[j-nsp] Trouble with just one IPSec tunnel among many

Jonathan Call lordsith49 at hotmail.com
Wed Nov 18 11:19:47 EST 2015

I found this in the traceoptions I collected from SRX A: http://pastebin.com/Kk0gSzaD

So the tunnel is there, but its not there. That explains the lack of ESP packets on that side. 


From: Stefan Fouant <sfouant at shortestpathfirst.net>
Sent: Tuesday, November 17, 2015 8:08 PM
To: Jonathan Call
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Trouble with just one IPSec tunnel among many

Have you tried debugging under [edit security flow traceoptions] yet? There is a wealth of information in there using the flag 'basic-datapath' that may help you.

Stefan Fouant
m (703) 625-6243

On Nov 17, 2015, at 9:42 PM, Jonathan Call <lordsith49 at hotmail.com> wrote:

I have an SRX250 (SRX A) and an SRX240h2  (SRX B) connected via a PSK IPSec tunnel. They both have multiple IPSec tunnels configured to other SRX devices on our network. Recently the tunnel between the two stopped passing traffic. Both IKE and IPSec  security association were UP on both sides. (show security ike security-association  and show security ipsec security-association) If I pinged from SRX A to something on SRX B I would see the echo request come into SRX B and the echo reply go out. On SRX A  I would only see the outbound packet flow with no response. When I would ping from SRX B to SRX A, SRX A acted as if nothing was happening at all. I ran a traceoptions to capture the ICMP traffic from SRX A to SRX B. SRX A looked like it was sending the traffic  out the tunnel interface but had no reply content. The tracefile on SRX B was completely empty.

After confirming there was nothing abnormal in the routing tables on both of them I tried clearing the IKE and IPSec sessions to rebuild the VPN. Both Phase 1 IKE and Phase 2 IKE came back up but now ping fails in both directions. When I look at the 'show  security ipsec statistics index' information on each side SRX B shows some ESP packets being encrypted and decrypted but not very many. The SRX A ESP statistics are all zeros.

Restarting ipsec key management seems a bit extreme since it will take out all of the other IPSec sessions. Is there some other troubleshooting I can try before I resort to that? 

Thank you,


juniper-nsp mailing list juniper-nsp at puck.nether.net

More information about the juniper-nsp mailing list