VPN: 192.168.1.0/24 and 192.168.7.0/24. You can use something like this:

set security ipsec vpn ike-vpn-BON vpn-monitor destination-ip 192.168.7.254 source-interface irb.2 optimized

I am assuming that 192.168.7.254 is an IP address on an interface of the ASA. If the problem is still happening, try to disable VPN monitoring on the SRX for testing purposes.

I would also highly suggest configuring your VPN using traffic-selectors on the SRX side and matching them with the ASA ACLs:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-traffic-selectors-in-rou...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX345 VPN issues with Cisco SA520W

10-16-2018 12:56 PM

Hi epaniagua,

I have added the following config:

set security ipsec vpn ike-vpn-BON vpn-monitor optimized
set security ipsec vpn ike-vpn-BON vpn-monitor source-interface irb.2
set security ipsec vpn ike-vpn-BON vpn-monitor destination-ip 192.168.7.254

But traffic is still not passing. Although after following the KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=METADATA, everything seems to check out, even flow sessions:

setarnoc@WEMA_DLI99046_Router> show security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.7.0/24
Session ID: 65074, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50398 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 486,
Out: 192.168.7.10/389 --> 192.168.1.66/50398;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 68168, Policy name: BON_VPN_OUT/15, Timeout: 38, Valid
In: 192.168.1.66/64423 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/64423;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 75386, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50397 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/50397;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76158, Policy name: BON_VPN_OUT/15, Timeout: 2, Valid
In: 192.168.1.13/56520 --> 192.168.7.171/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.171/5060 --> 192.168.1.13/56520;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76465, Policy name: BON_VPN_OUT/15, Timeout: 8, Valid
In: 192.168.1.13/56522 --> 192.168.7.172/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.172/5060 --> 192.168.1.13/56522;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76676, Policy name: BON_VPN_OUT/15, Timeout: 14, Valid
In: 192.168.1.13/56525 --> 192.168.7.173/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.173/5060 --> 192.168.1.13/56525;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

One thing I noticed is that I don't see any Out Pkts/Bytes in the flow sessions. Normal?

Afterwards I tried using traffic-selectors, however it would not commit while VPN Monitoring is enabled, so I deleted monitoring and used traffic-selectors instead. I also removed the static route from the routing-options.

However I still get the same results. I do see the route added to the routing-table:

setarnoc@WEMA_DLI99046_Router> show route 192.168.7.254

inet.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.7.0/24 *[Static/5] 00:01:30
> via st0.0

I'm beginning to think the issue might be with the ASA at the other end?

Re: SRX345 VPN issues with Cisco SA520W

10-16-2018 02:46 PM

Hi,

It's good that we are seeing the sessions created, however the SRX is reporting that no reply traffic is being received:

In: 192.168.1.13/56525 --> 192.168.7.173/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.173/5060 --> 192.168.1.13/56525;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

I will definitely check the ASA at this point.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
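As an added example that is not part of the thread or of any Juniper tooling, the check epaniagua applies by eye above (sessions exist, but the Out wing on st0.0 shows Pkts: 0) written as a small Python script: it parses `show security flow session` text in the format pasted in the thread and flags every session that sent traffic into the tunnel and got nothing back. The sample output is constructed; the third session is invented to show what a healthy two-way flow looks like for contrast.

```python
import re

# Constructed sample in the format of the `show security flow session` output pasted
# in the thread; the third session is invented to show a healthy two-way flow.
SAMPLE = """\
Session ID: 65074, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50398 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 486,
Out: 192.168.7.10/389 --> 192.168.1.66/50398;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 76158, Policy name: BON_VPN_OUT/15, Timeout: 2, Valid
In: 192.168.1.13/56520 --> 192.168.7.171/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.171/5060 --> 192.168.1.13/56520;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,

Session ID: 90001, Policy name: BON_VPN_OUT/15, Timeout: 1794, Valid
In: 192.168.1.20/40000 --> 192.168.7.5/22;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 12, Bytes: 1200,
Out: 192.168.7.5/22 --> 192.168.1.20/40000;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 10, Bytes: 980,
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+) --> (\S+);(\w+), Conn Tag: \S+, If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Return one dict per session with its 'in' and 'out' wings attached."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "timeout": int(m.group(3))}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            wing, src, dst, proto, ifname, pkts, nbytes = m.groups()
            cur[wing.lower()] = {"src": src, "dst": dst, "proto": proto, "if": ifname,
                                 "pkts": int(pkts), "bytes": int(nbytes)}
    return sessions

def one_way_sessions(sessions, tunnel_if="st0.0"):
    """Sessions that pushed packets into the tunnel but saw no reply on it."""
    # Out wing on st0.0 with Pkts: 0 means the SRX forwarded traffic into the tunnel
    # and nothing came back: the peer dropped it or lacks a return route/policy.
    return [s for s in sessions if "in" in s and "out" in s
            and s["out"]["if"] == tunnel_if and s["out"]["pkts"] == 0
            and s["in"]["pkts"] > 0]

if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        print(f"session {s['id']}: {s['in']['src']} -> {s['in']['dst']} sent "
              f"{s['in']['pkts']} pkts via {s['out']['if']}, 0 replies")
```

Run it against a saved copy of the real command output instead of SAMPLE to get the list of one-way sessions; if every session on st0.0 is flagged while the tunnel is up, the problem is on the return path (peer-side routing, crypto ACL or policy) rather than in the SRX flow policy.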