SRX

Hello everyone!! 

I have a SRX210 here in my office, and I just setup a cluster of SRX340's at a client network.  I setup a tunnel between them, using a working config example, and the IKE and IPSEC security associations come 'UP' and show good, but no traffic will go across the tunnel.  I cannot ping either side from either side.  I have the host-inbound with ping, and tracerout, but still nothing (and no routing across it).  I can look at the ST interfaces and see that (during ping operations) the outbound packets count is going up, but on my 210 at MY end, no session builds, and no traffic passes.  I have been pouring over the config all day, and am tired of looking at it.  It should just work.  Any ideas? help?  whatever you can see?  

Here is the config of both sides (in set statements):

My SRX 210:
set interfaces st0 unit 102 description "Tunnel to Client Network"
set security ike policy ike-pol-Client-Network mode main
set security ike policy ike-pol-Client-Network proposal-set standard
set security ike policy ike-pol-Client-Network pre-shared-key secret
set security ike gateway ike-gate-Client-Network ike-policy ike-pol-Client-Network
set security ike gateway ike-gate-Client-Network address 2.2.2.2
set security ike gateway ike-gate-Client-Network external-interface lo0
set security ipsec policy ipsec-pol-Client-Network proposal-set standard
set security ipsec vpn ipsec-vpn-Client-Network bind-interface st0.102
set security ipsec vpn ipsec-vpn-Client-Network ike gateway ike-gate-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network ike ipsec-policy ipsec-pol-Client-Network
set security ipsec vpn ipsec-vpn-Client-Network establish-tunnels immediately
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match source-address My-LAN
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match destination-address any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network match application any
set security policies from-zone Trust to-zone Client-Network policy Trust-Client-Network then permit
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match source-address any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match destination-address My-LAN
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust match application any
set security policies from-zone Client-Network to-zone Trust policy Client-Network-Trust then permit
set security zones security-zone Client-Network host-inbound-traffic system-services ping
set security zones security-zone Client-Network host-inbound-traffic system-services traceroute
set security zones security-zone Client-Network interfaces st0.102

set interfaces st0 unit 102 description "Tunnel to Client"
set interfaces st0 unit 102 family inet address 10.1.1.6/30

Remote SRX340 Cluster:
set security ike policy ike-pol-My-Network mode main
set security ike policy ike-pol-My-Network proposal-set standard
set security ike policy ike-pol-My-Network pre-shared-key ascii-text secret
set security ike gateway ike-gate-My-Network ike-policy ike-pol-My-Network
set security ike gateway ike-gate-My-Network address 1.1.1.1
set security ike gateway ike-gate-My-Network external-interface reth0
set security ipsec policy ipsec-pol-My-Network proposal-set standard
set security ipsec vpn ipsec-vpn-My-Network bind-interface st0.10
set security ipsec vpn ipsec-vpn-My-Network ike gateway ike-gate-My-Network
set security ipsec vpn ipsec-vpn-My-Network ike ipsec-policy ipsec-pol-My-Network
set security ipsec vpn ipsec-vpn-My-Network establish-tunnels immediately
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match source-address any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match destination-address My-LAN
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network match application any
set security policies from-zone Trust to-zone My-Network policy Trust-My-Network then permit
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match source-address My-LAN
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match destination-address any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust match application any
set security policies from-zone My-Network to-zone Trust policy My-Network-Trust then permit
set security zones security-zone My-Network host-inbound-traffic system-services ping
set security zones security-zone My-Network host-inbound-traffic system-services traceroute
set security zones security-zone My-Network interfaces st0.10
set interfaces st0 unit 10 description "Tunnel to My Network"

set interfaces st0 unit 10 family inet address 10.1.1.5/30

The 210 is:

Model: srx210he2
JUNOS Software Release [12.1X46-D40.2]

The 340 cluster:

node0:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-0
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

node1:
--------------------------------------------------------------------------
Hostname: MDF-SRX340-1
Model: srx340
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

Any help would be greatly appreciated!

Thank you!

Sean Garland

Garland Tech, Inc.

Well it's fixed.  Added one line to the config, which may or may not have done anything.  Added the following to the ike gateway information, which wasn't necessary on any other connection:

set security ike gateway ike-gate-Client-Network local-address 1.1.1.1 (the actual address of MY side)

Not sure if because I'm using a loopback routed interface with a different actual direct connected subnet, that was the case or what.  But it's up now..  

Very strange issue that would be interesting to recreate in the lab to check on.

Thanks!