ScreenOS Firewalls (NOT SRX)

Strange issue with route-based VPNs and proxy-id's after upgrade from 6.0 to 6.3

‎01-14-2011 05:06 AM

Upgraded an HA pair of SSG550s from 6.0 to 6.3.  All went smoothly, except all of the route-based VPNs were not able to reestablish after they timed out.  The message in the event log showed a mismatched proxy-id.  Nothing changed in the config and it looked correct.  However, when I looked at the VPNs using 'get vpn xxx' the proxy-id from the configuration was not displayed as expected.  The issue was resolved by unsetting and re-setting the proxy-id of all of the VPNs.  Not sure if anyone else has experienced similar.  I have a case open with JTAC to see if this is a known issue.  Details below:

SSG550-1(M)-> get conf | i xxx..proxy-id
set vpn "xxx" proxy-id local-ip 192.168.1.1/32 remote-ip 192.168.20.1/32 "ANY"
SSG550-1(M)-> get vpn xxx
...
single proxy id, check disabled, init done, total <1>
proxy id:
...
  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN
        D      192.168.20.1  0x000000a8 xxx

SSG550-1(M)-> unset vpn xxx proxy-id

SSG550-1(M)-> set vpn "xxx" proxy-id local-ip 192.168.1.1/32 remote-ip 192.168.20.1/32 "ANY"

SSG550-1(M)-> get vpn xxx
...
single proxy id, check disabled, init done, total <1>
proxy id:
  local 192.168.1.1/255.255.255.255, remote 192.168.20.1/255.255.255.255, proto 0, port 0/0
...
  Next-Hop Tunnel Binding table
  Flag Status Next-Hop(IP)    tunnel-id  VPN
        U      192.168.20.1  0x000000a8 xxx

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
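One way to check this across every VPN after an upgrade, as an added example (not code from the post or from Juniper): a Python script that compares the proxy-ids from `get conf | i proxy-id` against the `proxy id:` section of each `get vpn <name>` output and emits the unset/set pair for any VPN whose configured proxy-id is not actually active. The device outputs below are constructed samples in the format shown above; "yyy" is an assumed second VPN that is healthy.

```python
import ipaddress
import re

# Constructed sample of 'get conf | i proxy-id' output (same line format as in the post).
GET_CONF = (
    'set vpn "xxx" proxy-id local-ip 192.168.1.1/32 remote-ip 192.168.20.1/32 "ANY"\n'
    'set vpn "yyy" proxy-id local-ip 10.0.0.0/24 remote-ip 10.1.0.0/24 "ANY"\n'
)
# Constructed 'get vpn <name>' excerpts: "xxx" has the empty 'proxy id:' section seen after
# the upgrade, "yyy" (assumed) shows the populated form that a working VPN displays.
GET_VPN = {
    "xxx": "proxy id:\n  Next-Hop Tunnel Binding table\n",
    "yyy": "proxy id:\n  local 10.0.0.0/255.255.255.0, remote 10.1.0.0/255.255.255.0, proto 0, port 0/0\n",
}

CONF_RE = re.compile(r'^set vpn "([^"]+)" proxy-id local-ip (\S+) remote-ip (\S+)')
RUNTIME_RE = re.compile(r'^\s*local (\S+), remote (\S+), proto', re.M)


def to_dotted(cidr):
    """'192.168.1.1/32' -> '192.168.1.1/255.255.255.255', the form 'get vpn' prints."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}/{net.netmask}"


def configured_proxy_ids(conf_text):
    """VPN name -> (full 'set' line, expected (local, remote) pair in dotted-mask form)."""
    out = {}
    for line in conf_text.splitlines():
        m = CONF_RE.match(line)
        if m:
            name, local, remote = m.groups()
            out[name] = (line.strip(), (to_dotted(local), to_dotted(remote)))
    return out


def runtime_proxy_ids(get_vpn_text):
    """Set of (local, remote) pairs actually installed, read from under 'proxy id:'."""
    return {m.groups() for m in RUNTIME_RE.finditer(get_vpn_text)}


def find_missing(conf_text, get_vpn_outputs):
    """{vpn: [unset cmd, set cmd]} for every VPN whose configured proxy-id is not active."""
    fixes = {}
    for name, (set_line, expected) in configured_proxy_ids(conf_text).items():
        if expected not in runtime_proxy_ids(get_vpn_outputs.get(name, "")):
            fixes[name] = [f"unset vpn {name} proxy-id", set_line]
    return fixes


if __name__ == "__main__":
    for vpn, cmds in find_missing(GET_CONF, GET_VPN).items():
        print(f"{vpn}: configured proxy-id is not active; re-apply with:")
        for cmd in cmds:
            print("  " + cmd)
```

Paste the real `get conf` and `get vpn` captures in place of the constructed strings; the script only reads output, so it is safe to run before touching the device.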

Re: Strange issue with route-based VPNs and proxy-id's after upgrade from 6.0 to 6.3

‎01-19-2011 04:31 AM

Hello, while I couldn't say for certain without investigating, I would say the behavior you have seen makes sense. That is to say, there were changes between the two versions of code with regards to how proxy-ID was handled. In particular, the ability to specify proxy-IDs rather than connect with the policy tuple information. In early versions, for example, a policy-based VPN could only use the info from the policy to create the proxy ID. With the later version it can be set explicitly. This might not be the exact feature that is causing your effect, but it is an example.

So what you have seen might well be as a result of an increase in functionality. Where this occurs the config migration would not be able to know the value to put into the config as it has never been typed.

All the best

....................................
Ian Nightingale
Systems Engineer
m +44 7795 128 048
inightingale@juniper.net

Re: Strange issue with route-based VPNs and proxy-id's after upgrade from 6.0 to 6.3

‎01-19-2011 06:18 AM

I think I understand your point about an enhancement between code versions potentially causing issues during the configuration migration/upgrade.  However, in this case these were proxy-ids manually set on route-based VPNs.  Also, unsetting and re-setting the exact same proxy-id command fixed the issue.  (i.e. The configuration is still the same as it was; I just had to unset a parameter and re-set it to the same value in order for it to be picked up in ScreenOS.)

My guess is that the feature enhancement that may have impacted this is the ability to set multiple proxy-ids on a single VPN.  (I haven't checked which code version introduced this, but I believe it is post-6.0.)

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL