[j-nsp] Trouble with just one IPSec tunnel among many

Will O'Brien - NOAA Affiliate will.obrien at noaa.gov
Wed Nov 18 15:51:13 EST 2015


Silly questions:
You have dedicated a st0.x on both sides to each tunnel and not re-used
them for others, right?
You placed each st0 into an appropriate security zone?
Those security zones have intra-zone policies to other interfaces OR have
policies to other appropriate zones?

You didn't tie them to loopbacks, right? If so, the tunnel will come up and
never pass traffic. (I'm not sure if a 250 is considered 'high end code' or
not. The 1400s used to be the cut-off there.)
Are you using local and remote id settings?

etc.

On Wed, Nov 18, 2015 at 10:20 AM, Jonathan Call <lordsith49 at hotmail.com>
wrote:

> A google of this error message directed me to a blog: (
> http://thomaspollet.blogspot.com/) that discusses how SA can exist in the
> management plane but not in the data plane. When I ran request pfe execute
> command "show usp ipsec sa" target fwdd my st0.142 interface is not listed.
>
> I've already tried deleting and committing the IPSec settings so I may be
> forced to do a commit full or a reboot. Clearing the ike and ipsec
> security-associations gets rid of the settings but the VPN never recovers
> until I remove and commit the SRX B VPN settings again.
>
> Jonathan
>
> ________________________________________
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of
> Jonathan Call <lordsith49 at hotmail.com>
> Sent: Wednesday, November 18, 2015 9:19 AM
> To: Stefan Fouant
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Trouble with just one IPSec tunnel among many
>
> I found this in the traceoptions I collected from SRX A:
> http://pastebin.com/Kk0gSzaD
>
> So the tunnel is there, but it's not there. That explains the lack of ESP
> packets on that side.
>
> Jonathan
>
> From: Stefan Fouant <sfouant at shortestpathfirst.net>
> Sent: Tuesday, November 17, 2015 8:08 PM
> To: Jonathan Call
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Trouble with just one IPSec tunnel among many
>
>
> Have you tried debugging under [edit security flow traceoptions] yet?
> There is a wealth of information in there using the flag 'basic-datapath'
> that may help you.
>
> Stefan Fouant
> JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
> m (703) 625-6243
>
> On Nov 17, 2015, at 9:42 PM, Jonathan Call <lordsith49 at hotmail.com> wrote:
>
>
> I have an SRX250 (SRX A) and an SRX240h2  (SRX B) connected via a PSK
> IPSec tunnel. They both have multiple IPSec tunnels configured to other SRX
> devices on our network. Recently the tunnel between the two stopped passing
> traffic. Both IKE and IPSec security associations were UP on both sides
> (show security ike security-association and show security ipsec
> security-association). If I pinged from SRX A to something on SRX B I would
> see the echo request come into SRX B and the echo reply go out. On SRX A I
> would only see the outbound packet flow with no response. When I would ping
> from SRX B to SRX A, SRX A acted as if nothing was happening at all. I ran
> a traceoptions to capture the ICMP traffic from SRX A to SRX B. SRX A
> looked like it was sending the traffic out the tunnel interface but had no
> reply content. The tracefile on SRX B was completely empty.
>
> After confirming there was nothing abnormal in the routing tables on both
> of them I tried clearing the IKE and IPSec sessions to rebuild the VPN.
> Both Phase 1 IKE and Phase 2 IKE came back up but now ping fails in both
> directions. When I look at the 'show security ipsec statistics index'
> information on each side SRX B shows some ESP packets being encrypted and
> decrypted but not very many. The SRX A ESP statistics are all zeros.
>
> Restarting ipsec key management seems a bit extreme since it will take out
> all of the other IPSec sessions. Is there some other troubleshooting I can
> try before I resort to that?
>
> Thank you,
>
> Jonathan
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
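The checklist above (one dedicated st0.x per tunnel, each st0 unit in a security zone, policies to or within that zone) is easy to audit mechanically. The following is an added example, not code from the thread: it scans a constructed Junos "set"-format snippet (the VPN names, unit numbers and zone names are made up) and reports bindings that violate those three checks.

```python
import re
from collections import defaultdict

# Constructed Junos "set"-style snippet (not from the thread). VPN-B is wired
# correctly; VPN-C re-uses st0.142; VPN-D's st0.143 sits in no security zone.
SAMPLE_CONFIG = """
set interfaces st0 unit 142 family inet
set interfaces st0 unit 143 family inet
set security ipsec vpn VPN-B bind-interface st0.142
set security ipsec vpn VPN-C bind-interface st0.142
set security ipsec vpn VPN-D bind-interface st0.143
set security zones security-zone vpn interfaces st0.142
set security policies from-zone trust to-zone vpn policy out match source-address any
set security policies from-zone vpn to-zone trust policy in match source-address any
"""

def audit_tunnel_bindings(config_text):
    """Return findings for the st0 / zone / policy checklist, one string each."""
    bind_re = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$")
    zone_re = re.compile(r"^set security zones security-zone (\S+) interfaces (st0\.\d+)$")
    pol_re = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) ")
    vpns_by_if = defaultdict(list)   # st0 unit -> VPNs bound to it
    zone_of = {}                     # st0 unit -> security zone
    policy_zones = set()             # zones referenced by any policy (intra-zone included)
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := bind_re.match(line):
            vpns_by_if[m.group(2)].append(m.group(1))
        elif m := zone_re.match(line):
            zone_of[m.group(2)] = m.group(1)
        elif m := pol_re.match(line):
            policy_zones.update(m.groups())
    findings = []
    for iface, vpns in sorted(vpns_by_if.items()):
        if len(vpns) > 1:
            findings.append(f"{iface} bound by more than one VPN: {', '.join(vpns)}")
        zone = zone_of.get(iface)
        if zone is None:
            findings.append(f"{iface} is not a member of any security zone")
        elif zone not in policy_zones:
            findings.append(f"zone {zone} of {iface} has no security policies")
    return findings

if __name__ == "__main__":
    for finding in audit_tunnel_bindings(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show configuration | display set` from both SRXs to compare the two ends of the suspect tunnel.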

