Within this article we will look at the various steps required in debugging a Site to Site VPN on an SRX series gateway.
1. Confirm Configuration
First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end.
user@srx> show configuration security ike
user@srx> show configuration security ipsec
2. Confirm Phase 1
To confirm the successful completion of Phase 1 run the following command. If Phase 1 fails to complete revisit your Phase 1 parameters using the commands shown in Section 1.
user@srx> show security ike security-associations
node1:
————————————————————————–
Index Remote Address State Initiator cookie Responder cookie Mode
6950 [LOCAL PEER IP] UP 33204fba87663d94 70acacd5f938f89b Main
3. Confirm Phase 2
To confirm the successful completion of Phase 2 run the following command. If Phase 2 fails to complete revisit your Phase 2 parameters using the commands shown in Section 1.
user@srx> show security ipsec security-associations
node1:
————————————————————————–
Total active tunnels: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 [LOCAL PEER IP] 500 ESP:aes-128/sha1 4fb2c1cc 2041/ unlim – root
>131073 [LOCAL PEER IP] 500 ESP:aes-128/sha1 3e576ead 2041/ unlim – root
If Phase 2 has completed you can confirm further details on each of the SAs (Security Associations) by using the SA index.
user@srx> show security ipsec security-associations index 131073
node1:
————————————————————————–
Virtual-system: root
Local Gateway: [REMOTE PEER IP], Remote Gateway: [LOCAL PEER IP]
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Direction: inbound, SPI: 4fb2c1cc, AUX-SPI: 0, VPN Monitoring: –
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 3e576ead, AUX-SPI: 0, VPN Monitoring: –
Hard lifetime: Expires in 2028 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1448 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
4. IPSEC Statistics
To confirm statistics for the Phase 2 SA run the following command. The output contains a number of counters. The most interesting of these (for troubleshooting purposes) are the Encrypted and Decrypted counters: if one side moves while the other stays flat, traffic is only flowing in one direction.
user@srx> show security ipsec statistics index 131073
node1:
————————————————————————–
ESP Statistics:
Encrypted bytes: 133593600
Decrypted bytes: 1128704777
Encrypted packets: 923864
Decrypted packets: 1438716
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
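As an added example (not part of the original article), the following Python script parses two consecutive captures of the `show security ipsec statistics` output and applies the rule of thumb above: it flags one-way traffic from the Encrypted/Decrypted packet counters and reports any error counter that has moved between the two captures. The sample outputs are constructed from the values on this page, with the second capture invented to show a fault.

```python
import re

# Constructed sample: the page's counters as a first capture (T0) ...
SAMPLE_T0 = """\
ESP Statistics:
Encrypted bytes: 133593600
Decrypted bytes: 1128704777
Encrypted packets: 923864
Decrypted packets: 1438716
Errors:
AH authentication failures: 0, Replay errors: 1021
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
"""
# ... and a constructed second capture (T1): we are still encrypting,
# nothing is being decrypted, and replay errors keep climbing.
SAMPLE_T1 = SAMPLE_T0.replace("Encrypted packets: 923864", "Encrypted packets: 923964") \
                     .replace("Replay errors: 1021", "Replay errors: 1026")

# Matches every "Counter name: <number>" pair, including several per line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]+?):\s+(\d+)")

def parse_stats(text):
    """Return {counter name: value} for all numeric counters in the output."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}

def assess_tunnel(before_text, after_text):
    """Compare two captures and return a list of human-readable findings."""
    before, after = parse_stats(before_text), parse_stats(after_text)
    delta = {k: after[k] - before[k] for k in after if k in before}
    findings = []
    enc = delta.get("Encrypted packets", 0)
    dec = delta.get("Decrypted packets", 0)
    if enc == 0 and dec == 0:
        findings.append("no ESP traffic either way: check routing and policy towards the tunnel")
    elif enc > 0 and dec == 0:
        findings.append("encrypting but nothing decrypted: remote end is not returning traffic")
    elif dec > 0 and enc == 0:
        findings.append("decrypting but nothing encrypted: local end is not sending return traffic")
    for name in ("Replay errors", "ESP authentication failures",
                 "ESP decryption failures", "Bad headers", "Bad trailers"):
        if delta.get(name, 0) > 0:
            findings.append(f"{name} increased by {delta[name]}")
    return findings

if __name__ == "__main__":
    for line in assess_tunnel(SAMPLE_T0, SAMPLE_T1):
        print("WARN:", line)
```

Run it against two real captures taken a few seconds apart (paste each into the sample strings, or read them from files) to get the same one-way and error-counter verdicts.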
5. Perform Debug (Traffic)
If Phase 1 and Phase 2 are both establishing but traffic is still not passing through the VPN tunnel, a packet-filter traffic debug of the tunnel will provide further granularity into each of the steps the packet takes. The filters below capture the ESP traffic between the peers in both directions (filter1 and filter2) and the cleartext SSH traffic to and from the internal server (filter3 and filter4).
user@srx> configure
user@srx# edit security flow traceoptions
[edit security flow traceoptions]
user@srx# set file vpn-debug
user@srx# set flag basic-datapath
user@srx# set flag packet-drops
user@srx# set level 15
user@srx# set packet-filter filter1 source-prefix [LOCAL PEER IP]
user@srx# set packet-filter filter1 destination-prefix [REMOTE PEER IP]
user@srx# set packet-filter filter1 protocol esp
user@srx# set packet-filter filter2 destination-prefix [LOCAL PEER IP]
user@srx# set packet-filter filter2 source-prefix [REMOTE PEER IP]
user@srx# set packet-filter filter2 protocol esp
user@srx# set packet-filter filter3 destination-prefix [INTERNAL SERVER IP]
user@srx# set packet-filter filter3 destination-port ssh
user@srx# set packet-filter filter3 protocol tcp
user@srx# set packet-filter filter4 source-prefix [INTERNAL SERVER IP]
user@srx# set packet-filter filter4 destination-port ssh
user@srx# set packet-filter filter4 protocol tcp
user@srx# commit
user@srx# run show log vpn-debug
6. Perform Debug (Crypto)
To debug the crypto engine (IKE for Phase 1, IPsec for Phase 2) the following commands are run.
user@srx> configure
user@srx# edit security ike traceoptions
[edit security ike traceoptions]
user@srx# set file vpn-debug-ike
user@srx# set flag all
user@srx# set level 15
user@srx# top
[edit]
user@srx# edit security ipsec traceoptions
[edit security ipsec traceoptions]
user@srx# set file vpn-debug-ipsec
user@srx# set flag all
user@srx# set level 15
user@srx# commit
user@srx# run show log vpn-debug-ike
user@srx# run show log vpn-debug-ipsec
7. Additional
A useful tip when viewing the debug logs is to tail the file via the shell whilst also removing the empty lines. This a) makes it easier to read and b) also (as long as your SSH client buffer is configured correctly) allows you to go back over previous output should the debug log reach its maximum size.
user@srx> start shell
user@srx% tail -f /var/log/[logfile] | grep -Evi '^$'