Juniper SRX Dynamic-VPN (Remote-access) – Part 2

So here is the second part of dynamic VPN, but this post will mainly cover verification and troubleshooting. If you are looking for how to configure dynamic-vpn (remote-access VPN), please check part 1 of this post.

Verification

To verify that the remote client has successfully connected to the SRX, use the command show security ike security-associations brief. You may see more than one entry here if there is other IKE traffic, such as a site-to-site VPN or another dynamic-vpn session.

Example 1

karlo> show security ike security-associations brief    
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address  
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive     1.1.1.1        
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive     10.0.11.114

The entry with index 4542718 can be ignored: it is my site-to-site VPN and not relevant to this post (its state is DOWN and its responder cookie is all zeros, meaning that peer has not answered). The one we are interested in is index 4542712. As you can see in Example 1, its state is UP and it shows the IP address of the remote client.

Another useful command is show security ike active-peer, which adds the XAuth username and the IP address assigned to the client.

Example 2

karlo> show security ike active-peer  
Remote Address                    Port    Peer IKE-ID                         XAUTH username                    Assigned IP
1.1.1.1                           500     Not-Available                    
10.0.11.114                       57717   your-dynamic-dns.dyn.net            karlo                             10.0.9.100                      

karlo>

If phase 1 is up and there is still no connection, verify phase 2. You can use show security ipsec inactive-tunnels; as you can see in Example 3, it lists the inactive tunnels together with the reason each one is down.

Example 3

karlo> show security ipsec inactive-tunnels          
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID      Port  Nego#  Fail#  Flag     Gateway         Tunnel Down Reason
131073  500   0      0      600a29   1.1.1.1         SA not initiated

karlo>

To see the active tunnels, use the command show security ipsec security-associations. Each tunnel appears twice, one line per direction (< inbound, > outbound), with its algorithm, SPI and remaining lifetime.

Example 4

karlo> show security ipsec security-associations  
Total active tunnels: 1
ID   Algorithm       SPI      Life:sec/kb  Mon lsys Port Gateway  
<268173325 ESP:aes-cbc-128/sha1 5d542e0 3066/ 499908 - root 56070 10.0.11.114    
>268173325 ESP:aes-cbc-128/sha1 204d6fa9 3066/ 499908 - root 56070 10.0.11.114    

karlo>

The last one is show security ipsec statistics, which gives you the ESP/AH byte and packet counters and, more importantly, the error counters (authentication failures, replay errors, decryption failures, bad headers/trailers). On a healthy tunnel these stay at zero; if they climb while the user reports problems, the tunnel is up but the ESP traffic itself is being rejected.

Example 5

karlo> show security ipsec statistics          
ESP Statistics:
  Encrypted bytes:           261680
  Decrypted bytes:           171253
  Encrypted packets:           1370
  Decrypted packets:           2364
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

karlo>
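The verification sequence above (phase 1 state, XAuth user and assigned address, ESP/AH error counters) is easy to script when you have many remote users. Here is an added example in Python; it is not code from the original post. The three sample outputs are transcribed from Examples 1, 2 and 5 (the AH counters are omitted), and the check function, its name and its finding messages are this example's own assumptions.

```python
"""Parse the SRX dynamic-VPN verification output and flag problems.

Added example, not code from the original post: the sample outputs are
transcribed from the post's Examples 1, 2 and 5; check_dynamic_vpn and
its finding messages are this example's own.
"""
import re

IKE_BRIEF = """\
Index    State   Initiator cookie   Responder cookie   Mode           Remote Address
4542718   DOWN   6a685801e0f0a351   0000000000000000   Aggressive     1.1.1.1
4542712   UP     39de8a6735c6e475   e1c4c10b2234ffc0   Aggressive     10.0.11.114
"""

ACTIVE_PEER = """\
Remote Address                    Port    Peer IKE-ID                         XAUTH username                    Assigned IP
1.1.1.1                           500     Not-Available
10.0.11.114                       57717   your-dynamic-dns.dyn.net            karlo                             10.0.9.100
"""

IPSEC_STATS = """\
ESP Statistics:
  Encrypted bytes:           261680
  Decrypted bytes:           171253
  Encrypted packets:           1370
  Decrypted packets:           2364
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# One data row of 'show security ike security-associations brief'
IKE_ROW = re.compile(r"^(\d+)\s+(UP|DOWN)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)$")
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+\s")


def parse_ike_brief(text):
    """Map remote address -> {'index', 'state', 'mode', 'responder_cookie'}."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            index, state, _icookie, rcookie, mode, remote = m.groups()
            sas[remote] = {"index": int(index), "state": state,
                           "mode": mode, "responder_cookie": rcookie}
    return sas


def parse_active_peers(text):
    """Map remote address -> peer info; absent XAuth user / assigned IP become None."""
    peers = {}
    for line in text.splitlines():
        if not IPV4.match(line):
            continue  # header line
        cols = line.split()
        peers[cols[0]] = {
            "port": int(cols[1]),
            "ike_id": cols[2],
            "xauth_user": cols[3] if len(cols) > 3 else None,
            "assigned_ip": cols[4] if len(cols) > 4 else None,
        }
    return peers


def parse_ipsec_errors(text):
    """Return {counter: value} for the 'Errors:' section of 'show security ipsec statistics'."""
    errors, in_errors = {}, False
    for line in text.splitlines():
        if line.startswith("Errors:"):
            in_errors = True
            continue
        if in_errors:
            for name, value in re.findall(r"([A-Za-z ]+?):\s*(\d+)", line):
                errors[name.strip()] = int(value)
    return errors


def check_dynamic_vpn(remote, ike_text, peer_text, stats_text):
    """Apply the post's checks to one client; an empty list means all is well."""
    findings = []
    sa = parse_ike_brief(ike_text).get(remote)
    if sa is None:
        return [f"{remote}: no IKE SA at all, the client never reached phase 1"]
    if sa["state"] != "UP":
        why = " (peer never answered)" if set(sa["responder_cookie"]) == {"0"} else ""
        findings.append(f"{remote}: IKE SA {sa['index']} is {sa['state']}{why}")
    peer = parse_active_peers(peer_text).get(remote)
    if peer is None or peer["xauth_user"] is None:
        findings.append(f"{remote}: no XAuth user recorded, authentication did not complete")
    elif peer["assigned_ip"] is None:
        findings.append(f"{remote}: {peer['xauth_user']} authenticated but got no address, check the pool/DHCP config")
    for counter, value in parse_ipsec_errors(stats_text).items():
        if value:
            findings.append(f"phase 2: {counter} = {value}")
    return findings
```

Feed the script the output of the three commands for the client's public address; for 10.0.11.114 it returns no findings, while for the site-to-site peer 1.1.1.1 it reports the DOWN phase 1 SA and the missing XAuth user, which is the same conclusion the examples above lead to by eye.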

Troubleshooting

If the verification commands above do not show a healthy tunnel, it is time to troubleshoot. Maybe the remote user is able to connect to the VPN but is not passing traffic, or cannot connect to the VPN at all. There are a lot of VPN issues, and I am no expert. I am just going to list the ones that I have encountered.

Failed to receive HTTP response

If users cannot connect at all and the desktop client reports “Failed to receive HTTP response”, check your SRX version, because according to Juniper:

This issue affects only branch SRX platforms and always occurs when Dynamic VPN is configured. This is a regression issue, it is introduced from 12.1X44-D55, 12.1X46-D40, 12.1X47-D30, 12.3X48-D20, and 15.1X49-D20.

The known working versions are 12.1X47-D35, 12.3X48-D25 and 15.1X49-D30, according to Juniper’s problem report. Also, I have an older SRX100H running 12.1X46-D35, and dynamic-vpn is working with that code.

VPN connection is up, but no traffic is going through

Ensure the remote client received an IP address from the SRX (the Assigned IP column of show security ike active-peer in Example 2). If it didn’t, check your configuration related to DHCP with show configuration system services dhcp-local-server, and ensure that the interface for the dynamic VPN is in a group.

Also, make sure that dhcp is allowed as a host-inbound system service on that interface under its security zone; otherwise the zone’s host-inbound filter drops the client’s DHCP requests before they reach the local DHCP server.

Example 6

karlo> show configuration security zones security-zone DYN-VPN-ZONE interfaces vlan.9
host-inbound-traffic {
   system-services {
       dhcp;              
   }
}

Lastly, the security policy must be in place. The from-zone should be untrust (where the tunnel terminates) and the to-zone the destination zone, and the permit action must point at the dynamic VPN’s ipsec-vpn so the policy is bound to the tunnel. Example 7 matches any source, destination and application; on a production box, narrow source-address to the address pool handed to remote users and application to what they actually need, otherwise the tunnel policy grants every remote user full access to the zone.

Example 7

karlo> show configuration security policies from-zone untrust to-zone trust
policy DYN-untrust_TO_trust {
   description "USED FOR ALLOWING TRAFFIC FROM DYNAMIC VPN TO PASS THROUGH";
   match {
       source-address any;
       destination-address any;
       application any;
   }
   then {
       permit {
           tunnel {
               ipsec-vpn IPSEC-DYN-VPN;
           }
       }
   }
}

You can also check whether traffic from the remote user is hitting the SRX with show security flow session. In Example 8 the session’s source is the address the SRX assigned to the client (10.0.9.103), it arrived on the untrust interface fe-0/0/0.0, and it matched the tunnel policy DYN-untrust_TO_trust. If your sessions show a different policy name, or packets in one direction only, that is where to look.

Example 8

karlo> show security flow session
Session ID: 12683, Policy name: DYN-untrust_TO_trust/10, Timeout: 1800, Valid
In: 10.0.9.103/56357 --> 10.0.3.1/22;tcp, If: fe-0/0/0.0, Pkts: 502, Bytes: 38710
Out: 10.0.3.1/22 --> 10.0.9.103/56357;tcp, If: .local..0, Pkts: 288, Bytes: 36773
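When a user says "connected but nothing works", the session table usually tells you which of the two common causes it is: the session exists but no packets come back (the internal host or its return route), or the session matched a policy other than the tunnel policy (policy ordering). Here is an added example in Python that parses show security flow session output and applies both checks; it is not code from the original post. The first session in the sample is the post's Example 8, the other two are constructed to show the failure modes, and the pool 10.0.9.0/24 and the policy name passed in are assumptions.

```python
"""Find dynamic-VPN sessions that are not passing traffic in 'show security flow session'.

Added example, not code from the original post. The first sample session is
the post's Example 8; the other two are constructed. The VPN pool and tunnel
policy name are passed in by the caller and are assumptions of this example.
"""
import re
from ipaddress import ip_address, ip_network

FLOW_SESSIONS = """\
Session ID: 12683, Policy name: DYN-untrust_TO_trust/10, Timeout: 1800, Valid
In: 10.0.9.103/56357 --> 10.0.3.1/22;tcp, If: fe-0/0/0.0, Pkts: 502, Bytes: 38710
Out: 10.0.3.1/22 --> 10.0.9.103/56357;tcp, If: .local..0, Pkts: 288, Bytes: 36773
Session ID: 12690, Policy name: DYN-untrust_TO_trust/10, Timeout: 2, Valid
In: 10.0.9.103/60001 --> 10.0.3.10/445;tcp, If: fe-0/0/0.0, Pkts: 6, Bytes: 360
Out: 10.0.3.10/445 --> 10.0.9.103/60001;tcp, If: vlan.3, Pkts: 0, Bytes: 0
Session ID: 12701, Policy name: default-permit/4, Timeout: 60, Valid
In: 10.0.9.103/40000 --> 10.0.3.20/53;udp, If: fe-0/0/0.0, Pkts: 1, Bytes: 60
Out: 10.0.3.20/53 --> 10.0.9.103/40000;udp, If: vlan.3, Pkts: 1, Bytes: 120
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
LEG_RE = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: ([^,]+), "
                    r"Pkts: (\d+), Bytes: (\d+)")


def parse_flow_sessions(text):
    """Return a list of sessions, each with its 'in' and 'out' legs parsed."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2],
                             "timeout": int(m[3]), "state": m[4]})
            continue
        m = LEG_RE.match(line)
        if m and sessions:  # leg lines follow their 'Session ID' line
            sessions[-1][m[1].lower()] = {
                "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]),
                "proto": m[6], "interface": m[7], "pkts": int(m[8]), "bytes": int(m[9]),
            }
    return sessions


def diagnose_vpn_sessions(sessions, vpn_pool, tunnel_policy):
    """For each session initiated from the VPN pool, explain why traffic may be stuck."""
    pool = ip_network(vpn_pool)
    findings = []
    for s in sessions:
        leg_in = s.get("in")
        if leg_in is None or ip_address(leg_in["src"]) not in pool:
            continue  # not initiated by a remote-access client
        label = (f"session {s['id']} {leg_in['src']} -> "
                 f"{leg_in['dst']}:{leg_in['dport']}/{leg_in['proto']}")
        policy = s["policy"].rsplit("/", 1)[0]  # drop the '/10' policy index
        if policy != tunnel_policy:
            findings.append(f"{label}: matched policy {policy} instead of tunnel policy "
                            f"{tunnel_policy}, check policy order")
        leg_out = s.get("out")
        if leg_out is not None and leg_out["pkts"] == 0:
            findings.append(f"{label}: {leg_in['pkts']} packets in, none back, "
                            f"check the host or its return route")
    return findings
```

Run diagnose_vpn_sessions(parse_flow_sessions(FLOW_SESSIONS), "10.0.9.0/24", "DYN-untrust_TO_trust") and only the two constructed sessions are reported: 12690 has packets in but none back, and 12701 matched default-permit rather than the tunnel policy. The real session from Example 8 is clean, which is why the SSH connection in it works.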

In addition, traceoptions under security flow can be used. This is useful once the remote user has received an IP address: have them generate traffic to a specific internal host, and filter the trace on that pair of addresses in both directions so the log stays readable (in the example below, 10.0.9.114 is the client’s assigned address and 10.0.3.10 the internal host).

[edit]
karlo# show | compare
[edit security]
+   flow {
+      traceoptions {
+           file TSHOOT;
+           flag basic-datapath;
+           packet-filter REMOTE_TO_INTERNAL {
+               source-prefix 10.0.9.114/32;
+               destination-prefix 10.0.3.10/32;
+           }
+           packet-filter INTERNAL_TO_REMOTE {
+               source-prefix 10.0.3.10/32;
+               destination-prefix 10.0.9.114/32;
+           }
+       }
+   }

[edit]
karlo#

After you commit the traceoptions, have the remote user generate some traffic. Then view the results with show log <filename>, in this case:

show log TSHOOT

Remember to delete (or deactivate) the traceoptions once you are done: flow tracing is expensive on a branch SRX, and the packet-filter is what keeps both the log size and the CPU cost bounded.

Hope you will find this post helpful

Cheers!

Donations are always appreciated:

BTC: 14wVPFBWNAKmfNsgUrPpw8EytkXFLjxYoU
ETH: 0x8528793dF77a57186f5B15dA6DC1eaA3c5e92c4a
LTC: LMpW2rGYnYdUwvnHA4huB6TGcPEEc1JzXw
NAV: NM7c5u8Vius5UJWtCdTdQxgKT9F3PpTXbK
Any ERC-20 (tokens/coins): 0x9f337F9e0796eD3af5ccF0332674fD1eaDfA03BC

Thanks

About networkshinobi

This blog is about the things I learned about computers and networking to help me to remember them as I push further my studies. I created this blog to help myself to continue my education; and if you find this blog helpful for your studies, that is great. That is one of the reasons why I made this blog, to share my interest and knowledge. Also, all the entries/posts I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in Misc.
