
SRX does not allow the VPN tunnel to be established on the ST1 interface


Article ID: KB24647 KB Last Updated: 03 Jul 2013 Version: 2.0
Summary:
This article describes an issue in which the SRX device does not allow a VPN tunnel to be established on the ST1 interface.

Symptoms:
When the ST1 interface is configured, the tunnel connection will not be established.

Cause:
Junos does not support the ST1 interface for terminating VPN tunnels. This is by design.

Solution:
  • By design, SRX currently does not support terminating VPN connections on the ST1 tunnel interface.

  • The supported range of tunnel interfaces is st0.0 to st0.16385.

  • If ST1 is configured, Junos will not generate any errors and will let you commit, but the VPN will not come up. The interface itself will not come up either.
    root@D10_31-SRX650-Branch1# show | display set | match st1
    set interfaces st1 unit 0 family inet address 50.50.50.1/24
    set protocols ospf area 0.0.0.0 interface st1.0
    set security ipsec vpn VPN-HQ bind-interface st1.0
    set security zones security-zone VPN interfaces st1.0 host-inbound-traffic system-services ping
    set security zones security-zone VPN interfaces st1.0 host-inbound-traffic protocols ospf

    [edit]
    root@D10_31-SRX650-Branch1# run show interfaces terse | match st1

  • No ST1 output was found and the interface did not come up at all. After replacing st1 with st0 and committing, the interface and the VPN come up:
    [edit]
    root@D10_31-SRX650-Branch1# replace pattern st1 with st0

    [edit]
    root@D10_31-SRX650-Branch1# commit

    [edit]
    root@D10_31-SRX650-Branch1# show | display set | match st0
    set interfaces st0 unit 0 family inet address 50.50.50.1/24
    set protocols ospf area 0.0.0.0 interface st0.0
    set security ipsec vpn VPN-HQ bind-interface st0.0
    set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ping
    set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf

    [edit]
    root@D10_31-SRX650-Branch1# run show interfaces terse | match st0
    st0 up up
    st0.0 up up inet 50.50.50.1/24

    [edit]
    root@D10_31-SRX650-Branch1# run ping 50.50.50.1
    PING 50.50.50.1 (50.50.50.1): 56 data bytes
    64 bytes from 50.50.50.1: icmp_seq=0 ttl=64 time=6.111 ms


    [edit]
    root@D10_31-SRX650-Branch1# run show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    1347761 UP 4b29f5b137069c92 a90da5de9356597a Main 1.1.2.1


    root@D10_31-SRX650-Branch1# run show security ipsec security-associations
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway
    <131073 ESP:3des/sha1 fcb6f81b 3583/ unlim U root 500 1.1.2.1
    >131073 ESP:3des/sha1 84252e31 3583/ unlim U root 500 1.1.2.1
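
Because the commit succeeds silently, the mistake can be caught by checking the `show | display set` output before committing. The following is an added example, not Juniper code: the function name and the keyword list (`interfaces`, `interface`, `bind-interface`) are assumptions based on the configuration lines shown above, and the sample input is constructed from those lines.

```python
import re

# Upper unit bound stated in this article: st0.0 to st0.16385
MAX_UNIT = 16385

# Match an st interface named after the keywords seen in the article's
# configuration. Accepts both "st1.0" and "st1 unit 0" forms.
ST_REF = re.compile(
    r"\b(?:bind-)?interfaces?\s+st(\d+)(?:\.(\d+)|\s+unit\s+(\d+))?(?=\s|$)"
)

# Constructed sample: the five "set" lines from the article's st1 configuration.
SAMPLE = """\
set interfaces st1 unit 0 family inet address 50.50.50.1/24
set protocols ospf area 0.0.0.0 interface st1.0
set security ipsec vpn VPN-HQ bind-interface st1.0
set security zones security-zone VPN interfaces st1.0 host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st1.0 host-inbound-traffic protocols ospf
"""


def find_unsupported_st(config_text):
    """Return (line_no, interface, reason) for st references outside st0.0-st0.16385."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        if not line.startswith("set "):
            continue  # skip CLI prompts, [edit] banners and blank lines
        for m in ST_REF.finditer(line):
            index = int(m.group(1))
            unit = m.group(2) or m.group(3)
            name = f"st{index}" + (f".{unit}" if unit is not None else "")
            if index != 0:
                findings.append((line_no, name, "only st0 is supported"))
            elif unit is not None and int(unit) > MAX_UNIT:
                findings.append((line_no, name, f"unit above {MAX_UNIT}"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in find_unsupported_st(SAMPLE):
        print(f"line {line_no}: {name}: {reason}")
```

The check only sees st references that follow the listed keywords, so references elsewhere in a configuration are not reported.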

