
SSL Forward Proxy

Hi,

I am testing SSL forward proxy on vSRX Junos 15.1; I followed the steps in the guide below:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ssl-proxy-workflow-configuring.html

I created a self-signed certificate and used it as the root-ca under the SSL profile, then installed this certificate in the client browser.

I created a policy matching the HTTPS traffic and applied the SSL profile in it, and then configured application-tracking on the zone so the SSL profile will be fetched.

>request security pki generate-key-pair certificate-id srx-cert-id-self-signed size 2048
>request security pki local-certificate generate-self-signed certificate-id srx-cert-id-self-signed domain-name domain-name subject subject email email-id add-ca-constraint

set services ssl proxy profile ssl-proxy-profile trusted-ca all
set services ssl proxy profile ssl-proxy-profile root-ca srx-cert-id-self-signed

set security policies from-zone trust to-zone untrust policy ssl-forward-proxy match source-address any
set security policies from-zone trust to-zone untrust policy ssl-forward-proxy match destination-address any
set security policies from-zone trust to-zone untrust policy ssl-forward-proxy match application junos-https
set security policies from-zone trust to-zone untrust policy ssl-forward-proxy then permit application-services ssl-proxy profile-name ssl-proxy-profile

set security zones security-zone trust application-tracking

But the client can't open the HTTPS web pages.

I tried using "ignore-server-auth-failure"; then the client was able to open HTTPS pages, but with a warning that the CA certificate used is invalid.

Has anyone got the forward proxy to work?


IPSec VPN not stable - connection keeps dropping out

Hi,

I set up a VPN tunnel between a Juniper SRX-240 and a FlexGW-strongSwan machine. The tunnel comes up for a certain time, then the connection drops while rekeying.

I tried to debug the IKE logs and found the following error:

[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Soft life timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Using existing ike SA 6325486 for gateway GTW1
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] IPSec rekey initiated for sa_cfg vpn1 with inbound spi 0x955ebd3
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] ikev2_packet_allocate: Allocated packet dabc00 from freelist
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [dabc00/1015000] Stored packet into window 1225f00
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] ssh_ikev2_ipsec_send: Started IPsec SA creation y.y.y.y;500
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_pm_ipsec_spi_allocate: local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Added (spi=0xa915c676, protocol=0) entry to the spi table
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_dh_get_group: DH Group 2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_dh_generate_sync: Requested DH group 2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] iked_dh_generate_sync: Generated DH keys using hardware for DH group 2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [7195]
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Construction NHTB payload for local:x.x.x.x, remote:y.y.y.y IKEv2 P1 SA index 6325486 sa-cfg vpn1
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg vpn1
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:20][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:20][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:20][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:20][x.x.x.x <-> y.y.y.y] Using existing ike SA 6325486 for gateway GTW1
[May 24 08:38:20][x.x.x.x <-> y.y.y.y] Already another negotiation is in progress for sa_cfg vpn1
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:30][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:30][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:30][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:30][x.x.x.x <-> y.y.y.y] Using existing ike SA 6325486 for gateway GTW1
[May 24 08:38:30][x.x.x.x <-> y.y.y.y] Already another negotiation is in progress for sa_cfg vpn1
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:40][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:40][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:40][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:40][x.x.x.x <-> y.y.y.y] Using existing ike SA 6325486 for gateway GTW1
[May 24 08:38:40][x.x.x.x <-> y.y.y.y] Already another negotiation is in progress for sa_cfg vpn1
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dabc00/1015000] Sending packet using VR id 0
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:38:50][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:50][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:50][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:50][x.x.x.x <-> y.y.y.y] Using existing ike SA 6325486 for gateway GTW1
[May 24 08:38:50][x.x.x.x <-> y.y.y.y] Already another negotiation is in progress for sa_cfg vpn1
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Rekey in progress (flag 0x11e). Not initiating rekey for spi 0x955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Starting rekey retry timer for spi 0x955ebd3 in 10 seconds
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] ikev2_xmit_error: [dabc00/1015000] Transmit error
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] IPSec negotiation failed for SA-CFG vpn1 for local:x.x.x.x, remote:y.y.y.y IKEv2. status: Timed out
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] P2 ed info: flags 0x82, P2 error: Error ok
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] IPSec SA done callback. ed 1161028. status: Timed out
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] IPSec SA done callback with sa-cfg NULL in p2_ed. status: Timed out
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] ikev2_packet_done: [dabc00/1015000] Not destroyed; running to end state and terminating there.
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] ikev2_packet_done: [dafc00/1015000] Destroyed already. Thread completed. Freeing now.
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] IKE SA delete called for p1 sa 6325486 (ref cnt 1) local:x.x.x.x, remote:y.y.y.y, IKEv2
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] P1 SA 6325486 stop timer. timer duration 28800, reason 2.
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Freeing all P2 SAs for IKEv2 p1 SA 6325486
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] kmd_sa_cfg_children_sa_free: processing SA vpn1
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Freeing the SA spi=0x955ebd3, proto=ESP
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted (spi=0x955ebd3, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: P1 SA deleted
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] NHTB entry not found. Not deleting NHTB entry
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] In iked_ipsec_sa_pair_delete Deleting GENCFG msg with key; Tunnel = 131079;SPI-In = 0x955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted SA pair for tunnel = 131079 with SPI-In = 0x955ebd3 to kernel
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleting phase 2 blob for key tunnel id 20007, spi 955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted the blob requested
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_is_anchoring_instance sa_dist_id=0, self_dist_id=255
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_deactivate_bind_interface: No more NHTB entries are active for st0.11. Bringing down the interface
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] kmd_update_tunnel_interface: update ifl st0.11 status DOWN for sa_cfg vpn1
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted (spi=0x955ebd3, protocol=ESP) entry from the inbound sa spi hash table
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Freeing the SA spi=0xc1d5a864, proto=ESP
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Out bound SA. Not sending notification
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted (spi=0xc1d5a864, protocol=ESP dst=y.y.y.y) entry from the peer hash table. Reason: P1 SA deleted
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_peer_remove_sa_cfg_entry: remove sa_cfg tunnel_id entry 131079 from peer entry 0xec5100
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted the blob requested
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Deleted the blob requested
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_pm_p1_sa_destroy: p1 sa 6325486 (ref cnt 0), waiting_for_del 0x0
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_peer_remove_p1sa_entry: Remove p1 sa 6325486 from peer entry 0xec5100
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] iked_peer_entry_patricia_delete: Peer entry 0xec5100 deleted for local x.x.x.x:500 and remote y.y.y.y:500
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Triggering negotiation for vpn1 config block
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: non-natt case for gateway GTW1, lookup peer entry from local_port=0, remote_port=500.
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_create_peer_entry: Created peer entry 0xdddc00 for local x.x.x.x:500 remote y.y.y.y:500
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_fetch_or_create_peer_entry: Create peer entry 0xdddc00 for local x.x.x.x:500 remote y.y.y.y:500. gw GTW1, VR id 0
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_pm_trigger_callback: FOUND non-natt peer entry for gateway GTW1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Initiating new P1 SA for gateway GTW1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] P1 SA 6325537 start timer. timer duration 30, reason 1.
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_peer_insert_p1sa_entry: Insert p1 sa 6325537 in peer entry 0xdddc00
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_allocate: Allocated packet dab400 from freelist
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [dab400/e09000] Stored packet into window 122ba00
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ssh_ikev2_ipsec_send: Started IPsec SA creation y.y.y.y;500
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] IKE SA fill called for negotiation of local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_dh_get_group: DH Group 2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_dh_generate_sync: Requested DH group 2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_dh_generate_sync: Generated DH keys using hardware for DH group 2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_generate_async: DH Generate Secs [0] USecs [4946]
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_generate_async: Generated DH using hardware
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [dab400/e09000] Sending packet using VR id 0
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_st_forward: [da3400/e09000] R: IKE SA REFCNT: 3
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Received Unauthenticated notification payload Multiple auth supported from local:x.x.x.x remote:y.y.y.y IKEv2 for P1 SA 6325537
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_decode_packet: [da3400/e09000] Updating responder IKE SPI to IKE SA e09000 I 8c53590a 6ec75217 R ab725c1d 19f0e76d
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_decode_packet: [da3400/e09000] Received packet: HDR, SA, KE, Nonce, N(MULTIPLE_AUTH_SUPPORTED)
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [da3400/e09000] STOP-RETRANSMIT: Response to request dab400 with m-id 0
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [da3400/e09000] Stored packet into window 122ca60
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_allocate: Allocated packet da0800 from freelist
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [da0800/e09000] Stored packet into window 122ba00
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_dh_get_group: DH Group 2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_dh_compute_synch: Requested DH group 2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_final_async: DH Compute Secs [0] USecs [4732]
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] juniper_dlp_diffie_hellman_final_async: Computed DH using hardware
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_pm_ipsec_spi_allocate: local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Added (spi=0x3d40bddc, protocol=0) entry to the spi table
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Ignoring notification of type 16404
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Ignoring notification of type 16404
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_pm_ike_spd_notify_request: Sending Initial contact
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Sending IKE window size notification for IKE SA of size 1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Construction NHTB payload for local:x.x.x.x, remote:y.y.y.y IKEv2 P1 SA index 6325537 sa-cfg vpn1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg vpn1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_send_packet: [da0800/e09000] Sending packet using VR id 0
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_st_send: Registering timeout at 10000 (10.0)
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_st_forward: [da6000/e09000] R: IKE SA REFCNT: 3
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_packet_done: [da3400/0] Destroyed already. Thread completed. Freeing now.
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [da6000/e09000] STOP-RETRANSMIT: Response to request da0800 with m-id 1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_udp_window_update: [da6000/e09000] Stored packet into window 122ca60
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Received Unauthenticated notification payload unknown from local:x.x.x.x remote:y.y.y.y IKEv2 for P1 SA 6325537
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ikev2_decode_packet: [da6000/e09000] Received packet: HDR, IDr, AUTH, SA, TSi, TSr, N(RESERVED)
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_pm_ipsec_sa_install: local:x.x.x.x, remote:y.y.y.y IKEv2 for SA-CFG vpn1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Parsing notification payload for local:x.x.x.x, remote:y.y.y.y IKEv2
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Ignoring notification of type 16403
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Ignoring notification of type 16404
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Setting lifetime 3600 and lifesize 0 for IPSec SA
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Creating a SA spi=0x3d40bddc, proto=ESP pair_index = 1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Added (spi=0x3d40bddc, protocol=ESP dst=x.x.x.x) entry to the peer hash table
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_peer_insert_sa_cfg_entry: insert sa_cfg tunnel_id entry 131079 into peer entry 0xdddc00
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Creating a SA spi=0xcbd4ba12, proto=ESP pair_index = 1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Added (spi=0xcbd4ba12, protocol=ESP dst=y.y.y.y) entry to the peer hash table
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] iked_nhtb_update_on_sa_create: Interface st0.11 is P2P for sa_cfg vpn1. Thus ignoring NHTB notification message
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Hardlife timer started for inbound vpn1 with 3600 seconds/0 kilobytes
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Softlife timer started for inbound vpn1 with 2981 seconds/0 kilobytes
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_sa_bundle
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] vpn1 : VPN Monitor Interval=0(0) Optimized=0(0)
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] SA bundle remote gateway: IP y.y.y.y chosen
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] SA bundle local gateway: IP x.x.x.x chosen
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_ipsec_ipc_sa_pair
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_ipc_sa_keys
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_ipc_sa_keys
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_ipc_sa_keys
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] In iked_fill_ipc_sa_keys
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] ----------------Voyager ipsec SA BUNDLE-------------------
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] SA pair update request for:
Tunnel index: 131079

Do you have any clue regarding this error?

How can I resolve the problem and make the VPN tunnel stable?

Regards,

TF
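As an added diagnostic (not part of the original post, and not Juniper tooling), the Python below walks an iked trace like the one above and turns each rekey into a one-line verdict: how long the SRX kept retransmitting the rekey request, how many retries it made, whether any packet came back from the peer before the "Timed out" status, whether the st0 interface went down, and whether a new child SA came up afterwards; it also recognises a rekey that completes normally. It keys on message strings visible in the trace, and the embedded SAMPLE is a constructed, condensed copy of those lines.

```python
"""Summarise IKEv2 child-SA rekey attempts from a Junos iked trace.
Added example, not from the original post; patterns follow the trace quoted above."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Each trace line: "[May 24 08:37:57][x.x.x.x <-> y.y.y.y] message"
LINE_RE = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\]\[[^\]]*\] ?(?P<msg>.*)$")

# Message patterns, tried in order; the first hit classifies the line.
EVENTS = {
    "soft_expired": re.compile(r"Soft life timer expired for inbound (?P<vpn>\S+) with spi (?P<spi>0x[0-9a-f]+)"),
    "retry": re.compile(r"Retry rekey timer expired for inbound (?P<vpn>\S+) with spi"),
    "reply": re.compile(r"ikev2_decode_packet: .*Received packet:"),
    "failed": re.compile(r"IPSec negotiation failed for SA-CFG (?P<vpn>\S+) .*status: (?P<status>.+)$"),
    "ifl_down": re.compile(r"update ifl (?P<ifl>\S+) status DOWN for sa_cfg (?P<vpn>\S+)"),
    "softlife": re.compile(r"Softlife timer started for inbound (?P<vpn>\S+) with (?P<secs>\d+) seconds"),
}

@dataclass
class RekeyAttempt:
    vpn: str
    spi: str
    started: datetime
    retries: int = 0                      # "Retry rekey timer expired" lines seen
    replies: int = 0                      # peer packets decoded while the rekey was open
    outcome: str = "in progress"          # "completed", or the status text of the failure line
    ended: Optional[datetime] = None
    ifl_down: Optional[str] = None        # st0 unit the failure brought down, if any
    recovered: Optional[datetime] = None  # a new child SA started after the failure

def _ts(text: str) -> datetime:
    # Trace timestamps carry no year; any fixed year works for deltas (assumption).
    return datetime.strptime(f"{text} 2000", "%b %d %H:%M:%S %Y")

def analyse(lines) -> Dict[str, List[RekeyAttempt]]:
    """Group rekey attempts by sa_cfg name, in the order they started."""
    attempts: Dict[str, List[RekeyAttempt]] = {}
    open_by_vpn: Dict[str, RekeyAttempt] = {}
    last_failed: Optional[RekeyAttempt] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m: continue
        when, msg = _ts(m["ts"]), m["msg"]
        for name, rx in EVENTS.items():
            e = rx.search(msg)
            if not e: continue
            vpn = e.groupdict().get("vpn")
            if name == "soft_expired":
                a = RekeyAttempt(vpn, e["spi"], when)
                attempts.setdefault(vpn, []).append(a)
                open_by_vpn[vpn] = a
            elif name == "retry" and vpn in open_by_vpn:
                open_by_vpn[vpn].retries += 1
            elif name == "reply":
                for a in open_by_vpn.values():
                    a.replies += 1
            elif name == "failed" and vpn in open_by_vpn:
                a = open_by_vpn.pop(vpn)
                a.outcome, a.ended, last_failed = e["status"].strip(), when, a
            elif name == "softlife" and vpn in open_by_vpn:
                a = open_by_vpn.pop(vpn)           # the rekey produced a new child SA
                a.outcome, a.ended = "completed", when
            elif last_failed is not None and vpn == last_failed.vpn:
                if name == "ifl_down":
                    last_failed.ifl_down = e["ifl"]
                elif name == "softlife":
                    last_failed.recovered = when
            break
    return attempts

def verdict(a: RekeyAttempt) -> str:
    """One-line reading of an attempt in the terms a tunnel operator would use."""
    took = None if a.ended is None else int((a.ended - a.started).total_seconds())
    if a.outcome == "completed":
        return f"{a.vpn} rekey of {a.spi}: completed in {took}s"
    if a.outcome == "Timed out" and a.replies == 0:
        tail = "a new child SA came up afterwards" if a.recovered else "no recovery seen"
        return (f"{a.vpn} rekey of {a.spi}: no reply from peer in {took}s ({a.retries} retries); "
                f"{a.ifl_down or 'no interface'} went down; {tail}")
    return f"{a.vpn} rekey of {a.spi}: ended '{a.outcome}' after {a.replies} reply packets"

# Constructed sample: the key lines of the trace in the post, retry chatter removed.
SAMPLE = """\
[May 24 08:37:57][x.x.x.x <-> y.y.y.y] Soft life timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:07][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:17][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:27][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:37][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:47][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] Retry rekey timer expired for inbound vpn1 with spi 0x955ebd3
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] IPSec negotiation failed for SA-CFG vpn1 for local:x.x.x.x, remote:y.y.y.y IKEv2. status: Timed out
[May 24 08:38:57][x.x.x.x <-> y.y.y.y] kmd_update_tunnel_interface: update ifl st0.11 status DOWN for sa_cfg vpn1
[May 24 08:39:00][x.x.x.x <-> y.y.y.y] Softlife timer started for inbound vpn1 with 2981 seconds/0 kilobytes
"""
if __name__ == "__main__":
    for attempts in analyse(SAMPLE.splitlines()).values():
        print("\n".join(verdict(a) for a in attempts))
```

Feed it the full trace from `security ike traceoptions` to see every attempt; a verdict of "no reply from peer" over a 60-second retransmit window points at the peer side of the rekey rather than at the SRX proposal itself.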

TCP-Proxy

Does the SRX act as a proxy for TCP connections by default, or does this have to be configured?

SRX240 Max IPSec VPN's

Hi All,

Can anyone help out with experiences on SRX240 IPSec VPN tunnels? Specifically the 'actual' maximum number supported?

I posed a question to JTAC to clarify the number (1000 according to the datasheet), and was advised that the total IPSec VPN concurrency was tested without any other feature enabled, that therefore it may do more, and that the number is theoretical. That's a bit of a fluffy answer.

We have a customer who currently has 944 on their 240 cluster, and we're obviously wondering just how much further the 240 will go (there are some more tunnels to go on in the near future).

So, in everyone's experience:

1. Is the 1000 tunnel number a hard limit or theoretical?

2. If it's theoretical, does anyone have experience past 1000 tunnels? If so, how many?

Cheers

Andy

PS: Let's just ignore how long it takes to commit that config, shall we? :)

SRX SSLVPN config

Hello,

Please advise me if this is off topic and should be in another section.

I am looking to implement SSL VPN with a Pulse Connect Secure appliance. The termination will be an SRX3xx.

Can someone point me to where I can find guides to configure the SRX for SSL VPN?

Thanks

IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation

Hi All,

I am trying to set up a route-based IPsec VPN between an SRX345 and a Cisco RVI 130, but it does not work, failing with the following error: IKE negotiation failed with error: IKE gateway configuration lookup failed during negotiation.

Can anyone advise on this?

Enclosed are screenshots from the RVI130, and below is the SRX345 config:


security {
    ike {
        proposal ikephase1proposal_VPN1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ikephase1policy_VPN1 {
            mode aggressive;
            proposals ikephase1proposal_VPN1;
            pre-shared-key ascii-text "Password"; ## SECRET-DATA
        }
        gateway gw-VPN1 {
            ike-policy ikephase1policy_VPN1;
            address 10.10.10.10;
            external-interface reth1.0;
        }
    }
    ipsec {
        proposal ipsecphase2proposal_VPN1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsecphase2policy_VPN1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsecphase2proposal_VPN1;
        }
        vpn ike-vpn-VPN1 {
            bind-interface st8.0;
            ike {
                gateway gw-VPN1;
                ipsec-policy ipsecphase2policy_VPN1;
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
}

SRX240 only one IPSec tunnel is slow in one direction.

Hello.

I have an SRX240H with multiple IPsec tunnels and an SRX210H with multiple tunnels too.

Both boxes have JUNOS Software Release [12.1X46-D60.4], and only one IPsec tunnel, in one direction (240->210), is slow: about 1.05 Mbps (iperf testing), while the WAN is 30 Mbps at the 210 and 100 Mbps at the 240. The reverse direction (210->240) is OK: 29.8 Mbps.

The config for all tunnels is the same.

tcp-mss is 1350 on both sides.

And there is no shaping.

I need advice on how to get rid of this.

Thanks!

SRX 550 ethernet aggregate configuration

Hi team,

I have four SRX 550 devices at two data centers.

Below is the topology.

SRX1 DC1 connected to SRX2 DC2 via 1G link.

SRX3 DC1 connected to SRX4 DC2 via 1G link.

I need to know whether there is any chance I can do Ethernet aggregation for these 2x1G links and make a single 2G link with these four devices, so that if any one device fails I can still use 1G of bandwidth.

Note: currently there is no connection between SRX1 and SRX3, or between SRX2 and SRX4.

SRX1 (DC1)----------------------1G-------------------SRX2 (DC2)

SRX3 (DC1)------------------------1G-------------------SRX4 (DC2)


Client to LAN VPN error

I'm trying to set up a client-to-LAN VPN to a web server behind an SRX100. The tunnel is not coming up, and I'm getting the following error when collecting traceoptions for the tunnels:

[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e0d800 from freelist
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 00000000 00000000 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_allocate: Start, SA = { b76149a8 bb4f7250 - ba1ee5c3 23a0bb27 }
[May 24 14:33:53]ike_init_isakmp_sa: Start, remote = 10.128.137.2:500, initiator = 0
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / 00000000, nego = -1
[May 24 14:33:53]ike_decode_payload_sa: Start
[May 24 14:33:53]ike_decode_payload_t: Start, # trans = 3
[May 24 14:33:53]ike_st_i_vid: VID[0..20] = 01528bbb c0069612 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..20] = 1e2b5169 05991c7d ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = fb1de3cd f341b7ea ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = 26244d38 eddb61b3 ...
[May 24 14:33:53]ike_st_i_vid: VID[0..16] = e3a5966a 76379fe7 ...
[May 24 14:33:53]ike_st_i_sa_proposal: Start
[May 24 14:33:53]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE_GW for remote dynamic peer, sa_cfg[IPSEC_VPN]
[May 24 14:33:53]ike_isakmp_sa_reply: Start
[May 24 14:33:53]ike_state_restart_packet: Start, restart packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:33:53]ike_st_i_sa_proposal: Start
[May 24 14:33:53]ike_st_i_cr: Start
[May 24 14:33:53]ike_st_i_cert: Start
[May 24 14:33:53]ike_st_i_private: Start
[May 24 14:33:53]ike_st_o_sa_values: Start
[May 24 14:33:53]ike_policy_reply_isakmp_vendor_ids: Start
[May 24 14:33:53]ike_st_o_private: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_encode_packet: Start, SA = { 0xb76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, nego = -1
[May 24 14:33:53]ike_send_packet: Start, send SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e0dc00 from freelist
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / 00000000, nego = -1
[May 24 14:33:53]ike_st_i_nonce: Start, nonce[0..48] = d34cca05 729d990b ...
[May 24 14:33:53]ike_st_i_ke: Ke[0..128] = a3b1ac42 37aeee0e ...
[May 24 14:33:53]ike_st_i_cr: Start
[May 24 14:33:53]ike_st_i_cert: Start
[May 24 14:33:53]ike_st_i_private: Start
[May 24 14:33:53]ike_st_o_ke: Start
[May 24 14:33:53]ike_st_o_nonce: Start
[May 24 14:33:53]ike_policy_reply_isakmp_nonce_data_len: Start
[May 24 14:33:53]IKED-PKID-IPC Failed to delete cert chain patricia node
[May 24 14:33:53]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:53]ike_policy_reply_get_cas: Start
[May 24 14:33:53]ike_state_restart_packet: Start, restart packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:33:53]ike_st_o_private: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_policy_reply_private_payload_out: Start
[May 24 14:33:53]ike_st_o_calc_skeyid: Calculating skeyid
[May 24 14:33:53]ike_encode_packet: Start, SA = { 0xb76149a8 bb4f7250 - 647ce0e5 7e90125f } / 00000000, nego = -1
[May 24 14:33:53]ike_send_packet: Start, send SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:53]ikev2_packet_allocate: Allocated packet e20000 from freelist
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:53]ike_get_sa: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f } / e8a5c6d8, remote = 10.128.137.2:500
[May 24 14:33:53]ike_sa_find: Found SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ike_alloc_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}
[May 24 14:33:53]ike_decode_packet: Start
[May 24 14:33:53]ike_decode_packet: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f} / e8a5c6d8, nego = 0
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Error = No SA established (8194)
[May 24 14:33:53]ike_send_notify: Notification to informational exchange ignored
[May 24 14:33:53]ike_delete_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = 0
[May 24 14:33:53]ike_free_negotiation_info: Start, nego = 0
[May 24 14:33:53]ike_free_negotiation: Start, nego = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20400 from freelist
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - 00000000 00000000 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_allocate: Start, SA = { 4a5ec625 c426a0c8 - e5e208da 0210ad6b }
[May 24 14:33:54]ike_init_isakmp_sa: Start, remote = 10.128.137.2:500, initiator = 0
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / 00000000, nego = -1
[May 24 14:33:54]ike_decode_payload_sa: Start
[May 24 14:33:54]ike_decode_payload_t: Start, # trans = 3
[May 24 14:33:54]ike_st_i_vid: VID[0..20] = 01528bbb c0069612 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..20] = 1e2b5169 05991c7d ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 4048b7d5 6ebce885 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = fb1de3cd f341b7ea ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = 26244d38 eddb61b3 ...
[May 24 14:33:54]ike_st_i_vid: VID[0..16] = e3a5966a 76379fe7 ...
[May 24 14:33:54]ike_st_i_sa_proposal: Start
[May 24 14:33:54]iked_pm_dynamic_gw_local_addr_based_lookup: Found gateway matching local addr IKE_GW for remote dynamic peer, sa_cfg[IPSEC_VPN]
[May 24 14:33:54]ike_isakmp_sa_reply: Start
[May 24 14:33:54]ike_state_restart_packet: Start, restart packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:33:54]ike_st_i_sa_proposal: Start
[May 24 14:33:54]ike_st_i_cr: Start
[May 24 14:33:54]ike_st_i_cert: Start
[May 24 14:33:54]ike_st_i_private: Start
[May 24 14:33:54]ike_st_o_sa_values: Start
[May 24 14:33:54]ike_policy_reply_isakmp_vendor_ids: Start
[May 24 14:33:54]ike_st_o_private: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_encode_packet: Start, SA = { 0x4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, nego = -1
[May 24 14:33:54]ike_send_packet: Start, send SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20800 from freelist
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / 00000000, nego = -1
[May 24 14:33:54]ike_st_i_nonce: Start, nonce[0..48] = 52daa00e c8bc3ef0 ...
[May 24 14:33:54]ike_st_i_ke: Ke[0..128] = b418102a e5a211d8 ...
[May 24 14:33:54]ike_st_i_cr: Start
[May 24 14:33:54]ike_st_i_cert: Start
[May 24 14:33:54]ike_st_i_private: Start
[May 24 14:33:54]ike_st_o_ke: Start
[May 24 14:33:54]ike_st_o_nonce: Start
[May 24 14:33:54]ike_policy_reply_isakmp_nonce_data_len: Start
[May 24 14:33:54]IKED-PKID-IPC Failed to delete cert chain patricia node
[May 24 14:33:54]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:54]ike_policy_reply_get_cas: Start
[May 24 14:33:54]ike_state_restart_packet: Start, restart packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:33:54]ike_st_o_private: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_policy_reply_private_payload_out: Start
[May 24 14:33:54]ike_st_o_calc_skeyid: Calculating skeyid
[May 24 14:33:54]ike_encode_packet: Start, SA = { 0x4a5ec625 c426a0c8 - ffd18544 6524a553 } / 00000000, nego = -1
[May 24 14:33:54]ike_send_packet: Start, send SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:54]ikev2_packet_allocate: Allocated packet e20c00 from freelist
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[May 24 14:33:54]ike_get_sa: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 } / cc53a520, remote = 10.128.137.2:500
[May 24 14:33:54]ike_sa_find: Found SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:33:54]ike_alloc_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}
[May 24 14:33:54]ike_decode_packet: Start
[May 24 14:33:54]ike_decode_packet: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553} / cc53a520, nego = 0
[May 24 14:33:54]<none>:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [0] / 0xcc53a520 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:54]<none>:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [0] / 0xcc53a520 } Info; Error = No SA established (8194)
[May 24 14:33:54]ike_send_notify: Notification to informational exchange ignored
[May 24 14:33:54]ike_delete_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = 0
[May 24 14:33:54]ike_free_negotiation_info: Start, nego = 0
[May 24 14:33:54]ike_free_negotiation: Start, nego = 0
[May 24 14:34:03]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:03]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:04]ike_retransmit_callback: Start, retransmit SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:04]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:13]ike_retransmit_callback: Start, retransmit SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:13]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:14]ike_retransmit_callback: Start, retransmit SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:14]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:23]P1 SA 4019557 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x300.
[May 24 14:34:23]iked_pm_ike_sa_delete_done_cb: For p1 sa index 4019557, ref cnt 2, status: Error ok
[May 24 14:34:23]ike_remove_callback: Start, delete SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:23]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:23]ike_delete_negotiation: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1
[May 24 14:34:23]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 24 14:34:23]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 24 14:34:23]ike_sa_delete: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:34:23]ike_free_negotiation_isakmp: Start, nego = -1
[May 24 14:34:23]ike_free_negotiation: Start, nego = -1
[May 24 14:34:23]IKE SA delete called for p1 sa 4019557 (ref cnt 2) local:10.128.63.195, remote:10.128.137.2, IKEv1
[May 24 14:34:23]P1 SA 4019557 reference count is not zero (1). Delaying deletion of SA
[May 24 14:34:23]ike_free_sa: Start
[May 24 14:34:23]iked_pm_ike_sa_done: UNUSABLE p1_sa 4019557
[May 24 14:34:23] IKEv1 Error : Timeout
[May 24 14:34:23]iked_pm_p1_sa_destroy: p1 sa 4019557 (ref cnt 0), waiting_for_del 0xa332c0
[May 24 14:34:24]P1 SA 4019558 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x300.
[May 24 14:34:24]iked_pm_ike_sa_delete_done_cb: For p1 sa index 4019558, ref cnt 2, status: Error ok
[May 24 14:34:24]ike_remove_callback: Start, delete SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:24]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:24]ike_delete_negotiation: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1
[May 24 14:34:24]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[May 24 14:34:24]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[May 24 14:34:24]ike_sa_delete: Start, SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553 }
[May 24 14:34:24]ike_free_negotiation_isakmp: Start, nego = -1
[May 24 14:34:24]ike_free_negotiation: Start, nego = -1
[May 24 14:34:24]IKE SA delete called for p1 sa 4019558 (ref cnt 2) local:10.128.63.195, remote:10.128.137.2, IKEv1
[May 24 14:34:24]P1 SA 4019558 reference count is not zero (1). Delaying deletion of SA
[May 24 14:34:24]ike_free_sa: Start
[May 24 14:34:24]iked_pm_ike_sa_done: UNUSABLE p1_sa 4019558
[May 24 14:34:24] IKEv1 Error : Timeout
[May 24 14:34:24]iked_pm_p1_sa_destroy: p1 sa 4019558 (ref cnt 0), waiting_for_del 0xdf9f60

We are not using Juniper certs, rather a certificate we signed. I have a similar cert on my desktops signed by the same CA. I also configured NTP to make sure that the SRX and my WS point to the same NTP server. Below is my VPN config. Security policies are wide open (basically any/any allowed). My WS is Windows 10.

Please suggest if something is wrong with my config.

 

set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POL mode main
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate srx001
set security ike policy IKE_POL certificate peer-certificate-type x509-signature
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW dynamic distinguished-name wildcard C=CA
set security ike gateway IKE_GW local-identity inet 10.128.63.195
set security ike gateway IKE_GW external-interface fe-0/0/0.0
set security ike gateway IKE_GW version v1-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.0
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL

Certificate details on SRX:

root@FOCFAS01> show security pki local-certificate
Certificate identifier: srx001
Issued to: focfas01, Issued by: C = CA, O = ABC Inc., CN = ABC Issuing CA SHA256
Validity:
Not before: 05-12-2017 21:38 UTC
Not after: 05-11-2022 21:38 UTC
Public key algorithm: rsaEncryption(2048 bits)
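The trace above shows the same pattern twice, once per initiator cookie (b76149a8... and 4a5ec625...): the SRX, acting as responder, fails its CA lookup right before calculating SKEYID, the peer's next main-mode packet is rejected with "no decryption context initialized", and the attempt ends in retransmits and a force-delete timeout. The script below is an added example and not part of the post: it groups an iked trace by IKE SA and reduces each SA to a verdict. The signature list and the hint text are this editor's, not Juniper's; the SAMPLE_TRACE is a constructed excerpt of the lines posted above.

```python
"""Triage a Junos iked trace: group lines per IKE SA and reduce to a verdict.
Added example, not code from the original post. Assumes the trace came from
`security ike traceoptions` and that lines are in emission order, so a line
without a cookie (PKI callbacks, the final "IKEv1 Error") belongs to the SA
mentioned most recently."""
import re
from collections import OrderedDict

# matches "{ 4a5ec625 c426a0c8 - ffd18544 6524a553 }" and the "0x"-prefixed form
SA_RE = re.compile(r"\{\s*(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")
TS_RE = re.compile(r"^\[([^\]]+)\]")
PEER_RE = re.compile(r"(?:remote =|dst =|<->) (\d+\.\d+\.\d+\.\d+:\d+)")

SIGNATURES = [  # substring in the line -> event tag, first match wins
    ("CA lookup failed", "ca_lookup_failed"),
    ("Failed to delete cert chain", "cert_chain_error"),
    ("no decryption context initialized", "no_decrypt_context"),
    ("No SA established", "no_sa_established"),
    ("retransmit previous packet", "retransmit"),
    ("Connection timed out", "timeout"),
    ("IKEv1 Error : Timeout", "timeout"),
]
HINTS = {  # editor's wording, not Juniper's
    "pki_failure": "CA lookup failed before SKEYID; the peer's first encrypted "
                   "packet had no decryption context. Check the issuing CA is "
                   "enrolled/loaded and the local cert chain validates against it.",
    "timeout": "no PKI/decrypt error, negotiation just timed out; check the peer.",
    "no_failure": "no failure signature in this SA's lines.",
}


def parse_trace(text):
    """Key on the initiator cookie: the responder cookie changes mid-exchange
    (00000000..., a temporary value, then the final one) but SPI_i is stable."""
    sas, current = OrderedDict(), None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            current = m.group(1) + m.group(2)
            sas.setdefault(current, {"peer": None, "first": None, "last": None, "events": []})
        if current is None:
            continue  # nothing to attribute this line to yet
        rec = sas[current]
        ts = TS_RE.match(line)
        if ts:
            rec["first"] = rec["first"] or ts.group(1)
            rec["last"] = ts.group(1)
        if rec["peer"] is None and PEER_RE.search(line):
            rec["peer"] = PEER_RE.search(line).group(1)
        for needle, tag in SIGNATURES:
            if needle in line:
                rec["events"].append(tag)
                break
    return sas


def diagnose(sas):
    """One verdict per SA: code, hint, retransmit count and time window."""
    report = []
    for cookie, rec in sas.items():
        ev = set(rec["events"])
        if "ca_lookup_failed" in ev and ev & {"no_decrypt_context", "no_sa_established"}:
            code = "pki_failure"
        elif "timeout" in ev:
            code = "timeout"
        else:
            code = "no_failure"
        report.append({"initiator_cookie": cookie, "peer": rec["peer"],
                       "window": (rec["first"], rec["last"]),
                       "retransmits": rec["events"].count("retransmit"),
                       "code": code, "hint": HINTS[code]})
    return report


# Constructed excerpt: a subset of the lines from the trace posted above.
SAMPLE_TRACE = """\
[May 24 14:33:53]ike_sa_allocate: Start, SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f }
[May 24 14:33:53]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:53]ike_send_packet: Start, send SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500, routing table id = 0
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:33:53]<none>:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [0] / 0xe8a5c6d8 } Info; Error = No SA established (8194)
[May 24 14:33:54]ike_sa_allocate: Start, SA = { 4a5ec625 c426a0c8 - e5e208da 0210ad6b }
[May 24 14:33:54]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
[May 24 14:33:54]<none>:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [0] / 0xcc53a520 } Info; Trying to decrypt, but no decryption context initialized
[May 24 14:34:03]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:04]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:13]ike_send_packet: Start, retransmit previous packet SA = { b76149a8 bb4f7250 - 647ce0e5 7e90125f}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:14]ike_send_packet: Start, retransmit previous packet SA = { 4a5ec625 c426a0c8 - ffd18544 6524a553}, nego = -1, dst = 10.128.137.2:500 routing table id = 0
[May 24 14:34:23]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { b76149a8 bb4f7250 - 647ce0e5 7e90125f [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:23] IKEv1 Error : Timeout
[May 24 14:34:24]10.128.63.195:500 (Responder) <-> 10.128.137.2:500 { 4a5ec625 c426a0c8 - ffd18544 6524a553 [-1] / 0x00000000 } IP; Connection timed out or error, calling callback
[May 24 14:34:24] IKEv1 Error : Timeout
"""

if __name__ == "__main__":
    for r in diagnose(parse_trace(SAMPLE_TRACE)):
        print(r["initiator_cookie"], r["peer"], r["window"], r["retransmits"], r["code"])
```

Feed it the full trace file and each SA comes out as one line instead of a hundred. On the SRX side, the checks the "pki_failure" verdict points at are `show security pki ca-certificate` (is the CA that issued srx001 loaded at all?) and `request security pki local-certificate verify certificate-id srx001`, which validates the local certificate against the enrolled CA chain on the box itself, independent of IKE.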

Source-NAT

Why does source-NAT evaluation occur after route lookup?

IDP offline updates easier

Hi,

This is a simple script to simplify downloading the IDP signatures for SRX offline; you'll need to define your device model / OS version / build number, and the script will let you know the latest available version and download it.


Here's the link to the script; it'll be updated with other functions. I'm also attaching the script if you just need this download part.

https://github.com/mmento/idpofflineupdate/blob/master/idpofflineupdate.py


You can run it on Unix-based machines or macOS; on Windows it will download the files but won't unzip them.


Hope this will help.


BR,
Mahdy

Both SRX340s are masters in VRRP. Both routers have exactly the same configuration.

Hi,

I have 2 SRX340 connected via 2 switches (EX2200).

I configured trunks between the SRX340s and the switches, and between the switches.

All the security policies allow all protocols on both SRXs.

However, both routers are masters, and I see that one of them is only sending VRRP advertisements but doesn't receive any; the other one sends and receives.

What could be the issue?

SRX1:

irb {
    unit 10 {
        description Interface_for_Voice_and_Equip_VLAN;
        family inet {
            address 192.168.1.156/27 {
                vrrp-group 10 {
                    virtual-address 192.168.1.158;
                    priority 110;
                    preempt;
                    accept-data;
                }
            }
        }
    }
}

ge-0/0/8 {
    unit 0 {
        description EX22_1;
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ Voice_and_Equip Test NMS ];
            }
        }
    }
}

-------------------------------------------------------------------------------------------------------------------

SRX_1> show vrrp interface irb.10
Interface: irb.10, Interface index :84, Groups: 1, Active :1
Interface VRRP PDU statistics
Advertisement sent :189735
Advertisement received :189775
Packets received :189775
No group match received :0
Interface VRRP PDU error statistics
Invalid IPAH next type received :0
Invalid VRRP TTL value received :0
Invalid VRRP version received :0
Invalid VRRP PDU type received :0
Invalid VRRP authentication type received:0
Invalid VRRP IP count received :0
Invalid VRRP checksum received :0

Physical interface: irb, Unit: 10, Address: 192.168.1.156/27
Index: 84, SNMP ifIndex: 549, VRRP-Traps: disabled, VRRP-Version: 2
Interface state: up, Group: 10, State: master, VRRP Mode: Active
Priority: 110, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.1.158
Advertisement Timer: 0.336s, Master router: 192.168.1.156
Virtual router uptime: 1d 22:11, Master router uptime: 1d 22:11
Virtual Mac: 00:00:5e:00:01:0a
Tracking: disabled
Group VRRP PDU statistics
Advertisement sent :189735
Advertisement received :189775

-------------------------------------------------------------------------------------------------------------------

SRX2

irb {
    unit 10 {
        description VLAN_Interface_LAN;
        family inet {
            address 192.168.1.157/27 {
                vrrp-group 10 {
                    virtual-address 192.168.1.158;
                    priority 100;
                    accept-data;
                }
            }
        }
    }
}

ge-0/0/8 {
    unit 0 {
        description EX22_2;
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ Voice_and_Equip Test NMS ];
            }
        }
    }
}

EX2200

ge-0/0/7 {
    unit 0 {
        description TRUNK_TO_MNL_EX2220_2;
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ Voice_and_Equip Test NMS ];
            }
        }
    }
}

ge-0/0/23 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members Voice_and_Equip;
            }
        }
    }
}


-------------------------------------------------------------------------------------------------------------------

SRX_2> show vrrp interface irb.10
Interface: irb.10, Interface index :71, Groups: 1, Active :1
Interface VRRP PDU statistics
Advertisement sent :212398
Advertisement received :0
Packets received :0
No group match received :0
Interface VRRP PDU error statistics
Invalid IPAH next type received :0
Invalid VRRP TTL value received :0
Invalid VRRP version received :0
Invalid VRRP PDU type received :0
Invalid VRRP authentication type received:0
Invalid VRRP IP count received :0
Invalid VRRP checksum received :0

Physical interface: irb, Unit: 10, Address: 192.168.1.157/27
Index: 71, SNMP ifIndex: 548, VRRP-Traps: disabled, VRRP-Version: 2
Interface state: up, Group: 10, State: master, VRRP Mode: Active
Priority: 100, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.1.158
Advertisement Timer: 0.506s, Master router: 192.168.1.157
Virtual router uptime: 2d 03:41, Master router uptime: 2d 03:41
Virtual Mac: 00:00:5e:00:01:0a
Tracking: disabled
Group VRRP PDU statistics
Advertisement sent :212398
Advertisement received :0


--------------------------------------------------------------------------------------

zones {
    security-zone LAN {
        description Voice_and_Equipment_Zone;
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            irb.100;
            irb.10 {
                host-inbound-traffic {
                    protocols {
                        vrrp;
                        all;
                    }
                }
            }
        }
    }
}

from-zone LAN to-zone LAN {
    policy LAN_to_LAN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

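The two `show vrrp interface irb.10` outputs already contain the answer to "which side is deaf": SRX1 counts received advertisements, SRX2 counts none. So SRX1 (priority 110) keeps mastership as it should, while SRX2 never hears a higher-priority master and elects itself. The added example below, not part of the post, reduces two such outputs to that finding; its SRX1 and SRX2 strings are abridged copies of the outputs posted above, and the field patterns are this editor's, matched against that output format only.

```python
"""Split-brain check for two `show vrrp interface` outputs. Added example,
not from the original post; the sample outputs below are abridged copies of
the two outputs the poster pasted."""
import re

FIELDS = (  # key, regex, converter; written against the Junos output format above
    ("address", r"Address: ([\d.]+)/", str),
    ("group", r"Group: (\d+), State:", int),
    ("state", r"State: (\w+), VRRP Mode", str),
    ("priority", r"Priority: (\d+)", int),
    ("vip", r"VIP: ([\d.]+)", str),
    ("master", r"Master router: ([\d.]+)", str),
)


def parse_show_vrrp(text):
    """Extract the election-relevant fields and the PDU counters."""
    info = {"sent": 0, "received": 0}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"Advertisement (sent|received)\s*:(\d+)", line)
        if m:
            # printed at interface and group level; the later group block wins
            info[m.group(1)] = int(m.group(2))
            continue
        for key, pattern, conv in FIELDS:
            m = re.search(pattern, line)
            if m:
                info[key] = conv(m.group(1))
    return info


def check_pair(a, b):
    """Compare two members of one group; report who should win and which
    direction of advertisement traffic (IP protocol 112 to 224.0.0.18) is lost."""
    report = {
        "mismatch": a["group"] != b["group"] or a["vip"] != b["vip"],
        "split_brain": a["state"] == "master" and b["state"] == "master",
        # VRRPv2 election: higher priority wins
        "expected_master": max((a, b), key=lambda p: p["priority"])["address"],
        "lost_direction": [],  # (sender, deaf receiver) pairs
    }
    for me, other in ((a, b), (b, a)):
        if other["sent"] > 0 and me["received"] == 0:
            report["lost_direction"].append((other["address"], me["address"]))
    return report


# Abridged copies of the two outputs posted above.
SRX1 = """\
Interface: irb.10, Interface index :84, Groups: 1, Active :1
Interface VRRP PDU statistics
Advertisement sent :189735
Advertisement received :189775
Physical interface: irb, Unit: 10, Address: 192.168.1.156/27
Interface state: up, Group: 10, State: master, VRRP Mode: Active
Priority: 110, Advertisement interval: 1, Authentication type: none
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.1.158
Advertisement Timer: 0.336s, Master router: 192.168.1.156
Group VRRP PDU statistics
Advertisement sent :189735
Advertisement received :189775
"""
SRX2 = """\
Interface: irb.10, Interface index :71, Groups: 1, Active :1
Interface VRRP PDU statistics
Advertisement sent :212398
Advertisement received :0
Physical interface: irb, Unit: 10, Address: 192.168.1.157/27
Interface state: up, Group: 10, State: master, VRRP Mode: Active
Priority: 100, Advertisement interval: 1, Authentication type: none
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.1.158
Advertisement Timer: 0.506s, Master router: 192.168.1.157
Group VRRP PDU statistics
Advertisement sent :212398
Advertisement received :0
"""

if __name__ == "__main__":
    print(check_pair(parse_show_vrrp(SRX1), parse_show_vrrp(SRX2)))
```

On the posted outputs the result is split_brain True, expected_master 192.168.1.156 and one lost direction, 192.168.1.156 towards 192.168.1.157. That narrows the search to the path SRX1 -> EX -> EX -> SRX2 for multicast to 224.0.0.18 in the Voice_and_Equip VLAN; the SRX-side `host-inbound-traffic protocols vrrp` is already present on irb.10, so the trunks and VLAN membership on the switches are the next thing to compare.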
LCC 0 offline

Hi Experts,

On an SRX1400 I am getting this alarm "chassisd[70018]: CHASSISD_FRU_OFFLINE_NOTICE: Taking LCC 0 offline: Restarting unresponsive board" continuously.

What could be the reason for this alarm?

Best Regards,

Waqas

Logical system

1- If there are 2 virtual routers inside a single LSYS, and a session's path goes through these 2 routing instances, do I expect 2 sessions?

2- If I have 2 LSYSs, each LSYS has 2 routing instances, and a traffic path goes through the 2 LSYSs, do I expect 2 sessions?

Logging not sent to syslog file

Hi all,

I am not able to get logging into the file that has been created:

This is the conf for syslog

xxx@xxx# run show configuration system syslog
archive size 100k files 3;
user * {
    any emergency;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file policy_session {
    any any;
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}

And this is one of the other policies, so why am I not seeing any logs from the UNTRUST zone? I'm 100% sure that policy 299 is being hit with some traffic.


    from-zone UNTRUST to-zone TRUST {
        policy 200 {
         xxxxx
            then {
                permit;
            }
        }
        policy 299 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
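With `structured-data` on the file, a hit on policy 299 lands in policy_session as an RFC 5424 line whose MSGID is RT_FLOW_SESSION_DENY, which is what the `match RT_FLOW` filter in the posted config is matched against. The parser below is an added example and not part of the post; it decodes such lines, splits the PRI into the facility and severity that the file's selectors are evaluated on, and counts denies per policy and zone pair. The sample lines are constructed (the SD-ID `junos@2636.1.1.1.2.36` is a placeholder, its trailing number is platform specific, and the PRI value 14 is chosen for the example).

```python
"""Parse SRX structured-data RT_FLOW syslog lines and count denies per policy.
Added example, not from the original post; sample lines are constructed."""
import re
from collections import Counter

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID params]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sdid>\S+) (?P<params>.*)\]\s*$"
)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Return a dict for an RT_FLOW_* structured-data line, else None."""
    m = HEADER_RE.match(line)
    if not m or not m.group("msgid").startswith("RT_FLOW_"):
        return None
    pri = int(m.group("pri"))
    event = {"ts": m.group("ts"), "host": m.group("host"), "msgid": m.group("msgid"),
             # syslog file selectors such as `user info` are matched on these two
             "facility": pri >> 3, "severity": pri & 7}
    event.update(dict(PARAM_RE.findall(m.group("params"))))
    return event


def summarize(lines):
    """Denies per (policy, from-zone, to-zone); creates and non-flow lines counted apart."""
    out = {"denies": Counter(), "creates": 0, "other": 0}
    for line in lines:
        ev = parse_rt_flow(line)
        if ev is None:
            out["other"] += 1
        elif ev["msgid"] == "RT_FLOW_SESSION_DENY":
            key = (ev["policy-name"], ev["source-zone-name"], ev["destination-zone-name"])
            out["denies"][key] += 1
        elif ev["msgid"] == "RT_FLOW_SESSION_CREATE":
            out["creates"] += 1
    return out


SAMPLE_LINES = [  # constructed; SD-ID is a placeholder, PRI 14 chosen for the example
    '<14>1 2017-05-24T14:35:01.221Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 '
    'source-address="198.51.100.23" source-port="51234" destination-address="192.0.2.10" '
    'destination-port="23" service-name="junos-telnet" protocol-id="6" icmp-type="0" '
    'policy-name="299" source-zone-name="UNTRUST" destination-zone-name="TRUST" '
    'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" reason="policy deny"]',
    '<14>1 2017-05-24T14:35:01.578Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 '
    'source-address="203.0.113.9" source-port="4444" destination-address="192.0.2.10" '
    'destination-port="53" service-name="junos-dns-udp" protocol-id="17" icmp-type="0" '
    'policy-name="299" source-zone-name="UNTRUST" destination-zone-name="TRUST" '
    'packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2017-05-24T14:35:02.004Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 '
    'source-address="198.51.100.40" source-port="40022" destination-address="192.0.2.25" '
    'destination-port="443" service-name="junos-https" protocol-id="6" policy-name="200" '
    'source-zone-name="UNTRUST" destination-zone-name="TRUST" session-id-32="3892" '
    'packet-incoming-interface="ge-0/0/0.0"]',
    '<38>1 2017-05-24T14:35:05.000Z srx sshd 5120 - - Accepted password for admin from 10.0.0.7 port 51922 ssh2',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Run it over `show log policy_session` output or the file itself. If the file stays empty while policy 299 is clearly matching, check `show configuration security log` before touching the syslog stanza: in stream mode, which is the default on the high-end SRX platforms, flow events are sent to the configured stream host and never reach the RE syslog file, and `set security log mode event` is what makes the local file usable.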

Anti-virus Kaspersky not working with temp license

Hi everyone,
I need help with the Kaspersky anti-virus. We are planning to buy a license for anti-virus and wanted to test it first.
But after configuring and installing the temp license, I don't see any statistics.
Please check my configurations.

admin@SRX> show security utm anti-virus status
 UTM anti-virus status:
 
    Anti-virus key expire date: 2017-06-15 05:00:00
    Update server: http://update.juniper-updates.net/AV/SRX240/
           Interval: 60 minutes
           Pattern update status: in process
           Last result: downloading list file
    Anti-virus signature version: 05/28/2017 20:31 GMT, virus records: 468088
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: No error(0x00000000)

SCTP NAT

Has anyone implemented NAT on the SCTP layer and, if so, can you perhaps share your configuration?

DNS-Doctoring

Does DNS-Doctoring support IPv6?

SRX5K SPU high utilization when processing unknown UDP packets

Dear all,

We are testing SRX5600 performance with UDP packets, which are used mostly in gaming applications. The testing scenario is as below:

[image: srx.jpg]

We simply have two subnets and two groups of three servers, which are the packet generators and receivers. We tried to send UDP packets at several rates from the right side to the left side and monitored SPU load, flow sessions and CP sessions to examine what the performance limits are.

Startup configuration of the SRX is quite simple:

SRX5600> show chassis hardware models      

Hardware inventory:
Item             Version  Part number  Serial number     FRU model number
Midplane         REV 02   760-063936   ACRF5922          SRX5600X-CHAS
FPM Board        REV 01   760-058098   CAFZ0086         
PEM 0            Rev 04   740-034701   QCS15260904D      SRX5600-PWR-2520-AC-S
PEM 1            Rev 04   740-034701   QCS15290901B      SRX5600-PWR-2520-AC-S
PEM 2            Rev 04   740-034701   QCS1541090JW      SRX5600-PWR-2520-AC-S
PEM 3            Rev 04   740-034701   QCS1541090LF      SRX5600-PWR-2520-AC-S
Routing Engine 0 REV 02   740-056658   9013104720        SRX5K-RE-1800X4
CB 0             REV 03   750-062257   CAEW9777          SRX5K-SCB3
FPC 4            REV 24   750-061489   CAHV6708          SRX5K-SPC-4-15-320
  CPU                     BUILTIN      BUILTIN          
FPC 5            REV 08   750-061262   CAFE1321          SRX5K-MPC
  MIC 0          REV 07   750-049488   CAFF0743          SRX-MIC-10XG-SFPP
  MIC 1          REV 10   750-049488   CAHD8073          SRX-MIC-10XG-SFPP
Fan Tray                                                 SRX5600-HC-FAN

SRX5600> show interfaces terse xe-5/0/0 

Interface               Admin Link Proto    Local                 Remote
xe-5/0/0                up    up
xe-5/0/0.2025           up    up   inet     61.28.240.1/24  
                                   multiservice
xe-5/0/0.2026           up    up   inet     61.28.241.1/24  
                                   multiservice
xe-5/0/0.32767          up    up   multiservice

SRX5600> show route 

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

61.28.240.0/24     *[Direct/0] 5d 02:08:09
                    > via xe-5/0/0.2025
61.28.240.1/32     *[Local/0] 5d 02:08:12
                      Local via xe-5/0/0.2025
61.28.241.0/24     *[Direct/0] 5d 02:08:09
                    > via xe-5/0/0.2026
61.28.241.1/32     *[Local/0] 5d 02:08:12
                      Local via xe-5/0/0.2026

SRX5600> show security zones       

Security zone: VLAN2025
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    xe-5/0/0.2025

Security zone: VLAN2026
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    xe-5/0/0.2026

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 0
  Interfaces:

SRX5600> show security policies 

Default policy: deny-all
From zone: VLAN2026, To zone: VLAN2025
  Policy: T1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: 61.28.241.0/24
    Destination addresses: 61.28.240.0/24
    Applications: any
    Action: permit

SRX5600> show security screen status                      

    Screen status:
      Screen trap interval : 2 second(s)

SRX5600> show security log              

Security logging is disabled

TEST 1:

We sent a single UDP stream from 61.28.241.14:1210 to 61.28.240.10:2121, the destination being a real server on the left side of our scenario. We sent 10,000,000 packets in total at a rate of 500K pps. Since there was a single session, that stream was processed by a single SPU; the SPU utilization was 30-40%. It seems to be fine!

SRX5600> show security monitoring
                  Flow session   Flow session     CP session     CP session 
FPC PIC CPU Mem        current        maximum        current        maximum
  4   0   0  11              0              0              0              0
  4   1   0   5              0        6291456              0        7549747
  4   2  38   5              8        6291456             10        7549747
  4   3   0   5              1        6291456              2        7549747
Total Sessions:              9       18874368             12       22649241

SRX5600> show security flow statistics
  Flow Statistics of FPC4 PIC1:
    Current sessions: 0
    Packets forwarded: 8
    Packets dropped: 4
    Fragment packets: 0

  Flow Statistics of FPC4 PIC2:
    Current sessions: 2
    Packets forwarded: 10793528
    Packets dropped: 16
    Fragment packets: 0

  Flow Statistics of FPC4 PIC3:
    Current sessions: 0
    Packets forwarded: 34
    Packets dropped: 17
    Fragment packets: 0

  Flow Statistics Summary:
    System total valid sessions: 2
    Packets forwarded: 10793570
    Packets dropped: 37
    Fragment packets: 0

SRX5600> show security flow cp-session
DCP Flow Sessions on FPC4 PIC0:
Total sessions: 0

DCP Flow Sessions on FPC4 PIC1:
Total sessions: 0

DCP Flow Sessions on FPC4 PIC2:

Session ID: 180862127, SPU: 18, Valid
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, 
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, 

Session ID: 180908976, SPU: 18, Invalidated
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, 
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, 

Session ID: 181263604, SPU: 18, Invalidated
  In: 61.28.240.10/44812 --> 172.16.97.10/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 181343296, SPU: 18, Invalidated
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, 
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, 

Session ID: 181686285, SPU: 18, Invalidated
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, 
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, 

Session ID: 181989157, SPU: 18, Invalidated
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, 
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, 

Session ID: 182846046, SPU: 18, Valid
  In: 61.28.240.7/46408 --> 61.28.240.1/22;tcp, 
  Out: 61.28.240.1/22 --> 61.28.240.7/46408;tcp, 
Total sessions: 7

DCP Flow Sessions on FPC4 PIC3:

Session ID: 191449139, SPU: 19, Invalidated
  In: 61.28.241.5/50684 --> 172.16.97.10/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 
Total sessions: 1

SRX5600> show security flow session    

Flow Sessions on FPC4 PIC1:
Total sessions: 0

Flow Sessions on FPC4 PIC2:

Session ID: 181555326, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 61.28.240.7/46408 --> 61.28.240.1/22;tcp, If: xe-5/0/0.2025, Pkts: 2902, Bytes: 211617, CP Session ID: 182846046
  Out: 61.28.240.1/22 --> 61.28.240.7/46408;tcp, If: .local..0, Pkts: 1866, Bytes: 382195, CP Session ID: 182846046

Session ID: 181556134, Policy name: T1/4, Timeout: 60, Valid
  In: 61.28.241.14/1210 --> 61.28.240.10/2121;udp, If: xe-5/0/0.2026, Pkts: 316414, Bytes: 8859592, CP Session ID: 181975112
  Out: 61.28.240.10/2121 --> 61.28.241.14/1210;udp, If: xe-5/0/0.2025, Pkts: 0, Bytes: 0, CP Session ID: 181975112
Total sessions: 2

Flow Sessions on FPC4 PIC3:
Total sessions: 0

SRX5600> show interfaces xe-5/0/0.2026 extensive
  Logical interface xe-5/0/0.2026 (Index 71) (SNMP ifIndex 621) (Generation 136)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2026 ]  Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :            280000612
     Output bytes  :                 2098
     Input  packets:             10000010
     Output packets:                   31
    Local statistics:
     Input  bytes  :                  192
     Output bytes  :                  138
     Input  packets:                    3
     Output packets:                    3
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: VLAN2026
    Flow Statistics :  
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0

TEST 2:

We sent a stream similar to TEST 1 but to a different destination. In this case, we sent to a non-existent IP/subnet: 61.28.242.10:2121. We expected the packets to be dropped silently because there is no route to that destination, without depleting SPU resources. But the result was different: SPU utilization hit 99%!

SRX5600> show security monitoring
                  Flow session   Flow session     CP session     CP session 
FPC PIC CPU Mem        current        maximum        current        maximum
  4   0   0  11              0              0              0              0
  4   1   0   5              1        6291456              1        7549747
  4   2   0   5              1        6291456              1        7549747
  4   3  99   5         132060        6291456              1        7549747
Total Sessions:         132062       18874368              3       22649241

SRX5600> show security flow statistics 

  Flow Statistics of FPC4 PIC1:
    Current sessions: 1
    Packets forwarded: 84
    Packets dropped: 2
    Fragment packets: 0

  Flow Statistics of FPC4 PIC2:
    Current sessions: 1
    Packets forwarded: 505
    Packets dropped: 7
    Fragment packets: 0

  Flow Statistics of FPC4 PIC3:
    Current sessions: 0
    Packets forwarded: 9919326
    Packets dropped: 459624
    Fragment packets: 0

  Flow Statistics Summary:
    System total valid sessions: 2
    Packets forwarded: 9919915
    Packets dropped: 459633
    Fragment packets: 0

SRX5600> show security flow cp-session    

DCP Flow Sessions on FPC4 PIC0:
Total sessions: 0

DCP Flow Sessions on FPC4 PIC1:

Session ID: 170756285, SPU: 17, Invalidated
  In: 61.28.241.14/33986 --> 172.16.97.6/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 173520009, SPU: 17, Pending
  In: 61.28.240.11/43024 --> 172.16.97.6/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 174609306, SPU: 17, Invalidated
  In: 61.28.240.11/42828 --> 172.16.97.10/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 174973268, SPU: 17, Valid
  In: 61.28.240.7/58102 --> 61.28.240.1/161;udp, 
  Out: 61.28.240.1/161 --> 61.28.240.7/58102;udp, 
Total sessions: 4

DCP Flow Sessions on FPC4 PIC2:

Session ID: 181973328, SPU: 18, Invalidated
  In: 61.28.240.7/41286 --> 122.201.9.245/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 182189245, SPU: 18, Invalidated
  In: 61.28.240.10/33380 --> 122.201.9.245/10051;tcp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 182846046, SPU: 18, Valid
  In: 61.28.240.7/46408 --> 61.28.240.1/22;tcp, 
  Out: 61.28.240.1/22 --> 61.28.240.7/46408;tcp, 
Total sessions: 3

DCP Flow Sessions on FPC4 PIC3:

Session ID: 196756651, SPU: 19, Pending
  In: 61.28.241.14/1210 --> 61.28.242.10/2121;udp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 

Session ID: 197093279, SPU: 19, Invalidated
  In: 61.28.241.14/1210 --> 61.28.242.10/2121;udp, 
  Out: 0.0.0.0/0 --> 0.0.0.0/0;0, 
Total sessions: 2

SRX5600> show security flow session    

Flow Sessions on FPC4 PIC1:

Session ID: 171768053, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 61.28.240.7/58102 --> 61.28.240.1/161;udp, If: xe-5/0/0.2025, Pkts: 652, Bytes: 49934, CP Session ID: 174973268
  Out: 61.28.240.1/161 --> 61.28.240.7/58102;udp, If: .local..0, Pkts: 652, Bytes: 50687, CP Session ID: 174973268
Total sessions: 1

Flow Sessions on FPC4 PIC2:

Session ID: 181555326, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 61.28.240.7/46408 --> 61.28.240.1/22;tcp, If: xe-5/0/0.2025, Pkts: 8195, Bytes: 570557, CP Session ID: 182846046
  Out: 61.28.240.1/22 --> 61.28.240.7/46408;tcp, If: .local..0, Pkts: 6388, Bytes: 1465119, CP Session ID: 182846046
Total sessions: 1

Flow Sessions on FPC4 PIC3:
Total sessions: 0

SRX5600> show interfaces xe-5/0/0.2026 extensive 

  Logical interface xe-5/0/0.2026 (Index 71) (SNMP ifIndex 621) (Generation 136)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2026 ]  Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :            280000732
     Output bytes  :                 5322
     Input  packets:             10000012
     Output packets:                   75
    Local statistics:
     Input  bytes  :                  192
     Output bytes  :                  138
     Input  packets:                    3
     Output packets:                    3
    Transit statistics:
     Input  bytes  :                    0                  480 bps
     Output bytes  :                    0                  464 bps
     Input  packets:                    0                    1 pps
     Output packets:                    0                    1 pps
    Security: Zone: VLAN2026
    Flow Statistics :  
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0 
    Flow Output statistics: 
      Multicast packets :                0
      Bytes permitted by policy :        0 
    Flow error statistics (Packets dropped due to): 
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0 
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0       
      No minor session:                  0 
      No more sessions:                  0
      No NAT gate:                       0 
      No route present:                  463406 
      No SA for incoming SPI:            0 
      No tunnel found:                   0
      No session for a gate:             0 
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0 
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0

 

We were afraid there was something wrong in the routing config and forced a discard default route, but nothing got better.

 

SRX5600> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:11
                      Discard
61.28.240.0/24     *[Direct/0] 5d 03:35:49
                    > via xe-5/0/0.2025
61.28.240.1/32     *[Local/0] 5d 03:35:52
                      Local via xe-5/0/0.2025
61.28.241.0/24     *[Direct/0] 5d 03:35:49
                    > via xe-5/0/0.2026
61.28.241.1/32     *[Local/0] 5d 03:35:52
                      Local via xe-5/0/0.2026

SRX5600> show security monitoring    

                  Flow session   Flow session     CP session     CP session 
FPC PIC CPU Mem        current        maximum        current        maximum
  4   0   0  11              0              0              0              0
  4   1   0   5              4        6291456              3        7549747
  4   2   0   5             10        6291456              5        7549747
  4   3  99   5         133320        6291456              5        7549747
Total Sessions:         133334       18874368             13       22649241

Could you please explain to me why the SPU got to 99% in TEST 2? A 500K pps stream is far below the SPC II limit, which is specified to support 5Mpps/SPC, ~1.25Mpps/SPU.

 

Thank you in advance,

 

Trung

HIGH SESSION UTILIZATION IN SRX 1400


Hi,

 

I have an SRX 1400 with 1 NPC+SPC. The version is 12.1R5.5, which is very old, so I can't go on expanding the SPC.

In the cp-session output below I can see that the maximum sessions are 1048576. However, in the flow session output I can see only 50%.

show security flow cp-session summary

Valid sessions: 499207
Pending sessions: 4312
Invalidated sessions: 11596
Sessions in other states: 0
Total sessions: 515115
Maximum sessions: 1048576
Maximum inet6 sessions: 524288

node1:
--------------------------------------------------------------------------

Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Total sessions: 0
Maximum sessions: 1048576
Maximum inet6 sessions: 524288

 

show security flow session summary
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC1 PIC0:
Unicast-sessions: 497112
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 2897834221
Sessions-in-use: 506030
  Valid sessions: 496335
  Pending sessions: 1
  Invalidated sessions: 9694
  Sessions in other states: 0
Maximum-sessions: 524288

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC1 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 524288

 

What I feel is that 50% is used by inet6. Can you confirm?

If it is used by inet6, then I see the following, which means inet6 is not configured:

show security flow status
node0:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

node1:
--------------------------------------------------------------------------
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: drop
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
  Flow trace status
    Flow tracing status: off

 

How can I check how 50% of the sessions are reserved for inet6? What can be done in order to use the whole cp-session capacity for flow sessions?

 

Thanks in advance
