SRX Route Based VPN Issue (packet dropped, pak dropped since re-route failed)

Issue

Traffic fails to route through the tunnel interface when using a Route Based VPN on an SRX platform.

The following is observed:

  • Both Phase 1 and Phase 2 establish successfully.
  • Traffic is received inbound from the remote peer and decrypted successfully.
  • Multiple VPN policies are assigned to a single tunnel interface.
  • The following error messages appear in the packet-filter (flow trace) output.

:CID-2:RT:  reth1.0:10.1.10.2->172.16.1.4, icmp, (0/0)
:CID-2:RT: find flow: table 0x513a9788, hash 38416(0xffff), sa 10.1.10.2, da 172.16.1.4, sp 27686, dp 46842, proto 1, tok 7
:CID-2:RT:  flow got session.
:CID-2:RT:  flow session id 40098
:CID-2:RT:  route lookup failed: dest-ip 172.16.1.4 orig ifp st0.0 output_ifp reth0.0 fto 0x25bc49a0 orig-zone 8 out-zone 6 vsd 0
:CID-2:RT:  packet dropped,   pak dropped since re-route failed

Solution

In order to successfully route traffic via the tunnel interface when using multiple VPN policies (within a Route Based VPN setup), two options are available:

  1. Configuring multiple tunnel interfaces and assigning a single VPN policy to each one.
  2. Configuring the tunnel interface as a multi-point interface. If the remote peer is not a J Series or SRX device, a static NHTB entry is required.

This solution summarises the configuration steps for option 1.

1. Create Multiple Tunnel Interfaces

set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet

2. Assign Tunnel Interfaces to Zones

set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2

3. Bind Security Policies to Tunnel Interfaces

set security ipsec vpn ipsec-vpn-policy0 bind-interface st0.0
set security ipsec vpn ipsec-vpn-policy1 bind-interface st0.1
set security ipsec vpn ipsec-vpn-policy2 bind-interface st0.2

4. Create Routes

set routing-options static route 10.0.0.0/24 next-hop st0.0
set routing-options static route 10.1.0.0/24 next-hop st0.1
set routing-options static route 10.2.0.0/24 next-hop st0.2
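As an added check, not part of the original article, the following Python script audits a list of Junos `set` commands for the condition described above (more than one VPN bound to a single point-to-point st0 unit, or a bound unit with no zone or static route) and pulls the "route lookup failed" signature out of flow-trace output. The `multipoint` keyword recognised for option 2 is assumed from standard Junos interface syntax; the sample configuration is constructed.

```python
"""Audit Junos SRX 'set'-style configuration for the condition this article
describes (several IPsec VPNs bound to one point-to-point st0 unit) and pick
out the 'route lookup failed' trace line that precedes a re-route drop."""
import re
from collections import defaultdict

BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (st0\.\d+)$")
ZONE_RE = re.compile(r"^set security zones security-zone \S+ interfaces (st0\.\d+)$")
ROUTE_RE = re.compile(r"^set routing-options static route \S+ next-hop (st0\.\d+)$")
MPOINT_RE = re.compile(r"^set interfaces st0 unit (\d+) multipoint$")  # option 2 form
DROP_RE = re.compile(r"route lookup failed: dest-ip (\S+) orig ifp (\S+) output_ifp (\S+)")

def audit_config(config_lines):
    """Return findings; an empty list means each bound st0 unit carries one
    VPN (or is multipoint), is placed in a zone, and has a static route."""
    vpns_per_unit = defaultdict(list)
    zoned, routed, multipoint = set(), set(), set()
    for raw in config_lines:
        line = raw.strip()
        if m := BIND_RE.match(line):
            vpns_per_unit[m.group(2)].append(m.group(1))
        elif m := ZONE_RE.match(line):
            zoned.add(m.group(1))
        elif m := ROUTE_RE.match(line):
            routed.add(m.group(1))
        elif m := MPOINT_RE.match(line):
            multipoint.add(f"st0.{m.group(1)}")
    findings = []
    for unit, vpns in sorted(vpns_per_unit.items()):
        if len(vpns) > 1 and unit not in multipoint:
            findings.append(f"{unit}: {len(vpns)} VPNs bound to a point-to-point unit")
        if unit not in zoned:
            findings.append(f"{unit}: not assigned to a security zone")
        if unit not in routed:
            findings.append(f"{unit}: no static route uses it as next-hop")
    return findings

def find_reroute_drops(trace_lines):
    """Return (dest-ip, orig ifp, output ifp) for every flow-trace line that
    reports a failed route lookup, the drop signature shown in the article."""
    return [m.groups() for line in trace_lines if (m := DROP_RE.search(line))]

# Constructed sample: the failing layout, two VPNs sharing point-to-point st0.0.
BROKEN = [
    "set security zones security-zone vpn interfaces st0.0",
    "set security ipsec vpn ipsec-vpn-policy0 bind-interface st0.0",
    "set security ipsec vpn ipsec-vpn-policy1 bind-interface st0.0",
    "set routing-options static route 10.0.0.0/24 next-hop st0.0",
]
```

Feeding the output of `show configuration | display set` to `audit_config` reproduces the article's root cause as a single finding on the shared unit; `find_reroute_drops` gives the destination and the interfaces involved for each drop in a flow trace.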

Rick Donato
