Re: VPN gateway to gateway SRX5308 IPsec SA Established but no traffic

marcobravissimo · ‎2017-10-09

I have 2 srx5308 last firmware upgrated. i

I have two SRX5308 connected gateway to gateway, connect IPsec SA Established but do no traffic. One of them runs the trafficbut the arrive to lan destiantion, if i can tray to monitoring--> ping the result is filed and i can tray Tracerute--> filed I attacced the log:

ONE the make traffic:

Mon Oct 09 18:29:25 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194 ->195.100.200.194 with spi=235890753(0xe0f6841)

Mon Oct 09 18:29:25 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.223.231.194->195.88.99.194 with spi=45451481(0x2b588d9)

Mon Oct 09 18:29:25 2017 (GMT +0200): [SRX5308] [IKE] INFO: Initiating new phase 2 negotiation: 195.88.99.194 [0]<=>195.223.231.194[0]

Mon Oct 09 18:29:25 2017 (GMT +0200): [SRX5308] [IKE] INFO: Configuration found for 195.223.231.194.

Mon Oct 09 18:29:25 2017 (GMT +0200): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 10.1.10.0/24<->10.2.10.0/24

Mon Oct 09 18:29:08 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=198068733(0xbce49fd).

Mon Oct 09 18:29:08 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=162319720(0x9accd68).

Mon Oct 09 18:29:08 2017 (GMT +0200): [SRX5308] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.

Mon Oct 09 18:29:03 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194 ->195.100.200.194 with spi=162319720(0x9accd68)

Mon Oct 09 18:29:03 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.223.231.194->195.88.99.194 with spi=198068733(0xbce49fd)

Mon Oct 09 18:29:03 2017 (GMT +0200): [SRX5308] [IKE] INFO: Initiating new phase 2 negotiation: 195.88.99.194 [0]<=>195.223.231.194[0]

Mon Oct 09 18:29:03 2017 (GMT +0200): [SRX5308] [IKE] INFO: Configuration found for 195.223.231.194.

Mon Oct 09 18:29:03 2017 (GMT +0200): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 10.1.10.0/24<->10.2.10.0/24

Mon Oct 09 18:29:02 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=31270826(0x1dd27aa).

Mon Oct 09 18:29:02 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=128931250(0x7af55b2).

Mon Oct 09 18:29:02 2017 (GMT +0200): [SRX5308] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.

SECOND firewall no-traffic:

Mon Oct 09 18:30:51 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194->195.88.99.194- with spi=45451481(0x2b588d9)

Mon Oct 09 18:30:51 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194-->195.88.99.194 with spi=235890753(0xe0f6841)

Mon Oct 09 18:30:51 2017 (GMT +0200): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 10.2.10.0/24<->10.1.10.0/24

Mon Oct 09 18:30:51 2017 (GMT +0200): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: 195.88.99.194[0]<=>195.88.99.194-[0]

Mon Oct 09 18:30:33 2017 (GMT +0200): [SRX5308] [IKE] INFO: Phase 2 sa deleted 195.88.99.194-195.88.99.194-

Mon Oct 09 18:30:33 2017 (GMT +0200): [SRX5308] [IKE] INFO: Sending Informational Exchange: delete payload[]

Mon Oct 09 18:30:33 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] Flushing SAs for peer "195.88.99.194-" with spi 198068733

Mon Oct 09 18:30:29 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194->195.88.99.194- with spi=198068733(0xbce49fd)

Mon Oct 09 18:30:29 2017 (GMT +0200): [SRX5308] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 195.88.99.194-->195.88.99.194 with spi=162319720(0x9accd68)

Mon Oct 09 18:30:29 2017 (GMT +0200): [SRX5308] [IKE] INFO: Using IPsec SA configuration: 10.2.10.0/24<->10.1.10.0/24

Mon Oct 09 18:30:29 2017 (GMT +0200): [SRX5308] [IKE] INFO: Responding to new phase 2 negotiation: 195.88.99.194[0]<=>195.88.99.194-[0]

Mon Oct 09 18:30:28 2017 (GMT +0200): [SRX5308] [IKE] INFO: Phase 2 sa deleted 195.88.99.194-195.88.99.194-

Mon Oct 09 18:30:28 2017 (GMT +0200): [SRX5308] [IKE] INFO: Sending Informational Exchange: delete payload[

Mon Oct 09 16:30:28 2017 (GMT +0000): [SRX5308] [IKE] INFO: [IPSEC_VPN] Flushing SAs for peer "195.88.99.194-" with spi 31270826

grazie mille

JohnC_V · ‎2017-10-10

Hi marcobravissimo,

Welcome to our community!

May you be able to attach some screenshots of your configurations?

Regards.

marcobravissimo · ‎2017-10-16

JohnC_V · ‎2017-10-16

@marcobravissimo,

Thank you for your attachments. How is everything connected from these firewalls? Are they connected directly to the back of the modem or Is it connected to a router? If it is still connected to a router, I may advise you to double check if the router was set to full bridge mode. Also, update the firmware to latest version.

Thank you!

Regards,