ScreenOS Firewalls (NOT SRX)

IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-07-2014 03:12 PM

Hi,

I am trying to understand this error message I am getting on my SSG5, firmware version 6.3.0r17.0 (Firewall+VPN).

IKE V2 104.45.132.80: Received a notification message for 16389 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP.

I have gone through the Juniper Log Manual and this provides no help.

I checked all my interfaces and NAT is not enabled on any interface. Route is enabled.

Turned on debugging and found no errors.

I am trying to set up a route-based VPN between the Juniper and the Azure Cloud.

Thanks,

Shelina

Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-10-2014 09:16 AM

That indicates there is something between the firewall and Azure that is performing NAT.  It's only a notification and not an error.  In order to try to find out why the VPN is failing, you would need to look at the responder side (Azure).
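To show what the logged notification actually carries, here is an added Python example (not from this thread and not ScreenOS code) that computes the RFC 7296 section 2.23 NAT detection hashes and performs the receiver's comparison. The SPIs and IP addresses are constructed for the demo; the receiver learns that a NAT sits in the path only when the peer's hash differs from the hash of the addresses it sees on the wire.

```python
import hashlib
import ipaddress
import struct

# IKEv2 notify message types (RFC 7296); 16389 is the value in the SSG5 log line.
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 section 2.23: SHA-1 over SPIi | SPIr | IP address | UDP port (network order)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_detection_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: one hash for each end of the UDP flow as the sender believes it to be."""
    return {
        NAT_DETECTION_SOURCE_IP: nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        NAT_DETECTION_DESTINATION_IP: nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def check_nat_detection(notifies, spi_i, spi_r, seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port):
    """Receiver side: recompute from the addresses actually observed on the received packet.

    A SOURCE mismatch means the peer's address was translated on the way in (peer behind NAT).
    A DESTINATION mismatch means the address the peer sent to is not the address this
    device received on, i.e. this end sits behind a NAT.
    """
    peer_nat = notifies[NAT_DETECTION_SOURCE_IP] != nat_detection_hash(
        spi_i, spi_r, seen_src_ip, seen_src_port)
    local_nat = notifies[NAT_DETECTION_DESTINATION_IP] != nat_detection_hash(
        spi_i, spi_r, seen_dst_ip, seen_dst_port)
    return {"peer_behind_nat": peer_nat, "local_behind_nat": local_nat}


def demo():
    # Constructed values: initiator SPI is arbitrary, responder SPI is zero in the first IKE_SA_INIT.
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes(8)
    # The peer addresses the packet to 203.0.113.10 (the address it was configured with) ...
    sent = build_nat_detection_notifies(spi_i, spi_r, "198.51.100.7", 500, "203.0.113.10", 500)
    # ... but the firewall receives it on 192.0.2.5, so the DESTINATION hash will not match.
    return check_nat_detection(sent, spi_i, spi_r, "198.51.100.7", 500, "192.0.2.5", 500)
```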


Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-11-2014 07:01 AM

Thank you.

Unfortunately, the Azure portal is limited in what I can see and do to troubleshoot the issue.

This helps - that something is performing a NAT, which is the reason for the failure - Azure requires a route, not a NAT.

The Juniper has a VPN directly to the Azure cloud and I am wondering if it's my untrust interface that is doing a NAT?

ethernet0/6 has a public IP address in the untrust zone. But I have also created a tunnel.1 interface (unnumbered) that is also in the untrust zone. Both interfaces do belong to the trust virtual router. Could this setup be what is causing the NAT?

Shelina

Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-12-2014 09:19 AM

I turned on debugging to see what is happening with the IKE negotiations and saw this:

It seems as if there is a duplicate packet on the Azure side - is there a setting on the Juniper I can configure to change the timing on the packets that are sent?

## 2014-11-12 12:02:12 : IKESA LT timer armed, after <28740> seconds
## 2014-11-12 12:02:12 : install_ike_sa_key set ike sa crypto active.
## 2014-11-12 12:02:12 : cleanup seqno is 0
## 2014-11-12 12:02:12 :   Delete IKEv2 conn entry...
## 2014-11-12 12:02:13 : IKE<104.45.x.x> ike packet, len 644, action 0
## 2014-11-12 12:02:13 : IKE<104.45.x.x> Catcher: received 616 bytes from socket.
## 2014-11-12 12:02:13 : IKE<104.45.x.x> ****** Recv packet if <ethernet0/6> of vsys <Root> ******
## 2014-11-12 12:02:13 : IKE<104.45.x.x> Catcher: get 616 bytes. src port 500
## 2014-11-12 12:02:13 : IKE<0.0.0.0        > found existing ike sa node 2abc050
## 2014-11-12 12:02:13 : IKE<104.45.x.x> Search IKE_SA table, found 2abc050.
## 2014-11-12 12:02:13 : Duplicated pkt checking ...
## 2014-11-12 12:02:13 : len in wind 616, hash in wind 2122461879, len 616, hash 2122461879
## 2014-11-12 12:02:13 : IKE<104.45.x.x> resend ikev2 packet
## 2014-11-12 12:02:13 : The sent ip is 104.45.x.x, port is 500
## 2014-11-12 12:02:13 : Can't send out pkt
## 2014-11-12 12:02:13 : Received duplicated pkt at Respnder
## 2014-11-12 12:02:14 : IKEv2: Aborted negotiations for IKE_SA(0x02a4b5a0/00010002) because the time limit has elapsed.
## 2014-11-12 12:02:14 : terminate sa v2
## 2014-11-12 12:02:14 : IKE<104.45.x.x> ike packet, len 644, action 0
## 2014-11-12 12:02:14 : IKE<104.45.x.x> Catcher: received 616 bytes from socket.
## 2014-11-12 12:02:14 : IKE<104.45.x.x> ****** Recv packet if <ethernet0/6> of vsys <Root> ******
## 2014-11-12 12:02:14 : IKE<104.45.x.x> Catcher: get 616 bytes. src port 500
## 2014-11-12 12:02:14 : IKE<0.0.0.0        > found existing ike sa node 2abc050
## 2014-11-12 12:02:14 : IKE<104.45.x.x> Search IKE_SA table, found 2abc050.
## 2014-11-12 12:02:14 : Duplicated pkt checking ...
## 2014-11-12 12:02:14 : len in wind 616, hash in wind 2122461879, len 616, hash 2122461879
## 2014-11-12 12:02:14 : IKE<104.45.x.x> resend ikev2 packet
## 2014-11-12 12:02:14 : The sent ip is 104.45.x.x, port is 500
## 2014-11-12 12:02:14 : Can't send out pkt
## 2014-11-12 12:02:14 : Received duplicated pkt at Respnder
## 2014-11-12 12:02:16 : IKEv2: 44c5130 azure-gateway reset DPD, no active p2 SA.

Solution
Accepted by topic author Shelina
‎08-26-2015 01:27 AM

Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-12-2014 10:14 AM

Looks like the message is not making it to Azure.  We see that the NetScreen is aborting due to time elapsed, but Azure resends the packet.  You would need to look on the Azure side to verify if they are receiving the packet.


Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎11-01-2016 01:08 PM

Were you ever able to get this working?  I'm having the exact same errors on the Juniper SSG5 side connecting to Azure route based VPN and so far no help from Microsoft or Juniper.


Re: IKE V2 NOTIFY_MSG_NAT_DETECTION_DESTINATION_IP

‎05-04-2019 03:26 PM

Did anyone get this working? I am trying to set up Azure Route VPN with SSG5 (with 6.1 software however - I realise that only 6.2 is verified with Azure)

set sa-filter <Azure VPN IP>
debug ike detail
get db stream

## 2019-05-03 21:59:34 : IKEv2: 258c2b0 AZURE-GW reset DPD, no active p2 SA.
## 2019-05-03 21:59:45 : IKEv2: 258c2b0 AZURE-GW reset DPD, no active p2 SA.
## 2019-05-03 21:59:55 : IKEv2: 258c2b0 AZURE-GW reset DPD, no active p2 SA.

 

set ike p1-proposal "AZURE-P1_Proposal" preshare group2 esp aes256 sha-1 hour 8
set ike p2-proposal "AZURE-P2_Proposal" group2 esp aes256 sha-1 hour 3

set ike gateway "AZURE-GW" dpd-liveness interval 10
set ike respond-bad-spi 1
set ike gateway ikev2 "AZURE-GW" auth-method self preshare peer preshare
set ike ikev2 ike-sa-soft-lifetime 60

set vpn "AZURE-VPN" gateway "AZURE-GW" no-replay tunnel idletime 0 sec-level compatible
set vpn "AZURE-VPN" id 0x1 bind interface tunnel.1