SSG5 : VPN Site To Site - SA Active - Link Off



  • Hi J friends,

    I got some problems with VPN Site to Site.
    I tested it in a lab environment.

    Local LAN 1 : 192.168.11.0/24
    WAN 1 : 200.0.0.1/24

    Local LAN 2 : 192.168.12.0/24
    WAN 2 : 200.0.0.2/24

    WAN 1 and WAN 2 are directly connected via UTP cable.

    So basically I assign the IP to the interface… then I use the wizard.
    *I have already tried manual …

    I check the VPN status… it says SA Active but the link is off…
    I don't know what that means… does it mean that it is not running?

    I test from my LAN 1… it can reach LAN 2, and vice versa.
    I check the routing, it says the default route (0.0.0.0) is via the tunnel.

    Can anyone clarify the statement Link Off?

    Because I got a bit curious about this…



  • Hehe, no problem, I’m happy you posted your solution. Anyway, when you had A/D you should check your VPN monitor settings. It seems there were some problems here.



  • yes indeed … 😉 but after the link is active it came up with A/D … 😉 sorry for being so confusing



  • What “A/D” issue? Your last post was an “I/I” issue… 😄



  • just solved the A/D issue … by confirming these options are set:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB9522

    now the link is active.



  • You do NAT? What's the output of “get conf | inc ike” and “get ike cookies”? Does your NAT device forward the traffic correctly?



  • may I warm up this topic? am I allowed? if not just move it to t 😉

    otherwise I would go ahead: I am facing the same issue as the previous poster…

    The remote peer “get sa” tells me the following:

    
    os-> get sa
    total configured sa: 1
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00000005<  xxx.xxx.xxx.113  500 esp:3des/sha1 405c8d1b  3567 unlim A/U    -1 0
    00000005>  xxx.xxx.xxx.113  500 esp:3des/sha1 35f802da  3567 unlim A/U    -1 0
    
    

    my local “get sa” is like this:

    
    ns5gt-> get sa
    total configured sa: 1
    HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
    00000002<  217.xxx.xxx.19  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
    00000002>  217.xxx.xxx.19  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
    
    

    the remote untrust interface looks like this:

    
    os-> get int untrust
    Interface untrust:
      description untrust
      number 1, if_info 88, if_index 0, mode route
      link up, phy-link up/full-duplex
      status change:1, last change:03/20/2011 02:15:11
      vsys Root, zone Untrust, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 1500, operating mtu 1500, default mtu 1500
      *ip 192.168.10.254/24   mac 0014.f691.25c1
      gateway 192.168.10.1
      *manage ip 192.168.10.254, mac 0014.f691.25c1
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet disabled, SSH enabled, SNMP disabled
      web enabled, ident-reset disabled, SSL enabled
      DNS Proxy disabled, webauth enabled, g-arp enabled, webauth-ip 0.0.0.0, allow SSL only
      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled
    
    

    my untrust interface is like this:

    
    ns5gt-> get int untrust
    Interface untrust:
      description untrust
      number 1, if_info 88, if_index 0, mode route
      link up, phy-link up/full-duplex
      status change:1, last change:03/29/2011 23:22:51
      vsys Root, zone Untrust, vr trust-vr
      PPPoE instance untrust enabled
      admin mtu 0, operating mtu 1492, default mtu 1492
      *ip xxx.xxx.xxx.113/32   mac 00??.e???.??51
      gateway xxx.xxx.xxx.7
      *manage ip xxx.xxx.xxx.113, mac 00??.e???.??51
      route-deny disable
      pmtu-v4 disabled
      ping enabled, telnet disabled, SSH disabled, SNMP disabled
      web enabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, g-arp enabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
      PIM: not configured  IGMP not configured
      MLD not configured
      NHRP disabled
      bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
                 configured ingress mbw 0kbps, current bw 0kbps
                 total allocated gbw 0kbps
      DHCP-Relay disabled at interface level
      DHCP-server disabled
    
    

    what am I missing here? any help would be appreciated!!! 😉

    Thanks



  • Nice to know it resolved your query….



  • thank you very much for your help and explanation marty…
    you are the best… on this VPN case… 🙂
    once again thanks a lot



  • Your VPN tunnel was already up but you had not enabled the VPN Monitor, because of which the Link was showing as OFF. Now that you have enabled VPN Monitor, the Link has also come up.

    I could make that out from your get sa output; below are some different get sa outputs.

    a) I/I: VPN tunnel is Inactive

    b) A/-: VPN tunnel is Active, and VPN Monitor is not configured >>>>>>>>> Your case.

    c) A/U: VPN tunnel is Active, and the link (detected through VPN Monitor) is UP

    d) A/D: VPN tunnel is Active, but the link (detected through VPN Monitor) is DOWN. VPN Monitor is not getting a response to its pings.

    The two boxes which I asked you to check do the following:

    The Rekey option under VPN Monitor is another method of having the Juniper firewall do re-keys when it detects the tunnel is down. When the VPN Monitor determines that the tunnel is down, the VPN Monitor will initiate a rekey. This is similar to the IKE heartbeat rekey, with the exception that it uses the VPN Monitor mechanism.

    So now, even if interesting traffic does not pass, your VPN tunnel will not go inactive/down. If you do not want that, you can uncheck the Rekey option and simply keep the VPN Monitor box checked; perhaps that would still show your Link as Active.
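The Sta key above (I/I, A/-, A/U, A/D) is easy to misread when eyeballing `get sa` output, especially the difference between "tunnel inactive" and "tunnel up but monitor not configured". The following script is an added example for this thread, not Juniper code: it parses the `get sa` rows as pasted here, splits the Sta column into tunnel state and VPN-Monitor link state using exactly the meanings given in the post, and adds the checks an operator would run next (all-zero SPIs and an `expir` lifetime on an I/I pair, distinct non-zero SPIs on an active pair, monitor not configured). The two real outputs are the ones pasted in the thread (addresses masked by the poster); the A/- row is constructed to mirror the original poster's lab (200.0.0.2 peer) and is labelled as such.

```python
"""Decode ScreenOS 'get sa' output into tunnel state / VPN-Monitor link state.

Added example for this thread (not Juniper code). Sta meanings follow the
thread's key; the field layout follows the pasted outputs.
"""
import re

TUNNEL_STATE = {"A": "Active", "I": "Inactive"}
LINK_STATE = {
    "U": "link up (VPN Monitor pings answered)",
    "D": "link down (VPN Monitor pings unanswered)",
    "-": "VPN Monitor not configured (GUI shows Link Off)",
    "I": "no link (tunnel inactive)",
}

# One SA row: <hexid><dir> <gateway> <port> <algorithm> <spi> <life> <kb> <sta> <pid> <vsys>
SA_ROW = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]{8})(?P<dir>[<>])\s+"
    r"(?P<gateway>\S+)\s+(?P<port>\d+)\s+(?P<algorithm>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]{8})\s+(?P<life>\S+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>[AI]/[UDI-])\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)$"
)


def parse_get_sa(text):
    """Return one dict per SA row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["direction"] = "inbound" if row.pop("dir") == "<" else "outbound"
            rows.append(row)
    return rows


def assess_sa(rows):
    """Return (verdict, findings) for the inbound/outbound pair of one SA."""
    if not rows:
        return "no SA rows found", []
    findings = []
    states = {r["sta"] for r in rows}
    if len(states) > 1:
        findings.append("inbound/outbound rows disagree on Sta: %s" % sorted(states))
    tunnel, link = rows[0]["sta"].split("/")
    verdict = "%s, %s" % (TUNNEL_STATE[tunnel], LINK_STATE[link])
    if tunnel == "I":
        # Inactive: nothing was negotiated, so Phase 1 (IKE) is the place to look.
        if all(r["spi"] == "00000000" for r in rows):
            findings.append("SPI 00000000 on every row: Phase 2 never negotiated")
        if any(r["life"] == "expir" for r in rows):
            findings.append("lifetime 'expir': no live SA, check IKE (Phase 1) first")
    else:
        # Active: expect two distinct non-zero SPIs, one per direction.
        spis = {r["spi"] for r in rows if r["spi"] != "00000000"}
        if len(spis) < len(rows):
            findings.append("active SA pair should carry two distinct non-zero SPIs")
        if link == "-":
            findings.append("enable VPN Monitor (and optionally Rekey) to get link state")
        elif link == "D":
            findings.append("VPN Monitor pings fail: check monitor source interface and destination IP")
    return verdict, findings


# Outputs pasted in the thread (addresses masked by the poster).
REMOTE_GET_SA = """\
os-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000005<  xxx.xxx.xxx.113  500 esp:3des/sha1 405c8d1b  3567 unlim A/U    -1 0
00000005>  xxx.xxx.xxx.113  500 esp:3des/sha1 35f802da  3567 unlim A/U    -1 0
"""

LOCAL_GET_SA = """\
ns5gt-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<  217.xxx.xxx.19  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000002>  217.xxx.xxx.19  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
"""

# Constructed sample (not from the thread): the original poster's case, A/- against the lab peer.
LAB_GET_SA = """\
ssg5-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<  200.0.0.2        500 esp:3des/sha1 0a1b2c3d  3400 unlim A/-    -1 0
00000001>  200.0.0.2        500 esp:3des/sha1 4e5f6a7b  3400 unlim A/-    -1 0
"""

if __name__ == "__main__":
    for name, text in (("remote", REMOTE_GET_SA), ("local", LOCAL_GET_SA), ("lab", LAB_GET_SA)):
        verdict, findings = assess_sa(parse_get_sa(text))
        print("%s -> %s" % (name, verdict))
        for f in findings:
            print("   -", f)
```

Run it against a copy-pasted `get sa`; the verdict line reproduces the thread's key and the findings say which side (Phase 1, Phase 2, or VPN Monitor) to look at next.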



  • wow…
    it's up now…

    hmm, can you help me understand what that button does, so that it makes the link up?



  • Thanks for the output, can you confirm whether the VPN Monitor and Rekey are enabled in your VPN configuration?
    You can check the same in the Advanced Configuration for your VPN. That will be somewhere at the bottom of the page for the Advanced VPN config.

    If they are not enabled please enable/check them and then check the status from the GUI.



  • hi marty…
    thanks for responding to my topic…
    sorry for the delay… merry X-mas… 🙂

    here is the get sa result



  • Can you paste the ‘get sa’ output from your device? Let's see what it says, so we can check if it is a cosmetic bug or something else.

    NetScreen> get sa
    total configured sa: 1
    HEX ID    Gateway Port Algorithm    SPI      Life:sec kb    Sta PID vsys

