[SRX] VPN Monitoring causes the IPsec tunnel to bounce

[KB24133]


Summary:

This article describes the issue of VPN Monitoring causing the IPsec tunnel to go down.

Symptoms:

When the IKE gateway's external-interface <interface> is not in the same security zone as the interface on which the incoming packet arrives, VPN Monitoring will drop the IPsec tunnel.

In the flow trace, the VPN Monitoring packet fails to match the tunnel session, so it is dropped:
[0001] T29 <192.168.1.217/1051->172.16.1.3/4500;17> :
[0002] T29 packet [112] ipid = 22110, @799f18e4
[0003] T29 ---- flow_process_pkt: (thd 29): flow_ctxt type 14, common flag 0x0, mbuf 0xc593e00, rtbl_idx = 0
[0004] T29  flow process pak fast ifl 92 in_ifp ge-0/0/0.0
[0005] T29 flow_np_session_id2nsp: NP hdr: session id - 617, Flag - 8
[0006] T29 NP session id - 617 returns Init side nsp -0x353af190
[0007] T29   flow session id 617
[0008] T29   flow_decrypt: tun 353af214(flag 10), iif 92
[0009] T29 dec vector=85829e0.
[0010] T29 In natt_decap Starting NATT decap
[0011] T29 In natt_decap Completed NATT decap
[0012] T29 In natt_decap After NATT decap, pak_ptr->src = a3517d9 and pak_ptr->dst = a39ca03
[0013] T29 dec vector=85829e0. rc 0x0
[0014] T29   ge-0/0/0.0:192.168.1.217->172.16.1.3, 50
[0015] T29  find flow: table 0x55dbb478, hash 266737(0x7ffff), sa 192.168.1.217, da 172.16.1.3, sp 10775, dp 41762, proto 50, tok 11 
[0016] T29  find flow: table 0x55dbb478, hash 148807(0x7ffff), sa 192.168.1.217, da 172.16.1.3, sp 0, dp 0, proto 50, tok 11 
[0017] T29  find flow: table 0x55dbb478, hash 508417(0x7ffff), sa 0.0.0.0, da 0.0.0.0, sp 10775, dp 41762, proto 50, tok 11 
[0018] T29   no session found, start first path. in_tunnel - 893055508, from_cp_flag - 0  
>>>>>> Should be able to match tunnel session here
[0019] T29 Fwd packet with rtbl idx 0, cos 0
[0020] T29 flow_spu_send_invalid_or_no_sess_match_pak_to_cp: In tunnel 893055508 Tunnel info 0x64a00001
[0021] T29 flow_spu_send_invalid_or_no_sess_match_pak_to_cp: Setting header iif to 92
[0022] T29 flow_spu_send_invalid_or_no_sess_match_pak_to_cp: Packet sent to cp 
[0023] T29   flow didn't create session, code=6.
[0024] T29  ----- flow_process_pkt rc 0x11 (fp rc 6)

Cause:

Apart from matching the five tuples, the flow also tries to match the zone of the packet's incoming interface against the zone of the interface stored in the session wing (that is, the external-interface associated with the IKE gateway). By design, the tunnel session is created on the external interface of the gateway. For an incoming packet to match the tunnel session, its incoming interface must therefore be in the same zone as the external interface of the gateway.

At times, network administrators configure a loopback interface as the external interface for the IKE gateway but do not place it in the same zone as the incoming interface or the VPN peer-facing interface.

For example, in this case the external-interface of the gateway is lo0.0, and the flow trace shows that the packet's incoming interface is ge-0/0/0.0. Because the two interfaces are not in the same zone, the session lookup fails:


[edit]
root@SRX3600# show security zones | display set | match ge-0/0/0.0 
set security zones security-zone Untrust interfaces ge-0/0/0.0

[edit]
root@SRX3600# show security zones | display set | match lo   
set security zones security-zone VPN interfaces lo0.0

[edit]
root@SRX3600# show interfaces | display set | match lo0  
set interfaces lo0 unit 0 family inet address 172.16.1.3/32


gateway remote-gw {
    ike-policy ike_pol;
    address 192.168.1.217;
    external-interface lo0.0;
}

Solution:

Make sure that the lo0.0 interface (the IKE gateway external-interface) is configured in the same zone as the incoming interface or VPN peer-facing interface:

delete security zones security-zone VPN interfaces lo0.0
set security zones security-zone Untrust interfaces lo0.0

So, it is by design that the IKE gateway's external-interface must be in the same zone as the packet's incoming interface or VPN peer-facing interface.
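The zone check above can be run against a `show configuration | display set` dump before VPN Monitoring is enabled. The following is an added example, not Juniper code: it assumes the simplified set-format parsing shown, and the sample configuration is constructed to reproduce the misconfiguration in this article.

```python
"""Pre-check for the zone mismatch described above: the IKE gateway's
external-interface must share a security zone with the interface the peer's
traffic enters on. Added example, not Juniper's code; the 'display set'
parsing is a simplified assumption."""
import re

# Constructed sample reproducing the article's misconfiguration.
SAMPLE_CONFIG = """
set security zones security-zone Untrust interfaces ge-0/0/0.0
set security zones security-zone VPN interfaces lo0.0
set interfaces lo0 unit 0 family inet address 172.16.1.3/32
set security ike gateway remote-gw ike-policy ike_pol
set security ike gateway remote-gw address 192.168.1.217
set security ike gateway remote-gw external-interface lo0.0
"""
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
GW_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")


def _pairs(config, regex):
    """Yield the two capture groups of every config line matching regex."""
    for line in config.splitlines():
        m = regex.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def parse_zones(config):
    """Map each logical interface to the security zone that contains it."""
    return {ifl: zone for zone, ifl in _pairs(config, ZONE_RE)}


def parse_gateways(config):
    """Map each IKE gateway name to its external-interface."""
    return dict(_pairs(config, GW_RE))


def check_gateway(config, gateway, ingress_ifl):
    """Return (ok, ext_zone, ingress_zone, fix_cmds) for one gateway.
    The tunnel session is created on the external-interface, so a packet
    arriving on ingress_ifl only matches it when both share a zone."""
    zones, ext_ifl = parse_zones(config), parse_gateways(config)[gateway]
    ext_zone, in_zone = zones.get(ext_ifl), zones[ingress_ifl]
    if ext_zone == in_zone:
        return True, ext_zone, in_zone, []
    fix = []
    if ext_zone is not None:  # move the interface instead of double-homing it
        fix.append(f"delete security zones security-zone {ext_zone} interfaces {ext_ifl}")
    fix.append(f"set security zones security-zone {in_zone} interfaces {ext_ifl}")
    return False, ext_zone, in_zone, fix
```

For the sample configuration, `check_gateway(SAMPLE_CONFIG, "remote-gw", "ge-0/0/0.0")` reports the VPN/Untrust mismatch and returns the same two corrective commands given in the Solution section.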