SRX Services Gateway

session

07-19-2019 07:02 AM

Hi,

Why do a number of outputs of >sh sec flo session have only one direction (In), not both In and Out, while others have both directions, In and Out?

For instance,

Session ID: 76, Policy name: N/A, Timeout: N/A, Valid
In: 159.100.210.173/0 --> 133.115.240.110/0;esp, If: xe-1/0/1.0, Pkts: 0, Bytes: 0


Re: session

07-19-2019 09:35 AM

Arix,
This is a normal and expected behavior for ESP sessions. I was able to confirm that this session is used to match inbound ESP packets.
Hope this helps.
Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: session

07-19-2019 10:43 PM

Hello,
It should, yes, but this unidirectional flow is likely pre-programmed in anticipation of ESP packets getting in, but then ESP packets never actually hit this box, hence the pkt count is 0. I would imagine a scenario where this flow could be programmed when IKE Phase 2 starts - specifically, when this box is the responder and receives a packet with the remote initiator's SA - but Ph 2 never actually completes, hence this flow stays unidirectional for a while.

Please enable IKE debug for peer 159.100.210.173 to get more information and then examine the logs to find why Ph2 does not complete, could be a proposal mismatch or something.

HTH

Thx

Alex

Re: session

a month ago

Arix,
Yes, I know it is strange, but this is the way it is always displayed in Junos and it doesn't have anything to do with problems on the tunnel. If you check a stable VPN that is passing traffic normally, you will still see this session in the same way. I believe it is there for some internal purposes.

 

If you want to check traffic/sessions going over the tunnel, you have to use a regular "show security flow session source-prefix [address] destination-prefix [address]" command. Also if you want to check if packets are getting encrypted/decrypted you can use a "show security ipsec statistics index [tunnel_index]".
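As an added example (not code from any poster in this thread), here is a small Python parser for the "show security flow session" line format quoted in the question; it labels the In-only ESP entries discussed above separately from ordinary bidirectional sessions, so they can be listed and checked rather than mistaken for tunnel traffic. The sample output is constructed: session 76 is the one from the question, session 77 is made up for contrast.

```python
import re

SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>[^,]+), (?P<state>\w+)$"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifname>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<nbytes>\d+)$"
)

def parse_flow_sessions(text):
    """Return a list of sessions; each has its In/Out wings under 'wings'."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:  # header line starts a new session
            current = m.groupdict()
            current["wings"] = {}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:  # In:/Out: line belongs to current session
            wing = m.groupdict()
            direction = wing.pop("dir")
            wing["pkts"], wing["nbytes"] = int(wing["pkts"]), int(wing["nbytes"])
            current["wings"][direction] = wing
    return sessions

def classify(session):
    """In-only ESP entries are the pre-programmed inbound-ESP matchers, not tunnel traffic."""
    wings = session["wings"]
    if set(wings) == {"In"} and wings["In"]["proto"] == "esp":
        return "esp-inbound-only" if wings["In"]["pkts"] == 0 else "esp-inbound-active"
    return "bidirectional" if {"In", "Out"} <= set(wings) else "other"

def summarize(text):
    return {s["sid"]: classify(s) for s in parse_flow_sessions(text)}

# Constructed sample: session 76 copied from the question, 77 made up for contrast.
SAMPLE = """\
Session ID: 76, Policy name: N/A, Timeout: N/A, Valid
  In: 159.100.210.173/0 --> 133.115.240.110/0;esp, If: xe-1/0/1.0, Pkts: 0, Bytes: 0
Session ID: 77, Policy name: vpn-out/5, Timeout: 1798, Valid
  In: 10.1.1.10/40512 --> 10.2.2.20/443;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 1320
  Out: 10.2.2.20/443 --> 10.1.1.10/40512;tcp, If: st0.0, Pkts: 7, Bytes: 5418
Total sessions: 2
"""
```

Feeding real "show security flow session" output to summarize() lists each session ID with its label; an "esp-inbound-only" entry that persists with zero packets for a peer is the case the thread suggests checking IKE Phase 2 for.
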
Re: session

a month ago

Arix,

Like someone here said, it is preprogrammed, after phase 2 begins.
Do you see multiple entries/tuples for this context?

Why don't you look for two more combinations here, one for UDP port 500 traffic and second, for internal traffic that is meant to hit the VPN?

Cheers
Pooja