
Route-based VPN with VRRP interfaces


Article ID: KB30589 | Last Updated: 14 Oct 2015 | Version: 2.0
Summary:

Unable to use a route-based VPN when the outgoing interface is configured as a VRRP interface.

Symptoms:

The outgoing interface is configured as a VRRP interface. When traffic is routed through a route-based VPN, it is dropped with "no route" even though the route is present in the routing table.

set interface ethernet0/1 ip 10.1.1.1/25
set interface ethernet0/1 route
set interface ethernet0/1:1 ip 10.1.1.2/25
set interface ethernet0/1:1 route
set interface tunnel.3 ip unnumbered interface ethernet0/2
set interface ethernet0/1 protocol vrrp
set interface ethernet0/1 protocol vrrp enable
set interface ethernet0/1:1 protocol vrrp preempt
set interface ethernet0/1:1 protocol vrrp priority 50

set ike gateway "Gateway_Test" address 172.1.1.1 Main outgoing-interface "ethernet0/1:1" preshare "zwQ7amfCNQlEogsNvfCbZG0GPvngLauJ2g==" proposal "pre-g2-3des-sha"
set vpn "VPN_Test" gateway "Gateway_Test" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "VPN_Test" bind interface tunnel.3

set route 192.168.0.5/32 interface tunnel.3

****** 124713.0: <Trust/ethernet0/2> packet received [128]******
ipid = 1451(05ab), @03bf1e10
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:172.22.1.5/7200->192.168.0.5/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 172.22.1.5->192.168.0.5) in vr trust-vr for vsd-0/flag-0/ifp-null
no route to (172.22.1.5->192.168.0.5) in vr trust-vr/0
packet dropped, no route

Cause:

Interface ethernet0/1:1 has VSD group ID 1, but the packet has VSD group ID 0, which it gets from the ingress interface, ethernet0/2. The route lookup requires the VSD group ID of the traffic to match the VSD group ID of the outgoing interface.
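The following Python model is an added illustration of the lookup rule described above, not ScreenOS code. It takes the interfaces, VSD group IDs and the 192.168.0.5/32 route from this article; it assumes that a tunnel interface inherits the VSD group of its IKE gateway's outgoing-interface and that ethernet0/1 (like ethernet0/2) is in VSD group 0.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Interface:
    name: str
    vsd_group: Optional[int] = None             # None for tunnel interfaces
    gateway_outgoing_if: Optional[str] = None   # tunnel only: IKE gateway's outgoing-interface

def build_interfaces(gateway_outgoing_if: str) -> Dict[str, Interface]:
    """Interfaces from the article. ethernet0/1:1 is the VRRP interface in VSD
    group 1; ethernet0/2 is in VSD group 0 (ethernet0/1 in group 0 is assumed)."""
    return {
        "ethernet0/1": Interface("ethernet0/1", 0),
        "ethernet0/1:1": Interface("ethernet0/1:1", 1),
        "ethernet0/2": Interface("ethernet0/2", 0),
        "tunnel.3": Interface("tunnel.3", gateway_outgoing_if=gateway_outgoing_if),
    }

# Route table from the article: set route 192.168.0.5/32 interface tunnel.3
ROUTES: List[Tuple] = [(ip_network("192.168.0.5/32"), "tunnel.3")]

def egress_vsd_group(ifs: Dict[str, Interface], name: str) -> int:
    """VSD group of the interface the packet would physically leave on; a tunnel
    is modelled as taking the group of its gateway's outgoing interface."""
    ifc = ifs[name]
    if ifc.gateway_outgoing_if is not None:
        return egress_vsd_group(ifs, ifc.gateway_outgoing_if)
    return ifc.vsd_group

def route_lookup(ingress: str, dst: str,
                 gateway_outgoing_if: str = "ethernet0/1:1") -> Optional[str]:
    """Return the egress interface, or None (the debug's 'no route') when no
    route matches both the destination prefix and the VSD group the packet
    inherited from its ingress interface."""
    ifs = build_interfaces(gateway_outgoing_if)
    pkt_vsd = ifs[ingress].vsd_group            # packet inherits ingress VSD group
    addr = ip_address(dst)
    for prefix, out_if in ROUTES:
        if addr in prefix and egress_vsd_group(ifs, out_if) == pkt_vsd:
            return out_if
    return None

if __name__ == "__main__":
    # Article's scenario: the /32 route exists, but VSD 0 != VSD 1 -> None
    print(route_lookup("ethernet0/2", "192.168.0.5"))
    # Same route when the gateway leaves via a non-VRRP interface (VSD 0)
    print(route_lookup("ethernet0/2", "192.168.0.5", "ethernet0/1"))
```

The first call reproduces the "no route" result from the debug output even though the prefix matches; the second shows the same route resolving once the egress interface is in the packet's VSD group.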

Solution:

ScreenOS does not support route-based VPNs over VRRP interfaces.
