Troubleshooting a Site to Site VPN on a SRX Series Gateway

In this article we look at the steps required to debug a Site to Site VPN on an SRX Series gateway.

1. Confirm Configuration

First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end.

admin@srx> show configuration security ike
admin@srx> show configuration security ipsec


2. Confirm Phase 1

To confirm the successful completion of Phase 1, run the following command. If Phase 1 fails to complete, revisit your Phase 1 parameters using the commands shown in Section 1.

admin@srx> show security ike security-associations
node1:
--------------------------------------------------------------
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6950    [LOCAL PEER IP]  UP     33204fba87663d94  70acacd5f938f89b  Main

3. Confirm Phase 2

To confirm the successful completion of Phase 2, run the following command. If Phase 2 fails to complete, revisit your Phase 2 parameters using the commands shown in Section 1.

admin@srx> show security ipsec security-associations
node1:
--------------------------------------------------------------
Total active tunnels: 2
ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
<131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 4fb2c1cc 2041/ unlim  -   root
>131073 [LOCAL PEER IP] 500   ESP:aes-128/sha1 3e576ead 2041/ unlim  -   root

If Phase 2 has completed, you can confirm further details on each of the SAs (Security Associations) by using the SA index.

admin@srx> show security ipsec security-associations index 131073
node1:
--------------------------------------------------------------
Virtual-system: root
Local Gateway: [REMOTE PEER IP], Remote Gateway: [LOCAL PEER IP]
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Direction: inbound, SPI: 4fb2c1cc, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 3e576ead, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64

4. IPSEC Statistics

To view the statistics for the Phase 2 SA, run the following command. The output contains a number of counters. The most interesting of these (for troubleshooting purposes) are the Encrypted and Decrypted counters, which show whether traffic is entering the tunnel locally and arriving from the remote peer.

admin@srx> show security ipsec statistics index 131073
node1:
--------------------------------------------------------------
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
AH Statistics:
Input bytes:                    0
Output bytes:                   0
Input packets:                  0
Output packets:                 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
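As an added example (not from the original article), a small Python checker that parses the output of the Phase 1 command from Section 2 and the statistics command from Section 4 and applies the same checks the article walks through. The sample output is constructed in the article's format, and the peer address 198.51.100.2 is a placeholder.

```python
import re

# Constructed sample output in the format the article shows (not a real capture).
IKE_SA_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
6950    198.51.100.2    UP     33204fba87663d94  70acacd5f938f89b  Main
"""
IPSEC_STATS_OUTPUT = """\
ESP Statistics:
Encrypted bytes:        133593600
Decrypted bytes:       1128704777
Encrypted packets:         923864
Decrypted packets:        1438716
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""

def parse_ike_sas(text):
    """(remote address, state) pairs from 'show security ike security-associations'."""
    pat = re.compile(r"^\s*\d+\s+(\S+)\s+(UP|DOWN)\s+[0-9a-f]{16}\s+[0-9a-f]{16}")
    return [(m.group(1), m.group(2)) for m in map(pat.match, text.splitlines()) if m]

def parse_ipsec_stats(text):
    """Counter name -> int from 'show security ipsec statistics' (several per line)."""
    pairs = re.findall(r"([A-Za-z ]+?):\s*(\d+)", text)
    return {name.strip(): int(value) for name, value in pairs}

def diagnose(ike_text, stats_text):
    """Apply the article's checks in order: Phase 1 up, traffic both ways, ESP errors."""
    findings = []
    if not any(state == "UP" for _, state in parse_ike_sas(ike_text)):
        findings.append("phase1-down")           # revisit the Phase 1 parameters (Section 1)
    c = parse_ipsec_stats(stats_text)
    if c.get("Encrypted packets", 0) == 0:
        findings.append("no-outbound-traffic")   # nothing is entering the tunnel locally
    if c.get("Decrypted packets", 0) == 0:
        findings.append("no-inbound-traffic")    # nothing is arriving from the peer
    if c.get("Replay errors", 0):
        findings.append("replay-errors")         # packets outside the anti-replay window were dropped
    if c.get("ESP authentication failures", 0) or c.get("ESP decryption failures", 0):
        findings.append("esp-errors")            # integrity/decryption failures: recheck Phase 2
    return findings
```

On the article's sample the only finding is the replay-error counter, which is worth a look even though both phases are up and traffic is flowing.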

5. Perform Debug (Traffic)

If Phase 1 and Phase 2 are both establishing but traffic is still not passing through the VPN tunnel, a packet-filtered traffic debug of the tunnel will provide further granularity into each of the steps the packet takes.

admin@srx> configure
admin@srx# edit security flow traceoptions

[edit security flow traceoptions]
admin@srx# set file vpn-debug
admin@srx# set flag basic-datapath
admin@srx# set flag packet-drops
admin@srx# set level 15

admin@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter1 protocol esp
admin@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
admin@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
admin@srx# set packet-filter filter2 protocol esp

admin@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter3 destination-port ssh
admin@srx# set packet-filter filter3 protocol tcp
admin@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
admin@srx# set packet-filter filter4 destination-port ssh
admin@srx# set packet-filter filter4 protocol tcp

admin@srx# commit
admin@srx# run show log vpn-debug

6. Perform Debug (Crypto)

To debug the crypto engine (IKE and IPsec), run the following commands.

admin@srx> configure
admin@srx# edit security ike traceoptions

[edit security ike traceoptions]
admin@srx# set file vpn-debug-ike
admin@srx# set flag all
admin@srx# set level 15
admin@srx# top

[edit]
admin@srx# edit security ipsec traceoptions

[edit security ipsec traceoptions]
admin@srx# set file vpn-debug-ipsec
admin@srx# set flag all
admin@srx# set level 15

admin@srx# commit
admin@srx# run show log vpn-debug-ike
admin@srx# run show log vpn-debug-ipsec

7. Additional

A useful tip when viewing the debug logs is to tail the file via the shell whilst also removing the empty lines. This a) makes the output easier to read and b) (as long as your SSH client buffer is configured correctly) allows you to go back over previous output should the debug log reach its maximum size.

root@srx100> start shell
root@srx100% tail -f /var/log/[logfile] | grep -Ev '^$'

Rick Donato
