
[SRX] How to analyze IKE Phase 1 VPN connection issues


Article ID: KB10101 KB Last Updated: 26 Mar 2020Version: 13.0
Summary:

This article shows you how to review VPN connection issues related to IKE Phase 1 not establishing and verify settings if no IKE Phase 1 messages are seen.

Symptoms:

  • IKE Phase 1 is not UP. 
  • The output of the show security ike security-associations command reports that the state is DOWN for the remote address of the VPN.
  • The remote address of the VPN is not listed in the output of the show security ike security-associations command.
Solution:

Troubleshooting IKE Phase 1 problems is best handled by reviewing VPN status messages on the responder firewall. The responder is the "receiver" side of the VPN that is receiving the tunnel setup requests. The initiator is the side of the VPN that sends the initial tunnel setup requests.

  1. Configure a new syslog file, kmd-logs, to capture relevant VPN status logs on the responder firewall.
    See: KB10097 - How to configure syslog to display VPN status messages

    Don't forget to attempt to bring the VPN tunnel up again, so that the messages are captured in kmd-logs.
  2. Run the command show log kmd-logs, and look for Phase 1 errors:

    Note: Refer to KB30548 - IKE Phase 1 VPN status messages for a listing of common IKE connection errors.

    • If you are unable to locate any Phase 1 messages, continue to Step 3.
  3. If the VPN is a route-based VPN, verify that a st0.x interface is bound to the VPN with the command:

    root@CORPORATE# show security ipsec
    policy ipsec_pol {
        proposal-set compatible;
    }
    vpn vpn1 {
        bind-interface st0.0;
        ike {
            gateway ike-vpn-srx1;
            ipsec-policy ipsec_pol;
        }
    }
    
    Is there a st0 interface bound to the VPN?
    • Yes - Continue with Step 4.
    • No, I am using a policy-based VPN - Continue with Step 4.
    • No - Bind the st0 interface to the VPN: 

        set security ipsec vpn "vpn_name" bind-interface st0.X

      To do this using J-Web:
      • Go to Configuration > IPSec VPN > Auto Tunnel> Phase II.
      • Select the VPN tunnel in question and click Edit.
      • Click on the pull-down list for Bind to tunnel interface.
      • Select the st0 interface.
      • Click OK.  
  4. Is the VPN Gateway configured to use the correct outgoing interface? For further assistance, see KB10121 - How to determine if the IPsec IKE Gateway is configured for the correct outgoing interface.

    • Yes - Continue with Step 5.
    • No - Adjust the IKE Gateway's outgoing interface to the correct outgoing interface.
  5. Is the SRX configured to allow IKE in host-inbound-traffic, if the SRX is to be the responder device?

    1. Locate the VPN external interface: 
      root@CORPORATE# show security ike
      policy ike_pol {
          mode main;
          proposal-set compatible;
          pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
      }
      gateway gw_srx1 {
          ike-policy ike_pol;
          address 2.2.2.2;
          external-interface ge-0/0/8;
      }
      
    2. Locate the security zone associated with the external-interface:
      root@CORPORATE# show security zones | display set | match ge-0/0/8
      set security zones security-zone untrust interfaces ge-0/0/8.0

    3. Verify that the interface or zone allows host-bound IKE traffic:
      root@CORPORATE# show security zones security-zone untrust
      interfaces {
          ge-0/0/8.0 {
              host-inbound-traffic {
                  system-services {
                      ike;
                  }
              }
          }
      } 
      
    NOTE: If the VPN is to be used for Dynamic Endpoint connections from NCP clients using NCP Pathfinder, also include the 'tcp-encap' option under system-services.
     
    • Yes - Continue with Step 6.
    • No - Enable IKE for the external interface (using the zone and interface found above, untrust and ge-0/0/8.0 in this example):
      root@CORPORATE# set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ike
      root@CORPORATE# commit
  6. Enable 'per tunnel debug' detailed logging (traceoptions), and analyze the output.

    Read: KB19943 - How to enable VPN (IKE/IPsec) traceoptions for only specific SAs (Security Associations)

  7. If still not resolved, collect logs and open a case with your technical support representative. 

    Read: KB21781 - [SRX] Data Collection Checklist - Logs/data to collect for troubleshooting
     


    See the Related Links section for more configuration and troubleshooting resources.
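Steps 3 to 5 above can be checked mechanically against `show configuration security | display set` output. The following is an added example, not code from the article or from Juniper; the configuration it parses is a constructed sample built from the names used in this article (vpn1, st0.0, ike-vpn-srx1, ge-0/0/8, zone untrust), and the function names are my own.

```python
# Constructed sample of `show configuration security | display set` output, modelled
# on the names in this article (vpn1, st0.0, ike-vpn-srx1, ge-0/0/8, zone untrust).
SAMPLE_SET_CONFIG = """\
set security ike gateway ike-vpn-srx1 address 2.2.2.2
set security ike gateway ike-vpn-srx1 external-interface ge-0/0/8
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway ike-vpn-srx1
set security zones security-zone untrust interfaces ge-0/0/8.0
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ike
"""

def _stmts(text):
    """Split `display set` output into token lists, ignoring non-set lines."""
    return [ln.split() for ln in text.splitlines() if ln.startswith("set ")]

def _after(stmts, *prefix):
    """Tokens that follow a statement prefix, one list per matching line."""
    return [s[len(prefix):] for s in stmts if tuple(s[:len(prefix)]) == prefix]

def check_phase1_prereqs(text, vpn_name, route_based=True):
    """Mechanise steps 3-5 of the article: st0 binding, gateway external
    interface, and IKE permitted in host-inbound-traffic for that interface."""
    stmts = _stmts(text)
    f = {"vpn": vpn_name}
    # Step 3: a route-based VPN must have an st0.x unit bound to it.
    bind = _after(stmts, "set", "security", "ipsec", "vpn", vpn_name, "bind-interface")
    f["st0_bound"] = (not route_based) or any(b[0].startswith("st0.") for b in bind if b)
    # Step 4: follow vpn -> gateway -> external-interface.
    gw = _after(stmts, "set", "security", "ipsec", "vpn", vpn_name, "ike", "gateway")
    f["gateway"] = gw[0][0] if gw else None
    ext = _after(stmts, "set", "security", "ike", "gateway", f["gateway"], "external-interface") if gw else []
    f["external_interface"] = ext[0][0] if ext else None
    # Step 5: zones reference logical units; a bare ge-0/0/8 means unit 0.
    ifl = f["external_interface"]
    if ifl and "." not in ifl:
        ifl += ".0"
    f["zone"], f["ike_allowed"] = None, False
    for s in stmts:
        if (len(s) >= 7 and s[:4] == ["set", "security", "zones", "security-zone"]
                and s[5] == "interfaces" and s[6] == ifl):
            f["zone"] = s[4]
            if s[7:9] == ["host-inbound-traffic", "system-services"] and s[9:] in (["ike"], ["all"]):
                f["ike_allowed"] = True
    # IKE may instead be permitted for the whole zone rather than per interface.
    zone_lvl = _after(stmts, "set", "security", "zones", "security-zone", f["zone"] or "",
                      "host-inbound-traffic", "system-services")
    if any(v in (["ike"], ["all"]) for v in zone_lvl):
        f["ike_allowed"] = True
    f["ok"] = f["st0_bound"] and f["external_interface"] is not None and f["ike_allowed"]
    return f
```

Run `check_phase1_prereqs(open("config.set").read(), "vpn1")` against a saved `display set` capture; a False `ike_allowed` with a populated `zone` points straight at step 5.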

Modification History:
2020-03-26: Removed message log examples related to old version of Junos. Included reference to use of tcp-encap system service.
2020-02-25: Minor, non-technical edits.

Related Links
