SRX

I have a VSRX located in AWS and an IPSEC tunnel that is connected to a VPN connection in a different AWS VPC.  The tunnel itself comes up, but I cannot ping the hosts on the other side of it, including the other IP in the interconnect subnet. 

The tunnel is up:

ec2-user> show security ipsec inactive-tunnels
  Total inactive tunnels: 0
  Total inactive tunnels with establish immediately: 0

ec2-user> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:            13860
  Encrypted packets:              0
  Decrypted packets:            231
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

The IP configuration on it is about as simple as can be:

ec2-user> show configuration interfaces st0.1
enable;
description VPN-06ab852-1;
family inet {
    mtu 1436;
    address 169.254.15.246/30;
}

As are the security zone and policy settings:

ec2-user> show configuration security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        st0.1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

ec2-user> show configuration security policies
from-zone trust to-zone trust {
    policy everything {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

But I cannot ping the far side of the tunnel, even when sourced from it:

ec2-user> ping 169.254.15.245 source 169.254.15.246
PING 169.254.15.245 (169.254.15.245): 56 data bytes
^C
--- 169.254.15.245 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss

I do see traffic coming out of the tunnel interface when I do a packet capture, but I never see anything coming back in:

16:30:28.794614 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 2, length 64
16:30:29.794818 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 3, length 64
16:30:30.795552 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 4, length 64
16:30:31.796620 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 5, length 64
16:30:32.796766 Out IP truncated-ip - 16 bytes missing! 169.254.15.246 > 169.254.15.245: ICMP echo request, id 11546, seq 6, length 64

Any suggestions are welcomed.

Hi,

show security ipsec statistics shows NO encrypted bytes. Can you check the details of your IPSEC-SA e.g. negotiated proxy-id etc. ALso, check the route table for the destination IP that you are trying to ping.

In AWS, we mostly use different routing-instance for the PFE/ge traffic than FXP. Can you try initiating a ping from that routing-instance.

Thanks,

Vikas

Thanks for getting back to me Vikas.  Good catch on the lack of encrypted bytes.

I'm pretty new to Juniper gear, but I have not set up any routing instances, so I think everything is in the same one:

ec2-user> show route instance
Instance             Type
         Primary RIB                                     Active/holddown/hidden
master               forwarding
         inet.0                                          9/0/0
         inet6.0                                         1/0/0

__juniper_private1__ forwarding
         __juniper_private1__.inet.0                     5/0/0

__juniper_private2__ forwarding
         __juniper_private2__.inet.0                     0/0/1

__juniper_private3__ forwarding

__juniper_private4__ forwarding

__master.anon__      forwarding

mgmt_junos           forwarding

Here are my SAs:

ec2-user> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108865 ESP:aes-cbc-128/sha1 e7986607 3595/ unlim - root 4500 XXX.YYY.ZZZ.PPP
  >67108865 ESP:aes-cbc-128/sha1 3e2708fb 3595/ unlim - root 4500 XXX.YYY.ZZZ.PPP

The route is trying to go across the tunnel too.

ec2-user> show route
...
169.254.15.244/30  *[Direct/0] 00:00:24
                    > via st0.1
169.254.15.246/32  *[Local/0] 00:00:24
                      Local via st0.1

It turns out that the issue was with the tunnel flapping.  It is up and passing traffic now.  Here are how things look.

Sanitized IKE config:

proposal ike-prop-vpn-06ab852-1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;
}
policy ike-pol-vpn-06ab852-1 {
    mode main;
    proposals ike-prop-vpn-06ab852-1;
    pre-shared-key ascii-text "*redacted*"; ## SECRET-DATA
}
gateway gw-vpn-06ab852-1 {
    ike-policy ike-pol-vpn-06ab852-1;
    address XXX.YYY.ZZZ.PPP;
    dead-peer-detection;
    nat-keepalive 5;
    local-identity inet XXX.YYY.ZZZ.PPP;
    external-interface ge-0/0/0.0;
}

IPSEC config:

proposal ipsec-prop-vpn-06ab852-1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy ipsec-pol-vpn-06ab852-1 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec-prop-vpn-06ab852-1;
}
vpn VPN-06ab852-1 {
    bind-interface st0.1;
    df-bit copy;
    ike {
        gateway gw-vpn-06ab852-1;
        ipsec-policy ipsec-pol-vpn-06ab852-1;
    }
    establish-tunnels immediately;
}