Troubleshooting a Site to Site VPN on a SRX Series Gateway
Firewalls - Juniper - SRX Series Gateway
Saturday, 27 August 2011 00:00
Within this article we will look at the steps required to debug a Site to Site VPN on an SRX Series gateway, working from the configuration through Phase 1, Phase 2, the SA counters and finally the traceoptions debugs.
1. Confirm Configuration
First of all check the VPN configuration. This is also useful when you need to confirm the Phase 1 and Phase 2 parameters with the remote end: the `security ike` hierarchy holds the Phase 1 parameters (proposal, policy and gateway), while the Phase 2 parameters (IPsec proposal, policy and VPN) live under `security ipsec`. Both ends must agree on every proposal value (authentication method, encryption and hash algorithms, DH group and lifetimes) or the respective phase will not complete.
admin@srx> show configuration security ike
2. Confirm Phase 1
To confirm the successful completion of Phase 1 run the following command and check that the SA to the remote peer is in state UP. If Phase 1 fails to complete, revisit your Phase 1 parameters using the commands shown in Section 1.
admin@srx> show security ike security-associations
3. Confirm Phase 2
To confirm the successful completion of Phase 2 run the following command. A healthy tunnel shows a pair of SAs per VPN, one inbound (`<`) and one outbound (`>`), sharing the same index. If Phase 2 fails to complete, revisit your Phase 2 parameters using the commands shown in Section 1.
admin@srx> show security ipsec security-associations
If Phase 2 has completed you can confirm further details on each of the SAs (Security Associations), such as the proxy IDs negotiated, by using the SA index.
admin@srx> show security ipsec security-associations index 131073
4. IPSEC Statistics
To view the traffic statistics for a Phase 2 SA run the following command. The output contains a number of counters; the most useful for troubleshooting are the Encrypted and Decrypted packet counters. Encrypted counts what this SRX has sent into the tunnel and Decrypted counts what it has received from the peer, so running the command twice a few seconds apart while test traffic is generated tells you which direction is failing: Encrypted climbing while Decrypted stays flat points at the remote side or the return path, the reverse points at local routing or policy.
admin@srx> show security ipsec statistics index 131073
5. Perform Debug (Traffic)
If Phase 1 and Phase 2 both establish but traffic is still not passing across the VPN tunnel, a flow debug restricted with a packet-filter to the interesting traffic will provide further granularity into each step the packet takes through the device (route lookup, policy lookup and tunnel encapsulation).
6. Perform Debug (Crypto)
To debug the IKE (crypto) engine the following commands are run.
A useful tip when viewing the debug logs is to tail the file from the shell while filtering out the empty lines. This (a) makes the output easier to read and (b), as long as your SSH client's scrollback buffer is large enough, lets you go back over earlier output should the trace file reach its maximum size and wrap.
root@srx100> start shell
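The steps above can be scripted as a triage pass over captured CLI output. The following is an added example, not part of the original article: it decides which step failed (Phase 1, Phase 2, or one direction of traffic) from the outputs of sections 2 to 4 and then prints the Junos traceoptions statements for the debug the next step calls for (sections 5 and 6). The sample outputs are constructed to mirror the column layout of the 2011-era commands on this page; column order varies between Junos releases, so treat the parsing as a starting point. The traceoptions `set` statements are standard Junos syntax, but the peer address, file names, packet-filter names and prefixes are placeholders chosen for the example.

```python
"""Added triage helper for the SRX site-to-site VPN steps on this page.
Not from the original article; sample outputs below are constructed."""
import re
from typing import Dict, List, Set

PEER = "203.0.113.2"  # assumed remote gateway address (documentation range)

# constructed: step 2 output, Phase 1 established / not established
IKE_SA_UP = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       203.0.113.2     UP     744a594d957dd513  1e1307db82f58387  Main
"""
IKE_SA_DOWN = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
2       203.0.113.2     DOWN   0a1b2c3d4e5f6071  0000000000000000  Main
"""
# constructed: step 3 output, one SA pair (inbound '<', outbound '>') / none
IPSEC_SA = """\
  Total active tunnels: 1
  ID      Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <131073 203.0.113.2      500   ESP:3des/sha1   30f7a6d7 3345/ unlim   -   root
  >131073 203.0.113.2      500   ESP:3des/sha1   f574e8fa 3345/ unlim   -   root
"""
IPSEC_NONE = "  Total active tunnels: 0\n"
# constructed: step 4 output sampled twice a few seconds apart while pinging
STATS_T0 = """\
ESP Statistics:
  Encrypted bytes:            1200
  Decrypted bytes:            0
  Encrypted packets:          10
  Decrypted packets:          0
"""
STATS_T1 = """\
ESP Statistics:
  Encrypted bytes:            2400
  Decrypted bytes:            0
  Encrypted packets:          20
  Decrypted packets:          0
"""


def ike_phase1_up(output: str, peer: str) -> bool:
    """Step 2: is there an IKE SA to `peer` whose State column reads UP?"""
    return any(peer in fields and "UP" in fields
               for fields in (line.split() for line in output.splitlines()))


def ipsec_sa_ids(output: str, peer: str) -> Set[int]:
    """Step 3: SA indexes (e.g. 131073) to `peer` with both directions installed."""
    seen: Dict[int, Set[str]] = {}
    for m in re.finditer(r"^\s*([<>])(\d+)\s+(\S+)", output, re.M):
        direction, sa_id, gateway = m.groups()
        if gateway == peer:
            seen.setdefault(int(sa_id), set()).add(direction)
    return {i for i, dirs in seen.items() if dirs == {"<", ">"}}


def esp_packets(output: str) -> Dict[str, int]:
    """Step 4: the Encrypted/Decrypted packet counters as a dict."""
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"^\s*(Encrypted|Decrypted) packets:\s+(\d+)",
                                 output, re.M)}


def diagnose(ike_out: str, ipsec_out: str, stats_before: str,
             stats_after: str, peer: str = PEER) -> str:
    """Walk steps 2-4 and name the first thing that is wrong."""
    if not ike_phase1_up(ike_out, peer):
        return "phase1-down"
    if not ipsec_sa_ids(ipsec_out, peer):
        return "phase2-down"
    before, after = esp_packets(stats_before), esp_packets(stats_after)
    tx = after.get("encrypted", 0) - before.get("encrypted", 0)
    rx = after.get("decrypted", 0) - before.get("decrypted", 0)
    if tx and not rx:
        return "tx-only"     # we encrypt, nothing returns: far end or return path
    if rx and not tx:
        return "rx-only"     # peer sends, we never do: local route/policy into st0
    if not tx and not rx:
        return "no-traffic"  # tunnel up, nothing routed into it from either side
    return "passing"


def next_debug_config(verdict: str, src_prefix: str, dst_prefix: str) -> List[str]:
    """Junos set statements for the debug the verdict calls for (steps 5/6).
    Standard traceoptions syntax; names and prefixes are placeholders."""
    if verdict in ("phase1-down", "phase2-down"):
        return ["set security ike traceoptions file ike-debug",
                "set security ike traceoptions file size 1m",
                "set security ike traceoptions flag all"]
    if verdict in ("tx-only", "rx-only", "no-traffic"):
        return ["set security flow traceoptions file flow-debug",
                "set security flow traceoptions file size 1m",
                "set security flow traceoptions flag basic-datapath",
                f"set security flow traceoptions packet-filter pf-out "
                f"source-prefix {src_prefix} destination-prefix {dst_prefix}",
                f"set security flow traceoptions packet-filter pf-in "
                f"source-prefix {dst_prefix} destination-prefix {src_prefix}"]
    return []


if __name__ == "__main__":
    verdict = diagnose(IKE_SA_UP, IPSEC_SA, STATS_T0, STATS_T1)
    print("verdict:", verdict)
    print("\n".join(next_debug_config(verdict, "10.1.1.0/24", "10.2.2.0/24")))
```

With the constructed samples the verdict is `tx-only` (both phases up, Encrypted climbing, Decrypted flat), so the script emits the flow traceoptions with a packet-filter in each direction rather than the IKE debug; two filters are needed because a single `packet-filter` matches one direction only.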