This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
I'he a problem, our company has three sites connected by ipsec vpn. We are using a fvs318n and two srxn3205.
Suddenly, after many months of use, the ipsec vpn doesn't connect between the two srxn3205.
I would ask your support to solve this problem.
This is a vpn log for one of the srxn3205, I replaced firewalls ip address with ipA and ipB.
2016 Aug 23 12:21:15 [SRXN3205] [IKE] Configuration found for ipB._ 2016 Aug 23 12:21:15 [SRXN3205] [IKE] accept a request to establish IKE-SA: ipB _ 2016 Aug 23 12:21:05 [SRXN3205] [IKE] Setting DPD Vendor ID_ 2016 Aug 23 12:21:05 [SRXN3205] [IKE] Beginning Identity Protection mode._ 2016 Aug 23 12:21:05 [SRXN3205] [IKE] Initiating new phase 1 negotiation: ipA [500]<=>ipB [500]_ 2016 Aug 23 12:21:05 [SRXN3205] [IKE] Configuration found for ipB ._ 2016 Aug 23 12:21:05 [SRXN3205] [IKE] accept a request to establish IKE-SA: ipB _ 2016 Aug 23 12:21:01 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for ipB [500]. 1fd466d1ef7c98d3:0000000000000000_ 2016 Aug 23 12:20:57 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _ 2016 Aug 23 12:20:57 [SRXN3205] [IKE] Invalid SA protocol type: 0_
Already done:
- firewall restarted, one at a time and simultaneously;
- ipsec vpn configurazione deleted and reconfigured on both;
I'm glad to know that all of the VPN tunnels are now established between the FVS318N and the 2 SRXN3205. Its possible that the port you have configured on the firewall rules for the surveillance system have triggered the problem. It would be best that you state what happened to the surveillance system engineers and seek their advise as well.
I've noticed that the current firmware versions on both SRXN3205 and FVS318N are old already. I suggest you to upgrade the firmware of both SRXN3205 and FVS318N in a ladderized manner. For example, you will upgrade the firmware of the FVS318N from v4.2.1-2 to 4.3.0-19 then from v4.3.0-19 to v4.3.1-22 and so on until you reach the latest firmware v4.3.4-1. You may download the firmware versions for the FVS318N on this link. For the SRXN3205 firmware versions, click on this link.
Be reminded that it is recommended to perform a factory reset after doing a firmware upgrade then reconfigure it from scratch. You may want to get a screenshot of all the settings configured on the VPN firewalls as reference before you proceed with the firmware upgrade.
a. We added ad ip address under Security, Firewall, Lan Wan Rules to enable remote access for the surveillance system; this task hab been done on both firewalls.
b. No, the ISP are different. I can ping firewall wan address from one to other and vice versa;
Let us isolate the problem. Have you tried to disable the firewall rule you have newly created on both SRXN3205 then check if the VPN tunnel will establish between the 2 SRXN3205? I ask this because this is the only change you've made before the problem occurred.
I've disabled the rules and now it works! But I don't know how this can interfere with the vpn! However I need a remote access to the surveillance system. Any idea to solve the problem is really appreciate!
Unfortunately, now the problem concerns the connections between the two srxn3205 and the fvs318n. Ipsec vpn doesn't work!
a. What port have you opened on both SRX3205 in the firewall rules you have previously created for the surveillance system?
b. Have you tried to delete the existing VPN and IKE policies between the FVS318N and the 2 SRXN3205 then re-create it using the VPN Wizard then check if the VPN tunnel will establish?
a. on the firs one 10001, on the second one no port configured, only ip address, unfortunately I don't know why, tha configuration has been done by another person;
b. not yet, now it's working as described below;
c. 4.2.1-2.
This morning I found an anomalous traffic between one of the srxn3205 and the fvs318n. I've disabled the surveillance system access on all firewalls and now all the vpns are working.
I suppose a configuration conflict but I don't know how to fix it, perhaps I need to declare a specific port and configure a specific serverice for inbound traffic, I would ask your opinion. I can also contact our surveillance system engineers.
I'm glad to know that all of the VPN tunnels are now established between the FVS318N and the 2 SRXN3205. Its possible that the port you have configured on the firewall rules for the surveillance system have triggered the problem. It would be best that you state what happened to the surveillance system engineers and seek their advise as well.
I've noticed that the current firmware versions on both SRXN3205 and FVS318N are old already. I suggest you to upgrade the firmware of both SRXN3205 and FVS318N in a ladderized manner. For example, you will upgrade the firmware of the FVS318N from v4.2.1-2 to 4.3.0-19 then from v4.3.0-19 to v4.3.1-22 and so on until you reach the latest firmware v4.3.4-1. You may download the firmware versions for the FVS318N on this link. For the SRXN3205 firmware versions, click on this link.
Be reminded that it is recommended to perform a factory reset after doing a firmware upgrade then reconfigure it from scratch. You may want to get a screenshot of all the settings configured on the VPN firewalls as reference before you proceed with the firmware upgrade.
