Troubleshoot IPsec issues
root@vSRX1> show security ike debug-status
Disabled
root@vSRX1> request security ike debug-enable local 1.2.3.21 remote 1.2.3.22
root@vSRX1> show security ike debug-status
Enabled
flag: all
level: 7
Local IP: 1.2.3.21, Remote IP: 1.2.3.22
Mar 20 16:00:00 vSRX1 cron[3289]: (root) CMD ( /usr/libexec/atrun)
Mar 20 16:00:00 vSRX1 cron[3290]: (root) CMD (newsyslog)
Mar 20 16:00:17 vSRX1 kmd[1165]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GW, Local: 1.2.3.21/500, Remote: 1.2.3.21/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 20 16:01:17 vSRX1 kmd[1165]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GW, Local: 1.2.3.21/500, Remote: 1.2.3.21/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 20 16:02:17 vSRX1 kmd[1165]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GW, Local: 1.2.3.21/500, Remote: 1.2.3.21/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 20 16:04:17 vSRX1 last message repeated 2 times
Mar 20 16:05:00 vSRX1 cron[3294]: (root) CMD ( /usr/libexec/atrun)
Mar 20 16:05:17 vSRX1 kmd[1165]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GW, Local: 1.2.3.21/500, Remote: 1.2.3.21/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 21 02:09:16 vSRX1 eventd[955]: SYSTEM_ABNORMAL_SHUTDOWN: System abnormally shut down
Mar 21 02:09:16 vSRX1 eventd[955]: SYSTEM_OPERATIONAL: System is operational
Mar 21 02:09:16 vSRX1 /kernel: Copyright (c) 1996-2015, Juniper Networks, Inc.
Mar 21 02:09:16 vSRX1 /kernel: All rights reserved.
Response: change the remote IP address in the security ike gateway (the failed negotiations above log Remote: 1.2.3.21, the same address as Local).
root@vSRX1> show configuration security ike gateway IKE-GW | display set
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 1.2.3.22
set security ike gateway IKE-GW external-interface ge-0/0/0
root@vSRX1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2101212 UP     767790f7193ba6ca  78bbb3150f022cd2  Main  1.2.3.22
root@vsrx1> show log messages | no-more
. . .
Mar 21 11:18:53 vSRX1 rpd[1160]: EVENT UpDown st0.1 index 69 <Up Broadcast PointToPoint Multicast>
Mar 21 11:18:53 vSRX1 kmd[1166]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.2.3.21, Remote gateway: 1.2.3.22, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xc016fe6c, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Mar 21 11:18:53 vSRX1 mgd[1282]: auto-snapshot is not configured
Mar 21 11:18:53 vSRX1 kmd[1166]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.2.3.21, Remote gateway: 1.2.3.22, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xcc33a2c0, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Mar 21 11:18:53 vSRX1 kmd[1166]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-VPN from 1.2.3.22 is up. Local-ip: 1.2.3.21, gateway name: IKE-GW, vpn name: IPSEC-VPN, tunnel-id: 131073, local tunnel-if: st0.1, remote tunnel-ip: Not-Available, Local IKE-ID: 1.2.3.21, Remote IKE-ID: 1.2.3.22, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Mar 21 11:18:53 vSRX1 mgd[1282]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync begins
Mar 21 11:18:53 vSRX1 mgd[1282]: UI_COMMIT_PROGRESS: Commit operation in progress: ssync ends
Mar 21 11:18:53 vSRX1 mgd[1282]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete
Mar 21 11:18:53 vSRX1 mib2d[1159]: SNMP_TRAP_LINK_UP: ifIndex 525, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.1
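Added example, not part of the original notes or of Junos: a Python script that scans syslog text for the kmd "IKE negotiation failed" lines shown above, counts them per gateway (including "last message repeated" lines), and flags a gateway whose Remote address equals its Local address, the condition visible in the failed negotiations above. The sample log is constructed; GW-B, VPN-B and 1.2.3.30 are made-up values.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the kmd lines shown above (GW-B/VPN-B are made up).
SAMPLE_LOG = """\
Mar 20 16:00:00 vSRX1 cron[3290]: (root) CMD (newsyslog)
Mar 20 16:02:17 vSRX1 kmd[1165]: IKE negotiation failed with error: Invalid syntax. IKE Version: 1, VPN: IPSEC-VPN Gateway: IKE-GW, Local: 1.2.3.21/500, Remote: 1.2.3.21/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 20 16:04:17 vSRX1 last message repeated 2 times
Mar 20 16:05:00 vSRX1 cron[3294]: (root) CMD ( /usr/libexec/atrun)
Mar 20 16:06:17 vSRX1 kmd[1165]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN-B Gateway: GW-B, Local: 1.2.3.21/500, Remote: 1.2.3.30/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
"""

FAIL_RE = re.compile(
    r"kmd\[\d+\]: IKE negotiation failed with error: (?P<error>.+?)\. IKE Version: \d+, "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gw>\S+), "
    r"Local: (?P<local>[^/\s]+)/\d+, Remote: (?P<remote>[^/\s]+)/\d+")
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def summarize_ike_failures(text):
    """Return {gateway: {"count", "errors", "self_peering"}} from syslog text."""
    stats = defaultdict(lambda: {"count": 0, "errors": set(), "self_peering": False})
    last_gw = None  # gateway of the previous line, if that line was an IKE failure
    for line in text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            # syslogd collapses duplicates; credit them to the preceding failure.
            if last_gw:
                stats[last_gw]["count"] += int(rep.group(1))
            continue
        m = FAIL_RE.search(line)
        last_gw = m.group("gw") if m else None
        if not m:
            continue
        entry = stats[last_gw]
        entry["count"] += 1
        entry["errors"].add(m.group("error"))
        # Remote equal to Local: the gateway address points back at this device.
        if m.group("local") == m.group("remote"):
            entry["self_peering"] = True
    return dict(stats)

if __name__ == "__main__":
    for gw, s in summarize_ike_failures(SAMPLE_LOG).items():
        hint = " <- Remote equals Local: check 'address' under this ike gateway" if s["self_peering"] else ""
        print(f"{gw}: {s['count']} failures, {sorted(s['errors'])}{hint}")
```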