Hi all,
There are 80 spokes and 2 hubs. Please see the configurations:
HUB:
650srxHUB> show configuration | display set | match grp_ike_GW_store-common_parameters
set groups grp_ike_GW_store-common_parameters security ike gateway <*> ike-policy policy-ike
set groups grp_ike_GW_store-common_parameters security ike gateway <*> dead-peer-detection
set groups grp_ike_GW_store-common_parameters security ike gateway <*> external-interface ge-1/0/1.0
set security ike apply-groups grp_ike_GW_store-common_parameters
650srxHUB> show configuration security ike | display set
Set security ike apply-groups grp_ike_GW_store-common_parameters
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group2
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike policy policy-ike pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXX"
set security ike gateway gw-ike-store13 dynamic hostname ZZZZZZZ
set security ike gateway gw-ike-store17 dynamic hostname QQQQQQQ
set security ike gateway gw-ike-store25 dynamic hostname WWWWWWW
....
......
........
650srxHUB> show configuration security ipsec | display set
set security ipsec apply-groups grp-ipsec-vpn-common-parameters
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 3
set security ipsec proposal pro-ipsec protocol esp
set security ipsec proposal pro-ipsec authentication-algorithm hmac-sha1-96
set security ipsec proposal pro-ipsec encryption-algorithm aes-256-cbc
set security ipsec proposal pro-ipsec lifetime-seconds 3600
set security ipsec policy po-ipsec proposals pro-ipsec
set security ipsec vpn ipsec-vpn-dc-to-store13 bind-interface st0.13
set security ipsec vpn ipsec-vpn-dc-to-store13 ike gateway gw-ike-store13
set security ipsec vpn ipsec-vpn-dc-to-store17 bind-interface st0.17
set security ipsec vpn ipsec-vpn-dc-to-store17 ike gateway gw-ike-store17
set security ipsec vpn ipsec-vpn-dc-to-store25 bind-interface st0.25
.....
.......
..........
Spokes:
240srxspoke> show configuration security ike | display set
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group2
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike policy policy-ike pre-shared-key ascii-text "XXXXXXXXXXXYYYYYYYYYY"
set security ike gateway gatew-ike-xxx-SecGateHub_001 ike-policy policy-ike
set security ike gateway gatew-ike-xxx-SecGateHub_001 address 10.10.10.148
set security ike gateway gatew-ike-xxx-SecGateHub_001 dead-peer-detection
set security ike gateway gatew-ike-xxx-SecGateHub_001 local-identity hostname XXXXXXXX
set security ike gateway gatew-ike-xxx-SecGateHub_001 external-interface at-1/0/0.0--------->adsl
set security ike gateway gatew-ike-xxx-SecGateHub_002 ike-policy policy-ike
set security ike gateway gatew-ike-xxx-SecGateHub_002 address 10.20.10.149
set security ike gateway gatew-ike-xxx-SecGateHub_002 dead-peer-detection
set security ike gateway gatew-ike-xxx-SecGateHub_002 local-identity hostname kv1095srx001
set security ike gateway gatew-ike-xxx-SecGateHub_002 external-interface at-1/0/0.0-------->adsl
240srxspoke> show configuration security ipsec | display set
set security ipsec vpn-monitor-options interval 2
set security ipsec vpn-monitor-options threshold 3
set security ipsec proposal pr-ipsec protocol esp
set security ipsec proposal pr-ipsec authentication-algorithm hmac-sha1-96
set security ipsec proposal pr-ipsec encryption-algorithm aes-256-cbc
set security ipsec proposal pr-ipsec lifetime-seconds 3600
set security ipsec policy po-ipsec proposals pr-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 bind-interface st0.0
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 ike gateway gatew-ike-xxx-SecGateHub_001
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 ike ipsec-policy po-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB001 establish-tunnels immediately
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 bind-interface st0.1
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 vpn-monitor optimized
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 ike gateway gatew-ike-xxx-SecGateHub_002
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 ike ipsec-policy po-ipsec
set security ipsec vpn ipsec-vpn-store-to-SecGateHUB002 establish-tunnels immediately
240srxspoke>
Some considerations:
1-) 650srxhub>show log kmd------->the following log constantly occurs. Any idea for troubleshooting?
KMD_INTERNAL_ERROR: iked_ui_event_handler: usp ipc connection for iked show CLI was SHUTDOWN due to error in receiving msg or age out of connection or flowd going down etc. Reconnect to pfe..
2-) There is no manual MTU configuration for the st0 interface. Why is MTU: 9192 there? Does this cause a problem?
3-) Also, there is no manual "Interface flags" configuration under st0 at the hub and all spokes, but the output shows "Point-To-Point". Is this correct?
4-) Is there any configuration error? What do you think?
5-) "No route present: XXXX" -----> how to troubleshoot why this increases?
6-) "No SA for incoming SPI: XXXXXX" -----> how to troubleshoot why this increases?
650srxhub>show interfaces extensive st0
Physical interface: st0, Enabled, Physical link is Up
Interface index: 130, SNMP ifIndex: 503, Generation: 133
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes : 16561729719545 10160800 bps
Output bytes : 33143824397621 58283768 bps
Input packets: 81681946401 9362 pps
Output packets: 85238822440 10482 pps
Thx
A.
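For question 4, an added example (not from the post and not a Juniper tool): a small Python checker that parses "display set" lines from the hub and a spoke, compares the IKE parameters their policies actually negotiate (proposal names such as pro-ipsec vs pr-ipsec need not match, only the parameters do), and lists spoke gateways whose local-identity hostname no hub "dynamic hostname" gateway accepts. The sample input is a constructed subset of the lines above, with the spoke dh-group changed to group5 so the report is non-empty; the hub's second gateway is not in the post, so kv1095srx001 is reported as unmatched.

```python
import re

# Constructed sample: IKE lines taken from the post's hub and spoke "display set" output,
# with the spoke dh-group changed from group2 to group5 so that a mismatch is reported.
HUB = """\
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group2
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike gateway gw-ike-store13 dynamic hostname ZZZZZZZ
"""
SPOKE = """\
set security ike proposal proposal_ike authentication-method pre-shared-keys
set security ike proposal proposal_ike dh-group group5
set security ike proposal proposal_ike authentication-algorithm sha1
set security ike proposal proposal_ike encryption-algorithm aes-256-cbc
set security ike proposal proposal_ike lifetime-seconds 86400
set security ike policy policy-ike mode aggressive
set security ike policy policy-ike proposals proposal_ike
set security ike gateway gatew-ike-xxx-SecGateHub_001 local-identity hostname ZZZZZZZ
set security ike gateway gatew-ike-xxx-SecGateHub_002 local-identity hostname kv1095srx001
"""
# "set security <ike|ipsec> <proposal|policy|gateway> <name> <key> <value...>"
LINE = re.compile(r"set security (ike|ipsec) (proposal|policy|gateway) (\S+) (\S+) (.+)")

def parse(text):
    """Return {family: {kind: {name: {key: value}}}}; handles 'ike' and 'ipsec' lines alike."""
    cfg = {}
    for fam, kind, name, key, val in LINE.findall(text):
        cfg.setdefault(fam, {}).setdefault(kind, {}).setdefault(name, {})[key] = val
    return cfg

def effective_params(cfg, fam, policy):
    """Parameters the policy negotiates: its proposal's settings plus the policy mode."""
    pol = cfg[fam]["policy"][policy]
    return {**cfg[fam]["proposal"][pol["proposals"]], "mode": pol.get("mode")}

def mismatches(hub, spoke, fam, policy):
    """(key, hub_value, spoke_value) for each differing parameter; empty means they agree."""
    h, s = effective_params(hub, fam, policy), effective_params(spoke, fam, policy)
    return [(k, h.get(k), s.get(k)) for k in sorted(h.keys() | s.keys()) if h.get(k) != s.get(k)]

def unmatched_spoke_identities(hub, spoke):
    """Spoke gateways whose local-identity matches no hub 'dynamic hostname' gateway."""
    accepted = {g.get("dynamic") for g in hub["ike"]["gateway"].values()}
    return [n for n, g in spoke["ike"]["gateway"].items() if g.get("local-identity") not in accepted]

if __name__ == "__main__":
    hub, spoke = parse(HUB), parse(SPOKE)
    print("IKE mismatches:", mismatches(hub, spoke, "ike", "policy-ike"))
    print("spoke gateways with no hub match:", unmatched_spoke_identities(hub, spoke))
```

Paste the full hub and spoke output in place of the constructed samples to run the same check across all 80 spokes; the ipsec proposals are compared the same way by calling mismatches with family "ipsec" and the ipsec policy name.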