
VPN Packets from ISG to SRX are Dropped Due to Out of Sequence Packets with Replay Protection Enabled


Article ID: KB26671 | Last Updated: 27 Dec 2017 | Version: 5.0
Summary:
This article describes how to resolve replay-protection drops that occur when an ISG or NS5000 sends VPN packets out of sequence to an SRX peer.
Symptoms:
Customers report problems with traffic flowing through the VPN tunnel: VPN packets are dropped.
Solution:
Under load, ISG and NS5000 devices may send VPN packets out of sequence. On the peer, a packet whose ESP sequence number has fallen behind the anti-replay window is indistinguishable from a replayed packet and is dropped. For further details, see KB22051 - [ScreenOS] Why disable VPN engines, and how?

There are two ways to address this issue.
Option 1 - Disable replay protection on the SRX device by specifying no-anti-replay in the IPsec Phase 2 (VPN) configuration.
Example (under the [edit security ipsec] hierarchy):
vpn home-vpn {
    bind-interface st0.2;
    vpn-monitor {
        source-interface ge-0/0/1.0;
        destination-ip 10.10.10.198;
    }
    ike {
        gateway home-gw;
        no-anti-replay;
        ipsec-policy ipsec-pol;
    }
    establish-tunnels immediately;
}

Option 2 - Disable one or more VPN engines on the ISG or NS5000 firewall. Every ASIC on the firewall has four VPN engines, each encrypting and decrypting ESP traffic independently. The out-of-sequence issue arises when one engine sends an ESP packet with a higher sequence number and another engine later sends a packet with a lower sequence number.
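To make the mechanism in the two explanatory paragraphs above concrete, the following Python model is an added example; it is not Juniper code and not the ScreenOS or Junos implementation. A receiver keeps an RFC 4303-style sliding anti-replay window, and a sender spreads consecutive ESP sequence numbers round-robin across several engines, one of which lags. The engine count, the per-engine delays (measured in packets), and the 64-packet window are constructed assumptions chosen for illustration; the actual SRX window size is not stated in this article.

```python
"""Model of an ESP anti-replay window (RFC 4303 Appendix A style) fed by
packets from several parallel crypto engines.  Added illustration, not
Juniper code: engine count, per-engine delays and window size are
constructed parameters, chosen to show why out-of-order delivery is
indistinguishable from a replay on the receiver."""

ACCEPT = "accept"
DROP_STALE = "drop-stale"      # sequence number fell behind the window
DROP_REPLAY = "drop-replay"    # sequence number already seen


class AntiReplayWindow:
    """Sliding window covering `size` sequence numbers below the highest seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit k set => sequence number (top - k) was seen

    def check(self, seq):
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return ACCEPT
        behind = self.top - seq
        if behind >= self.size:
            return DROP_STALE       # too far behind: looks like a replay
        if self.bitmap & (1 << behind):
            return DROP_REPLAY      # duplicate inside the window
        self.bitmap |= 1 << behind
        return ACCEPT


def simulate(n_engines, engine_delays, n_packets, window=64, anti_replay=True):
    """Send seq 1..n_packets round-robin across engines; engine e adds
    engine_delays[e] time units before its packet reaches the wire.
    Returns a count of receiver verdicts."""
    assert len(engine_delays) == n_engines
    sends = []
    for seq in range(1, n_packets + 1):
        engine = (seq - 1) % n_engines
        sends.append((seq + engine_delays[engine], seq))
    sends.sort()                      # wire order: by arrival time, then seq
    win = AntiReplayWindow(window)
    counts = {ACCEPT: 0, DROP_STALE: 0, DROP_REPLAY: 0}
    for _, seq in sends:
        verdict = win.check(seq) if anti_replay else ACCEPT
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: 4 engines, one of them lagging 100 packets behind.
    print("lagging engine, window 64:", simulate(4, [0, 0, 0, 100], 400))
    # Same lag with anti-replay disabled (Option 1): everything is accepted...
    print("same, no-anti-replay:     ", simulate(4, [0, 0, 0, 100], 400, anti_replay=False))
    # ...but so would be a genuine duplicate, which the window catches.
    w = AntiReplayWindow()
    print("duplicate with window on: ", w.check(1), w.check(1))
    # Lag that stays inside the window is tolerated.
    print("lag 30, window 64:        ", simulate(4, [0, 0, 0, 30], 400))
```

Running it shows that a lag larger than the window turns every packet from the slow engine into a "stale" drop even though nothing was replayed, that a lag that stays inside the window is tolerated, and that no-anti-replay (Option 1) accepts the lagging packets at the cost of also accepting a genuine duplicate. That lost protection is the trade-off to weigh against the performance cost of Option 2.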

Use either of the following two methods to change the VPN engine behavior.

Method 1 - Change the SPI behavior so that, per ASIC, two VPN engines encrypt traffic and the other two decrypt it. This does not eliminate the issue entirely, but with only two engines encrypting (instead of the default four) it occurs considerably less often.

  1. Upgrade the device to ScreenOS 5.4, 6.1, 6.2, or 6.3.
  2. Run: set env correct_spi=yes
  3. Reset the firewall.
  4. Run: get env
  5. Verify the output displays: correct_spi=yes
Setting correct_spi=yes makes two VPN engines encrypt and the other two decrypt, per ASIC.
NOTE: This command does not disable any VPN engine.

Method 2 - Disable one, two, or three of the VPN engines.
  1. To disable one VPN engine:
    1. Run: set env correct_seq=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq=yes
  2. To disable two VPN engines:
    1. Run: set env correct_seq2=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq2=yes
  3. To disable three VPN engines:
    1. Run: set env correct_seq3=yes
    2. Reset the firewall.
    3. Run: get env
    4. Verify the output displays: correct_seq3=yes

Note: Disabling VPN engines might cause VPN performance problems, because the VPN load is handled by fewer engines. It might also lead to packet drops if the remaining engines are overwhelmed by VPN traffic. When three engines are disabled, the whole load is handled by a single engine, so be especially careful before disabling three VPN engines.
Modification History:
2017-12-07: Article reviewed for accuracy. Content clarified and format corrected. Article is correct and complete.