JuniperForum.com
March 10, 2010, 12:40:44 PM
Author Topic: VPN (Policy Based) not working after HA configured (Active Passive)  (Read 699 times)
knizamm (Newbie, Posts: 3)
« on: September 02, 2009, 09:44:47 AM »

Hi guys... I've encountered a problem. When running a single SRX3600, the VPN works fine. After I configure a chassis cluster with another SRX3600 unit, it seems the VPN can't be established, not even phase 1. The difference is that in cluster mode I've configured the 2 physical trust interfaces into a single redundant interface and the 2 physical untrust interfaces into a single redundant interface. FYI, other firewall functions are working fine except the VPN. I'm running 9.6R1.13.
screenie. (Hero Member, Posts: 1235)
« Reply #1 on: September 02, 2009, 11:59:28 AM »


Hi,

What does "show log kmdlog" tell you about what's going wrong?

Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCI
knizamm (Newbie, Posts: 3)
« Reply #2 on: September 02, 2009, 02:19:49 PM »

Hi screenie,

Nothing much....

Aug 24 16:00:42 Group/Shared IKE ID VPN configured: 0
Aug 24 16:07:05 Group/Shared IKE ID VPN configured: 0
Aug 25 09:59:08 Group/Shared IKE ID VPN configured: 0
Aug 25 10:02:24 Group/Shared IKE ID VPN configured: 0
Aug 27 21:50:41 Group/Shared IKE ID VPN configured: 0
Aug 27 21:52:21 Group/Shared IKE ID VPN configured: 0
Aug 27 21:52:56 Group/Shared IKE ID VPN configured: 0
Aug 27 21:53:56 Group/Shared IKE ID VPN configured: 0
Aug 27 21:55:16 Group/Shared IKE ID VPN configured: 0
Aug 27 21:56:23 Group/Shared IKE ID VPN configured: 0
Aug 27 21:56:51 Group/Shared IKE ID VPN configured: 0
Aug 27 21:57:58 Group/Shared IKE ID VPN configured: 0
Aug 27 21:58:14 Group/Shared IKE ID VPN configured: 0
Aug 27 22:21:55 KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id 4 spi 0
Aug 27 22:36:36 Group/Shared IKE ID VPN configured: 0
Aug 27 22:37:07 Group/Shared IKE ID VPN configured: 0
Aug 28 11:06:39 Group/Shared IKE ID VPN configured: 0
Aug 28 12:13:26 Group/Shared IKE ID VPN configured: 0
Sep  2 09:51:03 Group/Shared IKE ID VPN configured: 0
Sep  2 09:51:23 Group/Shared IKE ID VPN configured: 0
Sep  2 09:52:03 Group/Shared IKE ID VPN configured: 0
Sep  2 09:56:59 Group/Shared IKE ID VPN configured: 0
Sep  2 09:58:06 Group/Shared IKE ID VPN configured: 0
Sep  2 09:58:38 Group/Shared IKE ID VPN configured: 0
Sep  2 09:59:29 Group/Shared IKE ID VPN configured: 0
Sep  2 10:00:30 Group/Shared IKE ID VPN configured: 0
Sep  2 10:00:43 Group/Shared IKE ID VPN configured: 0
Sep  2 10:01:32 Group/Shared IKE ID VPN configured: 0
Sep  2 10:01:53 Group/Shared IKE ID VPN configured: 0
Sep  2 10:02:34 Group/Shared IKE ID VPN configured: 0
Sep  2 10:03:12 Group/Shared IKE ID VPN configured: 0
Sep  2 10:03:26 Group/Shared IKE ID VPN configured: 0
Sep  2 10:03:55 Group/Shared IKE ID VPN configured: 0
Sep  2 10:04:24 Group/Shared IKE ID VPN configured: 0
Sep  2 14:09:53 Group/Shared IKE ID VPN configured: 0
Sep  2 14:18:23 Group/Shared IKE ID VPN configured: 0
Sep  2 14:18:57 Group/Shared IKE ID VPN configured: 0
Sep  2 15:23:05 KMD_INTERNAL_ERROR: Exit at kmd_process_die_peacefully 744
Sep  2 16:42:29 Group/Shared IKE ID VPN configured: 0
Sep  2 16:42:29 Obsolete parameter length_of_local_secret is not set to zero in ssh_ike_init
Sep  2 16:42:29 Obsolete parameter token_hash_type is not set to zero in ssh_ike_init

My concern is that when running a single firewall, the VPN is initiated and replied to on the same physical interface, which works fine, but in cluster mode it is initiated from the virtual interface (reth0) and the reply goes to a physical interface. Kindly advise.

Thanks.
screenie. (Hero Member, Posts: 1235)
« Reply #3 on: September 02, 2009, 02:28:11 PM »

But did you specify reth0 as outgoing interface?

Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCI
knizamm (Newbie, Posts: 3)
« Reply #4 on: September 02, 2009, 02:52:27 PM »

Yup, I have changed it from ge-0/0/0 to reth0. The Juniper docs specify reth0.0. Is there any difference?

        proposal toEDC {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy toEDC {
            mode main;
            proposals toEDC;
        }
        gateway toEDC {
            ike-policy toEDC;
            address 192.228.122.101;
            external-interface reth0;
        }
dawsonpaul (Newbie, Posts: 8)
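As an added example (not taken from the thread, the poster's device or Juniper's own documentation), this is the shape of a chassis-cluster configuration in which the IKE gateway's external-interface is the logical unit reth0.0, the form the Juniper docs mentioned above use, and in which the untrust zone explicitly admits IKE on that unit. The reth-count, redundancy-group priorities, the second node's port name (ge-7/0/0), the 192.0.2.10/24 untrust address (TEST-NET-1) and the pre-shared key are assumed placeholders; the proposal and peer address are the ones the poster shows.

```junos
chassis {
    cluster {
        /* assumed: two redundant Ethernet interfaces, reth0 (untrust) and reth1 (trust) */
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
        }
    }
}
interfaces {
    /* untrust members: one physical port from each node; the node 1 slot number is assumed */
    ge-0/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                /* assumed untrust address; IKE sources from and answers on this unit */
                address 192.0.2.10/24;
            }
        }
    }
}
security {
    ike {
        /* proposal kept as in the thread; note md5 and 3des are legacy choices */
        proposal toEDC {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy toEDC {
            mode main;
            proposals toEDC;
            /* placeholder key, replace before use */
            pre-shared-key ascii-text "REPLACE-ME";
        }
        gateway toEDC {
            ike-policy toEDC;
            address 192.228.122.101;
            /* logical unit, not the physical reth0 */
            external-interface reth0.0;
        }
    }
    zones {
        security-zone untrust {
            /* without this, inbound IKE (UDP/500) to reth0.0 is dropped by the zone */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                reth0.0;
            }
        }
    }
}
```

After committing, "show chassis cluster interfaces" confirms reth0 is up with both members, and "show security ike security-associations" shows whether phase 1 now completes; the untrust host-inbound-traffic entry is the check most often missed when an interface is moved from a physical port to a reth unit.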
« Reply #5 on: November 28, 2009, 04:49:47 PM »

knizamm - did you manage to sort this?
stolmik (Newbie, Posts: 1)
« Reply #6 on: February 08, 2010, 09:04:41 AM »

Hi,
I have the same issue but with a route-based VPN. reth0.0 on a clustered SRX3400 doesn't see any IKE/IPsec packets at all, neither incoming nor outgoing. I've opened a case with JTAC, so let's see what they find out.