SRX Services Gateway

Site to Site VPN Error

12-20-2018 09:19 PM

Hi,

I had a site-to-site VPN connection between two sites until yesterday. Suddenly, today it stopped working. In the FW logs there seems to be no error. On the peer side, the only error is:

"srx240-02a kmd[33482]: IKE Phase-1 Failure: Invalid cookie recvd [spi=^E)?^NM-^@??0, src_ip=<none>, dst_ip=50.208.33.177]"

However, I could not find a solution related to that error message. While everything was working before, today even the IKE phase seems to be down?

I feel desperate; has anybody had this issue? Any ideas are appreciated.

Thanks


Re: Site to Site VPN Error

12-21-2018 12:35 AM

Hi,

What is the peer device? Do you see any SA (phase 1/2) on either device? Try clearing them if there are any.

What is the VPN config on both devices? The output of IKE traceoptions should also help.

Thanks,

Vikas


Re: Site to Site VPN Error

12-21-2018 03:16 AM

You can walk through these steps to check the phase 1 and phase 2 connections on the VPN. Post output from the steps where you have trouble interpreting what to do as the next phase.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Site to Site VPN Error

12-21-2018 12:48 PM

Hi,

Thanks for the replies.

I am stuck at the 4th step, because it says to analyze the IKE phase 1 messages, but the only message I can find is the one above, and I cannot find anything related to it.


Re: Site to Site VPN Error

12-21-2018 12:52 PM

The remote (64.13.163.35) and the local device (50.208.33.177) are both SRX240. I tried to clear but it did not work. I am also adding the config and trace output.

One question: how can I be sure that my static IP (50.208.33.177, which is assigned to the external interface) is still functional?

Thanks


Re: Site to Site VPN Error

12-21-2018 04:48 PM

Were you able to create the special log file to capture the IKE messages specifically, as outlined here?

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10097

This saves the related log messages to the kmd-logs file for review.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Site to Site VPN Error

12-21-2018 06:28 PM
Hi,

In the hq config, please try configuring remote-identity.

gateway hq
ike-policy hq;
address
local-identity hostname srx240-02.prod.comp.com;

Thanks,
Vikas

Re: Site to Site VPN Error

12-21-2018 09:02 PM

Can you share the below outputs from the SRX?

From Local:
show interfaces terse ge-0/0/0.0
show route 64.13.163.35

From remote:
show interfaces terse reth0.1298
show route 50.208.33.177

Questions:
1. Any particular reason for specifying the local/remote identities separately with Main mode? If not, can you remove that from both sides?
2. There is no st0 configured on the remote side, can you add that ?

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Site to Site VPN Error

12-22-2018 11:14 AM

@ , yes, the only error I could capture is from kmd-logs.

@

>>show interfaces terse ge-0/0/0.0
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0.0              up    up   inet     50.208.33.177/29

>>show route 64.13.163.35

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 18:25:44
                    > to 50.208.33.182 via ge-0/0/0.0

REMOTE :

>> show interfaces terse reth0.1298
Interface               Admin Link Proto    Local                 Remote
reth0.1298              up    up   inet     64.13.163.35/26
                                            64.13.163.36/26
                                            64.13.163.37/26
                                            64.13.163.38/26
                                            64.13.163.39/26
                                            64.13.163.40/26
                                            64.13.163.41/26
                                            64.13.163.42/26
                                            64.13.163.43/26
                                            64.13.163.44/26

>> show route 50.208.33.177

inet.0: 88 destinations, 129 routes (88 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1w4d 16:11:29
                    > to 64.13.163.1 via reth0.1298

Solution
Accepted by topic author vodexguy
12-26-2018 01:13 PM

Re: Site to Site VPN Error

12-22-2018 08:05 PM

The config looks good with reference to the routes/interfaces you have shared. I believe adding the st0 on the remote side and removing the local-id/remote-id config should fix the issue.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Site to Site VPN Error

12-26-2018 01:13 PM

@Suraj, thanks, that worked fine, but I didn't understand why? It was already working with the current config for a few months.

Thank you very much, I really appreciate it.

Re: Site to Site VPN Error

12-31-2018 08:35 PM

AFAIK, a route-based VPN cannot work without st0 binding. I believe someone would have made these changes recently.

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
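Suraj's accepted answer (bind an st0 interface on the remote side, drop the explicit local-identity/remote-identity under Main mode) and his closing note that a route-based VPN needs the st0 binding can be expressed as a Junos set-command fragment. The block below is an added example, not configuration posted in this thread or shipped by Juniper; it assumes the remote SRX uses reth0.1298 as its external interface (as shown in the outputs above), that the IKE gateway and IPsec VPN are both named hq (the name from Vikas's snippet), that st0.0 is placed in a security zone called vpn, that the trust zone holds the local LAN, and that 192.0.2.0/24 stands in for the peer's LAN (a constructed documentation-range placeholder). The leading "#" lines are explanatory comments and should be removed before pasting into "load set terminal" or the CLI.

```junos
# Added example (not from the thread): route-based VPN binding on the remote SRX.
# Assumed names: gateway/vpn "hq", zone "vpn", tunnel interface st0.0,
# peer LAN 192.0.2.0/24 (placeholder), local LAN in zone "trust".

# 1. Tunnel interface. A route-based VPN cannot pass traffic without one.
set interfaces st0 unit 0 family inet

# 2. Put st0.0 in a zone so policy can be written for tunnel traffic.
set security zones security-zone vpn interfaces st0.0

# 3. IKE gateway: Main mode with IP-address peers needs no explicit identities,
#    so remove them (one of the two changes the accepted answer asks for).
set security ike gateway hq ike-policy hq
set security ike gateway hq address 50.208.33.177
set security ike gateway hq external-interface reth0.1298
delete security ike gateway hq local-identity
delete security ike gateway hq remote-identity

# 4. IPsec VPN bound to st0.0 (the other change the accepted answer asks for).
set security ipsec vpn hq ike gateway hq
set security ipsec vpn hq bind-interface st0.0
set security ipsec vpn hq establish-tunnels immediately

# 5. Steer the peer LAN into the tunnel; this is what makes it "route-based".
set routing-options static route 192.0.2.0/24 next-hop st0.0

# 6. Least-privilege policy: only the two zones involved, both directions.
set security policies from-zone trust to-zone vpn policy lan-to-hq match source-address any
set security policies from-zone trust to-zone vpn policy lan-to-hq match destination-address any
set security policies from-zone trust to-zone vpn policy lan-to-hq match application any
set security policies from-zone trust to-zone vpn policy lan-to-hq then permit
set security policies from-zone vpn to-zone trust policy hq-to-lan match source-address any
set security policies from-zone vpn to-zone trust policy hq-to-lan match destination-address any
set security policies from-zone vpn to-zone trust policy hq-to-lan match application any
set security policies from-zone vpn to-zone trust policy hq-to-lan then permit

# 7. Verify after commit: Phase 1 should show UP, Phase 2 should list an SA
#    whose "Port" and "Gateway" match the peer, and st0.0 should show up/up.
#    show security ike security-associations
#    show security ipsec security-associations
#    show interfaces terse st0.0
```

The "Invalid cookie recvd" messages in kmd-logs are consistent with the peer answering Phase 1 exchanges that no longer match a complete VPN definition on the other side; once the st0 binding is in place and both peers agree on identities (here, simply their IP addresses), the Phase 1 SA should establish and the message should stop. If it continues, compare "show security ike security-associations detail" on both sides for a mismatch in proposal, pre-shared key, or peer address before looking further.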