
Education Services Courseware

SRX SERIES DYNAMIC VPN TROUBLESHOOTING


Student Guide

SRX Series Dynamic VPN Troubleshooting

Slide 1

SRX Series Dynamic VPN Advanced Troubleshooting

2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential

Welcome to Juniper Networks SRX Series Dynamic VPN Advanced Troubleshooting eLearning module.

SERT-SRX01-A

Juniper Networks, Inc.


Slide 2


CONFIDENTIAL


Throughout this module, you will find slides with valuable detailed information. You can stop any slide with the Pause button to study the details. You can also read the notes by using the Notes tab. You can click the Feedback link at any time to submit suggestions or corrections directly to the Juniper Networks eLearning team.


Slide 3

Course Objectives
After successfully completing this course, you will be able to:
- Discuss feature descriptions of and requirements for the SRX Series Dynamic VPN
- Describe the recommended configuration
- Discuss troubleshooting recommendations
- Describe troubleshooting examples


Slide 4

Agenda: SRX Series Dynamic VPN Advanced Troubleshooting
- Feature Description and Requirements
- Recommended Configuration
- Troubleshooting Recommendations
- Troubleshooting Examples


This course consists of four main sections, provided in sequential order: Feature Description and Requirements; Recommended Configuration; Troubleshooting Recommendations; and Troubleshooting Examples.


Slide 5

SRX Series Dynamic VPN Advanced Troubleshooting

Feature Description and Requirements


Slide 6

Section Objectives
After successfully completing this section, you will be able to:
- List JTAC software license and external RADIUS server requirements
- Describe Microsoft Windows and Vista client support requirements
- Describe how WebAuth is used to authenticate a user
- Discuss how Xauth is used in the procedure for establishment of a secure IPSec VPN tunnel between the client and the SRX


Slide 7

Requirements
- JTAC Recommendation: Junos 10.0R3
- Platforms Supported (as of Junos 10.1): SRX100, SRX210, SRX240
- License is required to activate Dynamic-VPN (free for up to 2 users)

    root@flo> show system license usage
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      idp-sig                               0            1           0    2013-01-28 00:00:00 UTC
      dynamic-vpn                           0            1           0    permanent
      ax411-wlan-ap                         0            2           0    permanent

- External RADIUS server for Xauth authentication



The first recommendation from JTAC is to apply the latest version of software. We also need to have a license. In this case, we can have licenses for different numbers of users. If you only have two users, the license is not required and there is no charge. An external RADIUS server for Xauth is required for the authentication, because RADIUS is going to provide the IP address information, netmask, DNS, WINS, and so on.


Slide 8

Client Requirements
- Microsoft Windows XP or Vista
- Admin rights to install the client; once installed, no admin rights required
- Client side reference: http://www.juniper.net/techpubs/software/junossecurity/junos-security10.1/junos-security-swconfigsecurity/jd0e42056.html#jd0e42056


There are requirements for the client. The client supports Microsoft Windows XP or Vista. We need admin rights to install the client, but once it's installed, admin rights are not required. The link is to the Junos documentation that includes the client information. There's a detailed description of all the files that are installed on the client and the associated processes. It's a very good reference covering what is installed on the client.


Slide 9

Feature Description (1 of 2)
1. Point browser to https://<srx-ip>/dynamic-vpn (not needed after the 1st connection)
2. Login using Webauth configured in the SRX
3. Download from the SRX the Dynamic VPN client with IKE/IPsec configuration
4. and 5. Authenticate for Xauth
6. Obtain IP address/netmask information from remote authentication (RADIUS)
7. IKE/IPsec SAs are established with the SRX and access to protected resources behind the SRX is allowed

Reference: http://www.juniper.net/techpubs/software/junos-security/junossecurity10.1/junos-security-swconfig-security/frameset.html

Let's examine how the feature works. First, we point our browser to this URL, where the address is the IP of the SRX interface that is going to receive this dynamic VPN connection. This is only needed for the first connection, because after that the client is already downloaded and you can start the connection directly from the client. When you point the browser to this URL, you get the login prompt. WebAuth, configured in the SRX, is used to authenticate the user. Once the user is authenticated, the SRX downloads the dynamic VPN client software, which contains the IKE and IPsec configuration needed to establish the tunnel. In steps four and five, we see the Xauth authentication. The VPN tunnel is established with Xauth, and the client obtains the IP address that it is going to use. In the next step, the IP address and netmask information are obtained from the RADIUS server. Lastly, the IKE/IPsec security associations are established with the SRX. At this point, the client is able to communicate with the protected resources behind the SRX. The link at the bottom is for the documentation regarding dynamic VPN.


Slide 10

Feature Description (2 of 2)

Figure: topology with the protected resources (Finance, Database Server, Apps) behind an SRX240, plus a RADIUS server. Callouts: 2. Webauth to SRX (User/Password prompt); 5. Xauth to RADIUS (User/Password prompt).


Let's look at the steps that we mentioned in the previous slide. First, we point the browser to the SRX and get the login prompt. Type the username and password. They are authenticated by the SRX, and at this point the client download starts, with the VPN configuration. If you already have the client on your system, it will look for the VPN configuration. It starts establishing the VPN tunnel and does Xauth with the help of the RADIUS server. It asks again for the username and password, to get the IP address and netmask information from the RADIUS server. You can also receive your DNS and WINS. After we receive the information, we can finish the tunnel establishment and have the secure IPsec VPN tunnel between the client and the SRX. We are then ready to access the protected resources behind the SRX.


Slide 11

Webauth + Client Download (1st Connection Only)

Participants: Browser, Client Management, Auth, License, Wrapper

    Browser           -> Client Management : user enters URL
    Client Management -> Browser           : send login CGI
    Browser           -> Client Management : user login
    Client Management -> Auth              : invoke auth (verify credentials)
    Auth              -> Client Management : ok
    Client Management -> License           : check license
    License           -> Client Management : ok
    Client Management                      : generate token
    Client Management -> Wrapper           : send setup + init_params + client config (including token and IKE_ID)
    Wrapper                                : set up Junos filesystem
    Wrapper           -> Client Management : download client
    Client Management -> Wrapper           : start client


This shows more detail for all these steps. We are looking at the first connection, when we use the browser, as a step-by-step process. We enter the URL. The client management process in the SRX returns the login prompt; after we type the username and password, the information is sent to the authentication process (Auth) to authenticate the user. After the user is identified, the license is checked to see whether it is present and the connection can be accepted. At this point the user is identified and the license confirmed, so a token is generated and sent to the client together with the initial parameters and the configuration the client needs to use. The client then downloads the Juniper Access Manager software to start the VPN tunnel.


Slide 12

Authentication and VPN Configuration (1st and Nth Connection)

Participants: Client, Client Management, Authd

    Client starts automatically (1st connection) or user double-clicks on client (Nth connection)
    Client            -> Client Management : send token
    Client Management -> Client            : if token is null or invalid, send auth-type
    Client            -> Client Management : send username/password (or RSA)
    Client Management -> Authd             : authenticate user
    Authd             -> Client Management : ok
    Client Management -> Client            : send init params + client VPN config
    Client                                 : prompt for username/password (or RSA) for XAuth


This is authentication and VPN configuration. It is not only for the first connection, but for any connection. In this case, we already have the client installed. The client starts automatically if it is the first connection. If it is not the first connection, you can double-click on the client and start the connection. At this point, the client sends a token to the client manager in the SRX device. This is how the client manager identifies the user. If the token is null or invalid, the client has to re-authenticate: we see here that the client sends the username and password again, and the authentication is done with the help of the authentication daemon. Then the initial parameters and the VPN configuration are sent again to the client. The client is now ready to initiate the VPN tunnel negotiation, the IKE negotiation, and it starts Xauth.


Slide 13

Tunnel Establishment (1st and Nth Connection)

Participants: Client, IKE, Authd, Connection Mgr

    Client enters IKE phase
    Client         -> IKE            : send username/password (or RSA) + IKE_ID
    IKE            -> Authd          : start Xauth
    Authd          -> IKE            : ok
    IKE            -> Client         : send IP/mask settings
    Client and IKE                   : create IKE/IPsec SA
    IKE            -> Connection Mgr : notify
    Connection Mgr                   : check SA, get license, create CIB entry


This shows tunnel establishment for any connection. We are already in the IKE phase, so now we do Xauth. The parameters, username and password, are sent to IKE. The IKE process in the SRX does the Xauth with the help of the authentication daemon, which in turn uses the RADIUS server to provide the IP and mask settings. These are sent to the client, so the client can finish the creation of the IKE and IPsec security associations. At this point, the IKE process notifies the connection manager, which confirms that the security associations are correct, confirms the license, and creates the client information base (CIB) entry, so that the client is registered properly in the client management database.


Slide 14

Section Summary
In this section, we:
- Listed JTAC software license and external RADIUS server requirements
- Described Microsoft Windows and Vista client support requirements
- Described how WebAuth is used to authenticate a user
- Discussed how XAuth is used in the procedure for establishment of a secure IPSec VPN tunnel between the client and the SRX


Slide 15

Learning Activity 1: Question 1

A license is required to activate Dynamic-VPN for:
a) Any number of users
b) More than 5 users
c) More than 2 users
d) None of the above


Slide 16

Learning Activity 1: Question 2

To install the client you must have administrative rights.
a) True
b) False


Slide 17

SRX Series Dynamic VPN Advanced Troubleshooting

Recommended Configuration


Slide 18

Section Objectives
After successfully completing this section, you will be able to:
- List the 7 configuration steps that are implemented to facilitate client use
- Describe how to perform each of these steps


Slide 19

Seven Steps
1. Access configuration
2. HTTPS configuration
3. IKE configuration
4. IPsec configuration
5. Dynamic VPN configuration
6. Policy configuration
7. Routing / Proxy-ARP

Figure: topology with the protected resources (Finance, Database Server, Apps) on 2.2.2.0/24 behind an SRX240, a RADIUS server at 172.30.73.206, and the addresses 4.4.4.112/24 and 1.1.1.18/24 shown on the diagram.

Reference: TN7 Configuring Dynamic VPN (Remote Access VPN Client)



We use these seven steps to make everything easy for the client. Once this is configured in the SRX and the client tries to connect, it is going to be totally transparent for the client. First we do the access configuration: how do we make the authentication? Then we need to enable HTTPS access to the SRX, because we access our URL using this service. Then we configure the VPN for IKE and IPsec. After that, we do the dynamic VPN configuration, which links all this information together. Then we have to set policy, because if we want to allow traffic through the SRX, we always need policies. Lastly, we configure routing or proxy ARP, depending on the case. On the bottom of the slide we have our Knowledge Base reference, Technote 7: Configuring Dynamic VPN.


Slide 20

Access Profile
One access profile using RADIUS for both webauth and xauth:

    root@flo> show configuration access
    profile radius-auth {
        authentication-order radius;
        radius-server {
            172.30.73.206 secret "$9$LES7dsaZjP5F245Fn/0OX7-"; ## SECRET-DATA
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile radius-auth;
        }
    }


First, we look at the access profile. In order to authenticate the users, we need to have webauth and a RADIUS server configured to do the xauth. In this case, we use the RADIUS server for both authentications: when we authenticate via webauth, we check with RADIUS as well. We don't need to have different users configured; we use RADIUS for everything. We define a profile for RADIUS, and it's very simple: we specify the authentication order, the IP address, and the secret. For the web authentication, we specify that the default profile is the RADIUS profile that we just defined.


Slide 21

HTTPS Configuration
- Enable HTTPS service (remember to enable host-inbound-traffic system-services as well)
- Use system-generated certificate

    root@flo> show configuration system services
    ssh;
    telnet;
    web-management {
        traceoptions {
            file https-debug size 1m files 2;
            level all;
            flag all;
        }
        https {
            system-generated-certificate;
        }
    }


For HTTPS, we receive requests on this service, so we need to enable web-management HTTPS under system services. We don't need to specify any interface, but in the zone configuration we need to allow host-inbound-traffic for HTTPS.


Slide 22

IKE Configuration
Define IKE configuration:
- IKE proposal
- IKE mode
- Pre-shared keys

    root@flo> show configuration security ike
    traceoptions {
        file ike-debug size 1m files 2;
        flag all;
    }
    proposal phase1-prop {
        authentication-method pre-shared-keys;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
    }
    policy ike-pol {
        mode aggressive;
        proposals phase1-prop;
        pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn"; ## SECRET-DATA
    }
    gateway dyn-vpn {
        ike-policy ike-pol;
        dynamic hostname first-user-host;
        external-interface ge-0/0/1.0;
        xauth access-profile radius-auth;
    }
    gateway dyn-vpn-second {
        ike-policy ike-pol;
        dynamic hostname second-user-host;
        external-interface ge-0/0/1.0;
        xauth access-profile radius-auth;
    }

Notes:
- One gateway for each user
- Hostname as IKE-ID
- Associate with the Xauth profile, which is the access profile defined in step 1
- The external interface should be in inet.0 with an IP address and assigned to the correct zone, which should allow the IKE host-inbound system-service

The third step is the IKE configuration, and there has to be one gateway for each user. We can see the configuration. We create a proposal that uses pre-shared keys. In the policy we need to use aggressive mode, and in the gateway we use a dynamic hostname. This is the IKE ID that will be passed to the client. We also need to specify the access profile for xauth, and this radius-auth profile is what we defined in step one. The second gateway is the same but for a different user. The external interface that we use for the VPN tunnel has to be in the inet.0 routing table, with an IP address, and assigned to the correct zone in the base configuration. In that zone, we need to configure the IKE host-inbound system service to allow the IKE packets to be received by the SRX.


Slide 23

IPsec Configuration
Define IPsec configuration:
- IPsec proposal
- PFS mandatory
- One VPN for each user

    root@flo> show configuration security ipsec
    traceoptions {
        flag all;
    }
    proposal phase2-prop {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
    }
    policy ipsec-pol {
        perfect-forward-secrecy {
            keys group5;
        }
        proposals phase2-prop;
    }
    vpn vpn-first-user {
        ike {
            gateway dyn-vpn;
            ipsec-policy ipsec-pol;
        }
    }
    vpn vpn-second-user {
        ike {
            gateway dyn-vpn-second;
            ipsec-policy ipsec-pol;
        }
    }


We define the IPsec VPN. First we define a proposal, then a policy. In the policy, we must use perfect-forward-secrecy; this is required. We define a VPN for each user, referencing each user's gateway, because we had one gateway per user. So here we have one VPN for each user.


Slide 24

Dynamic VPN Configuration
- Bind to the access-profile defined in step 1
- Define clients:
  - Protected resources
  - Networks not tunneled: remote-exceptions
  - Bind to the VPN defined in step 4
  - Bind to user (must match RADIUS)

    root@flo> show configuration security dynamic-vpn
    access-profile radius-auth;
    clients {
        first-user {
            remote-protected-resources {
                2.2.2.0/24;
            }
            remote-exceptions {
                172.0.0.0/8;
                5.5.5.0/24;
            }
            ipsec-vpn vpn-first-user;
            user {
                first-user;
            }
        }
        second-user {
            remote-protected-resources {
                2.2.2.0/24;
            }
            remote-exceptions {
                172.0.0.0/8;
            }
            ipsec-vpn vpn-second-user;
            user {
                second-user;
            }
        }
    }


Next, we do the dynamic VPN configuration. This is where we link everything together. There are two parts. First, we specify the access profile, which is the RADIUS profile. Then we define clients for all the users that are going to connect. For each user, we specify the protected resources: the networks behind the SRX that this client is going to access. Remote exceptions are configured for the networks that the client does not want to send via the tunnel; these two destinations will not be sent via the tunnel. Then we reference the VPN that was specified in the previous step. We define the username, which must match what is defined in the RADIUS server, because it is passed to RADIUS for authentication. On the bottom of the slide is the configuration for a second user as an example.


Slide 25

Security Policy Configuration
- Bind firewall policy to a tunnel
- Action tunnel using the VPN defined in step 4
- One policy for each user

    root@flo> show configuration security policies
    from-zone untrust to-zone trust {
        policy vpn-first-user {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn vpn-first-user;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }


The next step is the security policy. If we want to allow traffic from one zone to the other, we need a policy. Here, it is from zone untrust to zone trust. We define the policy with source address, destination address, and application as any. We put the tunnel action under permit and specify the VPN for the user. We need to configure a policy for each user, because each user uses a different VPN.


Slide 26

Proxy ARP / Routing Configuration
- If the IP address assigned to the client is on the same subnet as the protected resources, proxy ARP is required on the interface facing the protected resources
- If the IP is not in the same subnet, then routing is required

    root@flo> show configuration security nat
    proxy-arp {
        interface fe-0/0/5.0 {
            address {
                2.2.2.200/32 to 2.2.2.250/32;
            }
        }
    }


The last step is the proxy ARP and routing configuration. Basically, we have two cases. If the IP address assigned to the client is on the same subnet as the protected resources, we need proxy ARP configured in the SRX on the interface that faces the protected resources. This is because the protected resource thinks the client is on its own subnet and sends an ARP request for the client's IP address, and the firewall has to respond on behalf of the client. If the IP is not in the same subnet, then we need routing as usual.
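The seven steps only work when their references line up: the dynamic-vpn and IKE gateway both point at the step 1 access profile, each client's ipsec-vpn points at a step 4 VPN that rides on a step 3 gateway, a step 6 policy tunnels that VPN, and step 7 matches the addresses RADIUS hands out. The following Python script is an added example, not Juniper's code and not part of this course: it models those bindings as plain dicts (the layout is this example's own, not the Junos data model) using the names and prefixes from the slides, reports any break in the chain, and decides between proxy ARP and routing for a given client address. As on the slides, only first-user has a security policy, so the checker flags second-user.

```python
"""Consistency check for the seven-step SRX Dynamic VPN configuration.

Added example, not Juniper's code: it models the bindings the slides describe
(access profile -> IKE gateway xauth and dynamic-vpn; IKE gateway -> IPsec VPN
-> dynamic-vpn client -> security policy) as plain dicts, reports anything that
does not line up, and decides whether step 7 needs proxy ARP or routing.
The names and addresses are those on the slides; the dict layout is this
example's own, not the Junos data model.
"""
import ipaddress

# Constructed model of the slides' configuration (hostnames, VPN names and
# prefixes from the slides; the policy for second-user is absent, as on the slide).
CONFIG = {
    "access_profiles": {"radius-auth": {"radius_server": "172.30.73.206"}},
    "ike_gateways": {
        "dyn-vpn": {"dynamic_hostname": "first-user-host",
                    "external_interface": "ge-0/0/1.0", "xauth_profile": "radius-auth"},
        "dyn-vpn-second": {"dynamic_hostname": "second-user-host",
                           "external_interface": "ge-0/0/1.0", "xauth_profile": "radius-auth"},
    },
    "ipsec_vpns": {
        "vpn-first-user": {"gateway": "dyn-vpn", "pfs": "group5"},
        "vpn-second-user": {"gateway": "dyn-vpn-second", "pfs": "group5"},
    },
    "dynamic_vpn": {
        "access_profile": "radius-auth",
        "clients": {
            "first-user": {"ipsec_vpn": "vpn-first-user", "user": "first-user",
                           "protected": ["2.2.2.0/24"],
                           "exceptions": ["172.0.0.0/8", "5.5.5.0/24"]},
            "second-user": {"ipsec_vpn": "vpn-second-user", "user": "second-user",
                            "protected": ["2.2.2.0/24"], "exceptions": ["172.0.0.0/8"]},
        },
    },
    "policies": {
        "vpn-first-user": {"from_zone": "untrust", "to_zone": "trust",
                           "tunnel": "vpn-first-user"},
    },
    # proxy-arp range on the interface facing the protected resources
    "proxy_arp": {"fe-0/0/5.0": ("2.2.2.200", "2.2.2.250")},
}


def check_bindings(cfg):
    """Walk the binding chain; return a list of findings (empty == consistent)."""
    findings = []
    profiles = cfg["access_profiles"]
    if cfg["dynamic_vpn"]["access_profile"] not in profiles:
        findings.append("dynamic-vpn access-profile is not defined (step 1)")
    for name, gw in cfg["ike_gateways"].items():
        if gw["xauth_profile"] not in profiles:
            findings.append(f"gateway {name}: xauth access-profile not defined (step 1)")
    # Every VPN a client uses must exist, sit on a defined gateway, use PFS,
    # and be the tunnel action of some security policy.
    tunnelled = {p["tunnel"] for p in cfg["policies"].values()}
    for cname, client in cfg["dynamic_vpn"]["clients"].items():
        vpn_name = client["ipsec_vpn"]
        vpn = cfg["ipsec_vpns"].get(vpn_name)
        if vpn is None:
            findings.append(f"client {cname}: ipsec-vpn {vpn_name} not defined (step 4)")
            continue
        if vpn["gateway"] not in cfg["ike_gateways"]:
            findings.append(f"vpn {vpn_name}: gateway {vpn['gateway']} not defined (step 3)")
        if not vpn.get("pfs"):
            findings.append(f"vpn {vpn_name}: perfect-forward-secrecy missing (step 4)")
        if vpn_name not in tunnelled:
            findings.append(f"client {cname}: no security policy tunnels {vpn_name} (step 6)")
    return findings


def needs_proxy_arp(client_ip, protected):
    """Step 7: True when the RADIUS-assigned address lies inside a protected subnet
    (proxy ARP needed on the inside interface); False means plain routing."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in protected)


def proxy_arp_covers(cfg, client_ip):
    """True if some configured proxy-arp range includes the client address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in cfg["proxy_arp"].values())


if __name__ == "__main__":
    for f in check_bindings(CONFIG) or ["binding chain is complete"]:
        print(f)
    for ip in ("2.2.2.200", "18.18.18.200"):
        mode = "proxy ARP" if needs_proxy_arp(ip, ["2.2.2.0/24"]) else "routing"
        print(f"{ip}: {mode}; proxy-arp range covers it: {proxy_arp_covers(CONFIG, ip)}")
```

Running it reports the missing policy for second-user, shows that an address from the 2.2.2.200-250 pool needs proxy ARP on fe-0/0/5.0 (and is covered by the configured range), and that an address such as 18.18.18.200, outside 2.2.2.0/24, falls into the routing case instead.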


Slide 27

Section Summary
In this section, we:
- Listed the 7 configuration steps that are implemented to facilitate client use
- Described how to perform each of these steps


Slide 28

Learning Activity 2: Question 1

The Knowledge Base reference for the 7 steps involved in Configuring Dynamic VPN is Technote 5 (TN5).
a) True
b) False


Slide 29

Learning Activity 2: Question 2

When setting up the Dynamic VPN configuration, the access profile is the RADIUS profile.
a) True
b) False


Slide 30

SRX Series Dynamic VPN Advanced Troubleshooting

Troubleshooting Recommendations


Slide 31

Section Objectives
After successfully completing this section, you will be able to:
- List the major commands that are used in SRX VPN-related troubleshooting
- Discuss the 4 types of traceoptions that are used in the troubleshooting process
- Describe the use of the show log command
- Describe the use of the Juniper Access Manager client for troubleshooting
- Describe the available client-side command line capabilities


Slide 32

Troubleshooting Recommendations (1 of 3)
Commands:

    show security dynamic-vpn users
    show security dynamic-vpn client version
    file list /var/db/dynamic-vpn-ipsec/
    file show /var/db/dynamic-vpn-ipsec/tokens-info
    show security ike security-associations
    show security ike security-associations index <number> detail
    show security ipsec security-associations
    show security ipsec security-associations index <number> detail
    show security ipsec statistics index <number>
    show security policies from-zone <name> to-zone <name> policy <name> detail
    show security flow session
    show security flow session session-identifier <number>

We need to look at several things. First, we look at the dynamic VPN itself. Then we can check some files that have information about the users. We can check VPN-related commands, policies, and flows. We confirm it's working and check how the flows are going through the SRX.


Slide 33

Troubleshooting Recommendations (2 of 3)
Traceoptions:

    set system services web-management traceoptions file https-debug
    set system services web-management traceoptions level all
    set system services web-management traceoptions flag all
    set system processes general-authentication-service traceoptions file auth-debug
    set system processes general-authentication-service traceoptions flag all
    set security ike traceoptions file ike-debug
    set security ike traceoptions flag all
    set security ipsec traceoptions flag all
    set security flow traceoptions file flow-debug
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter dyn-vpn-filter source-prefix 18.18.18.0/24


Let's look at four different traceoptions. The first is for client management, the dynamic VPN feature. The second is for authentication: if we have problems authenticating the user, we set these traceoptions. If we have problems with VPN tunnel establishment, we set the IKE traceoptions. If we have problems with the flows, we configure flow traceoptions. For each of them, we can name the file so we know exactly where the output goes, or leave it as default, in which case it goes to the default file.


Slide 34

Troubleshooting Recommendations (3 of 3)
Logs:

    show log https-debug
    show log auth-debug
    show log ike-debug
    show log flow-debug


We can enter show log with the filename to check the output.


Slide 35

Client Side (1 of 4)
From the Juniper Access Manager client:
- Right-click on the connection and select Status to see the error messages


On the client side, we have the Juniper Access Manager open. We right-click the connection and select Status to see the connection result. If there is any problem here, we can use this message.


Slide 36

Client Side (2 of 4)
From the Juniper Access Manager client:
- Enable detailed logging
- Reproduce the issue
- Save logs and diagnostics
- File debuglog.log contains the debug messages


More detailed information can also be obtained. We select File, then Enable Detailed Logging. We try to reproduce the problem and then select File, Save Logs and Diagnostics, to create a zip file with a lot of information. The most important file is debuglog.log, because that's where the debug messages are.


Slide 37

Client Side (3 of 4)
Start -> Run -> cmd
ipconfig /all shows the virtual adapter


We can also run ipconfig /all on the client side to confirm that the virtual adapter was created.


Slide 38

Client Side (4 of 4)
Start -> Run -> cmd
route print


We can also use the command route print from the command line. We can see the networks that are protected, the ones that are exceptions, and the virtual adapter itself. In this case the virtual adapter is 18.18.18.200. The 2.2.2.0 network is the protected resource, according to the configuration we just saw. The 5.5.5.0 network is one of those we configured as an exception: you can see that its gateway is not the virtual adapter but a different gateway, so traffic to this destination will not be encrypted.
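The decision the narration walks through (protected network via the virtual adapter, exception via the physical gateway) is plain longest-prefix routing, and it can be checked mechanically. The following is an added example, not code from the course or from Juniper: it parses a constructed `route print` IPv4 table and reports whether a destination will leave through the Dynamic VPN virtual adapter. The adapter address 18.18.18.200 and the 2.2.2.0 and 5.5.5.0 networks come from the slides; the /24 masks and the physical gateway 192.168.1.1 are assumptions made for the sample.

```python
import ipaddress

# Address of the Dynamic VPN virtual adapter shown in the course's route print output.
VIRTUAL_ADAPTER = "18.18.18.200"

# Constructed sample of the IPv4 section of "route print" (not real client output).
# Masks and the physical gateway 192.168.1.1 / interface 192.168.1.50 are assumptions.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     20
          2.2.2.0    255.255.255.0     18.18.18.200   18.18.18.200     21
          5.5.5.0    255.255.255.0      192.168.1.1   192.168.1.50     21
       18.18.18.0    255.255.255.0          On-link   18.18.18.200    276
        127.0.0.0        255.0.0.0          On-link      127.0.0.1    306
===========================================================================
"""


def parse_route_print(text):
    """Return (network, gateway, interface, metric) tuples from route print output.

    Only rows with exactly five columns whose destination/mask form a valid
    network and whose interface is an address are kept; this skips the header.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)
            metric = int(metric)
        except ValueError:
            continue
        routes.append((network, gateway, iface, metric))
    return routes


def select_route(routes, destination):
    """Longest-prefix match; ties go to the lowest metric, as the Windows stack does."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def is_tunneled(routes, destination, adapter=VIRTUAL_ADAPTER):
    """True when the chosen route's gateway is the virtual adapter, i.e. the
    traffic is sent into the VPN; False for exceptions and unrelated networks."""
    route = select_route(routes, destination)
    return route is not None and route[1] == adapter


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for host in ("2.2.2.199", "5.5.5.10", "8.8.8.8"):
        print(host, "encrypted" if is_tunneled(table, host) else "clear")
```

Running it shows 2.2.2.199 (the FTP server used later in this section) as encrypted and 5.5.5.10 as clear, which is exactly what the narration reads off the gateway column.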


Slide 39

Section Summary
In this section, we:
Listed the major commands that are used in SRX VPN-related troubleshooting
Discussed the 4 types of traceoptions that are used in the troubleshooting process
Described the use of the show log command
Described the use of the Juniper Access Manager client for troubleshooting
Described the available client-side command line capabilities


In this section, we:
Listed the major commands that are used in SRX VPN-related troubleshooting
Discussed the 4 types of traceoptions that are used in the troubleshooting process
Described the use of the show log command
Described the use of the Juniper Access Manager client for troubleshooting, and
Described the available client-side command line capabilities


Slide 40

Learning Activity 3: Question 1


The 4 different traceoptions that are used in the troubleshooting process cover client management, authentication, IKE and policy management.
a) True b) False



Slide 41

Learning Activity 3: Question 2


The show log command is used with a (an) ________ to check the output.
a) Filename b) Secondary Command c) Identifier d) Target



Slide 42

SRX Series Dynamic VPN Advanced Troubleshooting

Troubleshooting Examples



Slide 43

Section Objectives
After successfully completing this section, you will be able to:
Describe the use of different categories of show commands in the troubleshooting process
Describe the use of the various traceoptions in solving Dynamic VPN problems


After successfully completing this section, you will be able to: Describe the use of different categories of show commands in the troubleshooting process, and Describe the use of the various traceoptions in solving Dynamic VPN problems


Slide 44

Successful Connection 1st Connection (1 of 5)


Authentication file auth-debug
Authentication via RADIUS is successful
root@flo> show log auth-debug
Mar 24 15:45:21 Auth-FSM: Process Auth-Request for session-id:9241386456839619719 ()
Mar 24 15:45:21 authd_radius_start_auth: Starting RADIUS authentication
Mar 24 15:45:21 authd_radius_build_basic_auth_request: got params profile=radius-auth, username=first-user ()
Mar 24 15:45:21 RADIUS server 172.30.73.206:1812 was used for last request
Mar 24 15:45:21 RADIUS result is CLIENT_REQ_STATUS_SUCCESS ()
Mar 24 15:45:21 Framework - module(radius) return: SUCCESS

1st Connection using browser:


One time for webauth to download client
Second time to download VPN configuration
Third time to execute xauth and obtain IP address/netmask

Nth Connection using client:

If token not present, need to auth to download VPN config
Xauth to obtain IP address/netmask

Looking at a successful connection, we want to show, as a reference, what is expected in a working scenario. First, we check the authentication. This is from the authentication traceoptions: we enter the show log auth-debug command and look for the return response from RADIUS. We see CLIENT_REQ_STATUS_SUCCESS and then return: SUCCESS. This is a successful authentication. If it's the first connection, we're going to use the browser. We need one authentication, using the login prompt we get in the browser, to download the client. Then, when the client starts, it requests a second authentication to download the VPN configuration. Once the VPN configuration is there, it starts the tunnel negotiation, the IKE. At this point we need to re-authenticate a third time for the xauth, to obtain the IP address. For any later connection, when we already have the client, the client passes the token to the SRX. In this case only the authentication for the xauth is needed, so you authenticate only once. If the token is not present or is invalid, we need to authenticate again to download the latest VPN configuration, and then the client establishes the tunnel and does the xauth.


Slide 45

Successful Connection 1st Connection (2 of 5)


Webauth/Dynamic-VPN file https-debug (1)
Mar 24 15:45:21 httpd gk sending ACADIA LOGIN request for username (first-user) ip (1.1.1.18)
(...)
Mar 24 15:45:21 acadia_authenticate_user: username = first-user, token = , client_identifier =
(...)
Mar 24 15:45:21 acadia_fwauthd_authenticate: sending auth request to fwauthd for IP 1010112
(...)
Mar 24 15:45:21 acadia_authenticate_user: fwauthd succeeded

Mar 24 15:45:21 get_client_config: First connection for user first-user at IP 1.1.1.18
(...)
Mar 24 15:45:21 get_client_config: Got a vpn config for username = first-user
Mar 24 15:45:21 prepare_client_config: License check request sent with token_idx 0, ike-id first-user-host, socket 14, gk type 3.
Mar 24 15:45:21 acadia_authenticate_user: return code from get_client_config: 4

Mar 24 15:45:21 acadia_authenticate_user: license response pending
(...)
Mar 24 15:45:21 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Success - License available
Mar 24 15:45:21 Token table
(...)
Mar 24 15:45:21 print_token_tbl: Contents of token table:
Mar 24 15:45:21 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: NULL, timestamp: Wed Mar 24 15:45:21 2010)


Let's now look at the traceoptions for dynamic VPN management, the client management. Let's go through the output. We get the request from the client to connect, and then we have a username. At this point there is no token, which means this is a first connection. The user is authenticated: you see fwauthd succeeded, and it is a first connection. We look up the configuration for this user and do a license check. We see Success - License available. Then we create the token. At this point the client will be downloaded.


Slide 46

Successful Connection 1st Connection (3 of 5)


Webauth/Dynamic-VPN file https-debug (2)
(...)
(after client installed)
Mar 24 15:58:43 httpd gk sending ACADIA LOGIN request for username (first-user) ip (1.1.1.18)
(...)
Mar 24 15:58:43 acadia_authenticate_user: username = first-user, token = , client_identifier = 90c5bfaa69e0debdf84ca5e4ddfc223441884a86
(...)
Mar 24 15:58:43 acadia_fwauthd_authenticate: sending auth request to fwauthd for IP 1010112
(...)
Mar 24 15:58:43 acadia_authenticate_user: fwauthd succeeded
(...)
Mar 24 15:58:43 get_client_config: Got a vpn config for username = first-user
Mar 24 15:58:43 print_token_tbl: Contents of token table:
Mar 24 15:58:43 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: 90c5bfaa69e0debdf84ca5e4ddfc223441884a86, timestamp: Wed Mar 24 15:45:21 2010)
(...)
Mar 24 15:58:43 acadia_authenticate_user: config ok or license ok
(...)


After the client is installed, the client requests the connection again. We now have a client identifier, but the token is still not present, so we need to authenticate again with webauth. Once it succeeds, we have the token and the license, so the client can start the VPN negotiation.
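The two https-debug excerpts above differ only in whether a token and a client identifier are present, and that is what decides which of the three authentications the course describes is happening. The following is an added example, not code from the course or from Juniper: it reads https-debug lines, classifies each ACADIA login request into the browser-download, configuration-download or token-reconnect phase, and parses the token table entries into dictionaries. The sample lines are taken from the output shown on the preceding slides; the phase names are this example's own labels.

```python
import re

# Lines copied from the https-debug output on the preceding slides: the first browser
# connection (no token, no client identifier) and the reconnect after the client install.
SAMPLE_HTTPS_DEBUG = """\
Mar 24 15:45:21 acadia_authenticate_user: username = first-user, token = , client_identifier =
Mar 24 15:45:21 acadia_authenticate_user: fwauthd succeeded
Mar 24 15:45:21 get_client_config: First connection for user first-user at IP 1.1.1.18
Mar 24 15:45:21 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Success - License available
Mar 24 15:45:21 print_token_tbl: Contents of token table:
Mar 24 15:45:21 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: NULL, timestamp: Wed Mar 24 15:45:21 2010)
Mar 24 15:58:43 acadia_authenticate_user: username = first-user, token = , client_identifier = 90c5bfaa69e0debdf84ca5e4ddfc223441884a86 (...)
Mar 24 15:58:43 acadia_authenticate_user: fwauthd succeeded (...)
Mar 24 15:58:43 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: 90c5bfaa69e0debdf84ca5e4ddfc223441884a86, timestamp: Wed Mar 24 15:45:21 2010)
"""

LOGIN_RE = re.compile(
    r"acadia_authenticate_user: username = (\S+), token = (\S*), client_identifier =\s*(\S*)"
)
RESULT_RE = re.compile(
    r"ACADIA LOGIN request received for username \((\S+)\) ip \((\S+)\): (.+)$"
)
# A token-table entry is a parenthesised "key: value, key: value, ..." record,
# optionally followed by the slide's "(...)" elision marker.
TOKEN_RE = re.compile(r"\((token: .+?)\)(?:\s*\(\.\.\.\))?\s*$")


def classify_login_requests(lines):
    """Return (username, phase) per ACADIA login request, using the course's logic:
    no token and no client identifier -> first connection, webauth to download the client;
    client identifier but no token     -> webauth again to download the VPN configuration;
    token present                      -> configuration already known, only XAuth remains."""
    phases = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, token, client_id = m.groups()
        if token:
            phase = "token-reconnect"
        elif client_id:
            phase = "config-download"
        else:
            phase = "browser-download"
        phases.append((user, phase))
    return phases


def login_results(lines):
    """Return (username, ip, result text) for every ACADIA LOGIN result line."""
    out = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).strip()))
    return out


def parse_token_table(lines):
    """Return one dict per token-table entry printed by print_token_tbl."""
    entries = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue
        fields = {}
        for item in m.group(1).split(", "):
            key, _, value = item.partition(": ")
            fields[key] = value
        entries.append(fields)
    return entries


if __name__ == "__main__":
    lines = SAMPLE_HTTPS_DEBUG.splitlines()
    print(classify_login_requests(lines))
    print(login_results(lines))
    for entry in parse_token_table(lines):
        print(entry["username"], entry["token"], "clientid:", entry["clientid"])
```

On the sample the first request is classified as browser-download and the second as config-download, and the token table shows the same token first with clientid NULL and then with the client identifier filled in, which is the transition the two slides describe.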


Slide 47

Successful Connection 1st Connection (4 of 5)


Webauth/Dynamic-VPN file https-debug (3)
(...)
Mar 24 15:58:54 find_acadia_cib_by_user: Searching CIB info for user: first-user
Mar 24 15:58:54 find_acadia_cib_by_user: Could not find cinfo for user: first-user
Mar 24 15:58:54 First connection. Need to obtain license.
(...)
Mar 24 15:58:54 sas_lic_get_rx--Rx SMF_MSG_TYPE_LIC_GET resp, status=0
(...)
Mar 24 15:58:54 link_cib_info: getting vpn config for user first-user
(...)
Mar 24 15:58:55 write_client_config: Wrote XML file /var/db/dynamic-vpn-ipsec/first-user90c5bfaa69e0debdf84ca5e4ddfc223441884a86-vpn-config.xml.
Mar 24 15:58:56 link_cib_info: Created CIB entry for user first-user with IKE ID first-user-host
Mar 24 15:58:56 find_acadia_cib_by_user: Searching CIB info for user: first-user
Mar 24 15:58:56 find_acadia_cib_by_user: Found cinfo for user: first-user
(...)
Mar 24 15:58:56 print_acadia_cib_hash_tbl: list for bucket 200:
Mar 24 15:58:56 (user first-user, connection_count 1)
Mar 24 15:58:56 (ike-gateway dyn-vpn, ike-id first-user-host, refCount 1)


The client now confirms the configuration. We can see that the configuration is saved to an XML file. The client manager creates a CIB entry for this user and confirms that the user is in the database and connected: a connection count of one confirms the user is properly connected.


Slide 48

Successful Connection 1st Connection (5 of 5)


IKE/IPsec file ike-debug
Mar 24 15:58:48 ike_get_sa: Start, SA = { c414af0e 61789c55 - 00000000 00000000 } / 00000000, remote = 1.1.1.18:1196 ()
Mar 24 15:58:48 The remote server at 1.1.1.18:1196 is 'JNPR IPsec Client' ()
Mar 24 15:58:49 Phase-1 [responder] done for local=ipv4(udp:0,[0..3]=4.4.4.112) remote=fqdn(udp:0,[0..14]=first-user-host) ()
Mar 24 15:58:54 Successful Phase-2 remote access sa_cfg lookup: INSTANCE-vpn-first-user_0002_0005_0000 with p1_remote=fqdn(udp:0,[0..14]=first-user-host) ()
Mar 24 15:58:54 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Mar 24 15:58:54 4.4.4.112:500 (Responder) <-> 1.1.1.18:1196 { c414af0e 61789c55 - fece9cfb ca36abc7 [4] / 0x4dd36e0d } QM; MESSAGE: SA[0][0] = ESP 3des, life = 500000 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 0, key rounds = 0
Mar 24 15:58:54 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP 3des, life = 500000 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 0, key rounds = 0
Mar 24 15:58:54 In iked_sa_config_install Adding GENCFG msg with key; Tunnel = 2, SPI-In = 0 ()
Mar 24 15:58:54 Successfully added ipsec SA PAIR


Now we want to check how the IKE negotiation is done and how the VPN tunnel is established. We can check that with the IKE traceoptions. Going through the output, you can see the first packet received by the SRX to start the IKE negotiation, and the client is identified as a Juniper IPsec client. We can see that phase 1 is finished. We go to phase 2 and we can see the messages Successful Phase-2 and Phase 2 connection succeeded. Here you can see the details of the security association: which algorithms are used, the lifetime, the group, and the mode, tunnel or transport. At the end you get the Successfully added ipsec SA PAIR message as confirmation. Now we move on to the show commands.


Slide 49

Show Security Dynamic-vpn


Check users connected and client version
root@flo> show security dynamic-vpn users
User: first-user , Number of connections: 1
  Remote IP: 1.1.1.18
    IPsec VPN: vpn-first-user
    IKE gateway: dyn-vpn
    IKE ID : first-user-host
    Status: CONNECTED

root@flo> show security dynamic-vpn client version
Juniper Access Manager version: 1.1.0.5783


In the show commands we can get very useful information. First, for the dynamic VPN, we see the users. We can see the details of the user and the status, which is most important. We can also check which version is being used. In this case, it is 1.1.0.5783.


Slide 50

File Show / list


Check if the token information is correct
root@flo> file show /var/db/dynamic-vpn-ipsec/tokens-info
token="29b3ddba2e364363553e2fc14923ae76" username="first-user" tunnel_id="2" ike_id="first-user-host" ipsec_vpn="vpn-first-user" cib_state="2" src_ip="1.1.1.18" saved_src_ip="1.1.1.18" client_identifier="90c5bfaa69e0debdf84ca5e4ddfc223441884a86" time_created="1269894596"


We can also use the commands file show or file list. Here we see the contents of the tokens-info file, which holds the token for each user.
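When the slide says to check that the token information is correct, the useful comparison is between the tokens-info record and what show security dynamic-vpn users reports for the same user. The following is an added example, not code from the course or from Juniper: it parses the key="value" record format shown above, converts time_created (a Unix epoch in seconds) into a readable UTC timestamp, and lists the fields that disagree with the user entry you pass in. The sample record is the one on the preceding slide; the expectation that the token is 32 hexadecimal characters is this example's assumption, based on the values shown in the course.

```python
import re
from datetime import datetime, timezone

# The tokens-info record from the preceding slide (one user, one line).
SAMPLE_TOKENS_INFO = (
    'token="29b3ddba2e364363553e2fc14923ae76" username="first-user" tunnel_id="2" '
    'ike_id="first-user-host" ipsec_vpn="vpn-first-user" cib_state="2" src_ip="1.1.1.18" '
    'saved_src_ip="1.1.1.18" client_identifier="90c5bfaa69e0debdf84ca5e4ddfc223441884a86" '
    'time_created="1269894596"\n'
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumption for this example: tokens in the course are 32 lowercase hex characters.
TOKEN_SHAPE_RE = re.compile(r"[0-9a-f]{32}")


def parse_tokens_info(text):
    """One dict per non-empty line; every key="value" pair becomes an entry."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(FIELD_RE.findall(line)))
    return records


def created_at(record):
    """time_created is seconds since the Unix epoch; return an aware UTC datetime."""
    return datetime.fromtimestamp(int(record["time_created"]), tz=timezone.utc)


def check_token(record, username, ike_id, ipsec_vpn, src_ip):
    """Compare a token record with the user entry from 'show security dynamic-vpn users'.

    Returns the names of the fields that do not line up; an empty list means the
    token information is consistent with the connected user.
    """
    expected = {"username": username, "ike_id": ike_id, "ipsec_vpn": ipsec_vpn, "src_ip": src_ip}
    problems = [key for key, value in expected.items() if record.get(key) != value]
    if not TOKEN_SHAPE_RE.fullmatch(record.get("token", "")):
        problems.append("token")
    if not record.get("client_identifier"):
        # After the client install the identifier should always be filled in.
        problems.append("client_identifier")
    return problems


if __name__ == "__main__":
    for rec in parse_tokens_info(SAMPLE_TOKENS_INFO):
        print(rec["username"], "token created", created_at(rec).isoformat())
        print("mismatches:", check_token(rec, "first-user", "first-user-host", "vpn-first-user", "1.1.1.18"))
```

For the sample record the mismatch list is empty, and time_created resolves to 2010-03-29 20:29:56 UTC, so a stale entry left behind by a previous session (the situation the later workaround of deleting tokens-info addresses) is easy to spot by its age.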


Slide 51

Show Security IKE Security-associations


Check that IKE SAs are up
root@flo> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
19      1.1.1.18        UP     017ef8c64cba11a6  1a3249baa3ddd71b  Aggressive

root@flo> show security ike security-associations index 19 detail
IKE peer 1.1.1.18, Index 19,
  Role: Responder, State: UP
  Initiator cookie: 017ef8c64cba11a6, Responder cookie: 1a3249baa3ddd71b
  Exchange type: Aggressive, Authentication method: Pre shared keys with XAuth (initiator)
  Local: 4.4.4.112:500, Remote: 1.1.1.18:1839
  Lifetime: Expires in 622 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  : 42521
   Output bytes  : 43680
   Input  packets: 490
   Output packets: 493
  Flags: Caller notification sent
  IPsec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0


Next, we check the VPN-related commands. We look at the IKE security associations and can see that the SA is up, with details such as Aggressive mode. If we select the index with the detail option, we can see all the information. The role here should always be Responder, because it is the client that initiates the connection. We see the details of the security association: Aggressive mode, pre-shared keys with XAuth, and the IKE packet statistics.


Slide 52

Show Security IPsec Security-associations


Check that IPsec SAs are up
root@flo> show security ipsec security-associations
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI       Life:sec/kb  Mon vsys
  <2    1.1.1.18         500   ESP:3des/sha1   64e3a78e  28613/ 449985  0
  >2    1.1.1.18         500   ESP:3des/sha1   aa766a71  28613/ 449985  0

root@flo> show security ipsec security-associations index 2 detail
  Virtual-system: Root
  Local Gateway: 4.4.4.112, Remote Gateway: 1.1.1.18
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
  Policy-name: vpn-first-user

  Direction: inbound, SPI: 64e3a78e, AUX-SPI: 0 , VPN Monitoring:
    Hard lifetime: Expires in 28605 seconds
    Lifesize Remaining: 449984 kilobytes
    Soft lifetime: Expires in 28013 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: aa766a71, AUX-SPI: 0 , VPN Monitoring:
    Hard lifetime: Expires in 28605 seconds
    Lifesize Remaining: 449984 kilobytes
    Soft lifetime: Expires in 28013 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64


For the VPN checks we look at the IPsec SAs, the phase 2 SAs. With this we can confirm that the tunnel is up. We have the tunnel ID, the remote gateway, the algorithms, the SPI numbers, and the lifetime. It is important to check the policy that is used with this VPN; we can see the correct policy is used for this tunnel. And we have the information for each direction.


Slide 53

Show Security IPsec Statistics


Check statistics for traffic flow through the VPN
root@flo> show security ipsec statistics index 2
ESP Statistics:
  Encrypted bytes:            12880
  Decrypted bytes:             6900
  Encrypted packets:            115
  Decrypted packets:            115
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


There is another command we can use, show security ipsec statistics. This is very useful when we want to see how traffic is flowing through the tunnel: we can see the encrypted and decrypted traffic going out of and coming into the tunnel, and the error counters.
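Both checks from the last two slides lend themselves to a script: a healthy tunnel has one inbound (<) and one outbound (>) SA under the same ID, and all of the error counters in the statistics are zero. The following is an added example, not code from the course or from Juniper: it parses the SA summary table and the statistics output, reports tunnel IDs that are missing one direction, and lists any non-zero error counters. The sample text is copied from the two slides above; the column layout is the one the course shows and is the only format the parser assumes.

```python
import re
from collections import defaultdict

# SA summary rows as shown on the "Show Security IPsec Security-associations" slide.
SAMPLE_SA_SUMMARY = """\
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm       SPI       Life:sec/kb  Mon vsys
  <2    1.1.1.18         500   ESP:3des/sha1   64e3a78e  28613/ 449985  0
  >2    1.1.1.18         500   ESP:3des/sha1   aa766a71  28613/ 449985  0
"""

# Statistics as shown on the "Show Security IPsec Statistics" slide.
SAMPLE_STATS = """\
ESP Statistics:
  Encrypted bytes:            12880
  Decrypted bytes:             6900
  Encrypted packets:            115
  Decrypted packets:            115
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# "<2  1.1.1.18  500  ESP:3des/sha1  64e3a78e  28613/ 449985 ..." -> direction, id, gateway, ...
SA_ROW_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)/\s*(\d+)"
)
# "Name: 123" pairs; several may share one line in the Errors section.
COUNTER_RE = re.compile(r"([A-Za-z ]+?):\s*(\d+)")
SECTIONS = ("ESP Statistics:", "AH Statistics:", "Errors:")


def parse_sa_summary(text):
    """Return one dict per SA row of 'show security ipsec security-associations'."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line)
        if not m:
            continue
        sas.append({
            "id": int(m.group(2)),
            "direction": "inbound" if m.group(1) == "<" else "outbound",
            "gateway": m.group(3),
            "port": int(m.group(4)),
            "algorithm": m.group(5),
            "spi": m.group(6),
            "life_sec": int(m.group(7)),
            "life_kb": int(m.group(8)),
        })
    return sas


def unpaired_tunnels(sas):
    """Tunnel IDs that do not have exactly an inbound and an outbound SA."""
    directions = defaultdict(set)
    for sa in sas:
        directions[sa["id"]].add(sa["direction"])
    return sorted(tid for tid, dirs in directions.items() if dirs != {"inbound", "outbound"})


def parse_stats(text):
    """Return {'<section>/<counter name>': value} for the statistics output."""
    counters = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTIONS:
            section = stripped[:-1]
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[f"{section}/{name.strip()}"] = int(value)
    return counters


def stats_problems(counters):
    """Error counters that are not zero; the first thing to look at when traffic fails."""
    return sorted(k for k, v in counters.items() if k.startswith("Errors/") and v > 0)


if __name__ == "__main__":
    sas = parse_sa_summary(SAMPLE_SA_SUMMARY)
    print("unpaired tunnels:", unpaired_tunnels(sas))
    print("error counters > 0:", stats_problems(parse_stats(SAMPLE_STATS)))
```

With the course's output both lists come back empty. A tunnel that shows up in only one direction, or a growing ESP authentication failure or replay error counter, narrows the problem before any traceoptions are enabled.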


Slide 54

Show Security Policies From-zone # To-zone # Policy # Detail


Check policy statistics (if count enabled in the security policy)
root@flo> show security policies from-zone untrust to-zone trust policy-name vpn-first-user detail
Policy: vpn-first-user, action-type: permit, State: enabled, Index: 4
  Policy Type: Configured
  Sequence number: 1
  From zone: untrust, To zone: trust
  Source addresses:
    any: 0.0.0.0/0
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Tunnel: vpn-first-user, Type: IPsec, Index: 2
  Session log: at-create, at-close
  Policy statistics:
    Input  bytes     :        360          11 bps
    Output bytes     :        180           5 bps
    Input  packets   :          6           0 pps
    Output packets   :          3           0 pps
    Session rate     :          3           0 sps
    Active sessions  :          3
    Session deletions:          0
    Policy lookups   :          8


Let's look at the policy commands. Here we show the show security policies command. If you have the count option enabled in the policy, we get statistics for session creation and the number of active sessions for that policy, as well as the input and output packets. This helps to check the flows. We can also confirm the VPN that is related to this policy, the type, and the tunnel index. Here we see tunnel number 2.


Slide 55

Show Security Flow Session Tunnel


Check the tunnel sessions were created for the VPN tunnel
root@flo> show security flow session tunnel
Session ID: 6924, Policy name: N/A, Timeout: N/A
  In: 1.1.1.18/21174 --> 4.4.4.112/40106;esp, If: ge-0/0/1.0

root@flo> show security flow session session-identifier 6924
Session ID: 6924, Status: Normal
Flag: 0x10000
Policy name: N/A
Source NAT pool: Null
Maximum timeout: N/A, Current timeout: N/A
Start time: 340589, Duration: 112
   In: 1.1.1.18/21174 --> 4.4.4.112/40106;esp,
    Interface: ge-0/0/1.0,
    Session token: 0x240, Flag: 0x1569
    Route: 0x80010, Gateway: 4.4.4.4, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
1 sessions displayed


Then we use commands to check the flows. We want to see what type of flows we have. First, if we use the tunnel option in the command, we can see the tunnel session created for this VPN. We can refer to it in this output. If we specify the session identifier, we can see the details of the session.


Slide 56

Show Security Flow Session


Check current sessions through the VPN
root@flo> show security flow session destination-prefix 2.2.2.199
Session ID: 5995, Policy name: vpn-first-user/4, Timeout: 1798
  In: 18.18.18.200/1909 --> 2.2.2.199/21;tcp, If: ge-0/0/1.0
  Out: 2.2.2.199/21 --> 18.18.18.200/1909;tcp, If: fe-0/0/5.0
1 sessions displayed

root@flo> show security flow session session-identifier 5995
Session ID: 5995, Status: Normal
Flag: 0x40
Policy name: vpn-first-user/4
Source NAT pool: Null, Application: junos-ftp/1
Maximum timeout: 1800, Current timeout: 1790
Start time: 298236, Duration: 13
   In: 18.18.18.200/1909 --> 2.2.2.199/21;tcp,
    Interface: ge-0/0/1.0,
    Session token: 0x240, Flag: 0x268441121
    Route: 0x0, Gateway: 18.18.18.200, Tunnel: 1073741826
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
   Out: 2.2.2.199/21 --> 18.18.18.200/1909;tcp,
    Interface: fe-0/0/5.0,
    Session token: 0x180, Flag: 0x5664
    Route: 0x90010, Gateway: 2.2.2.199, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
1 sessions displayed


To check the flows going through the firewall, the transit traffic through this VPN, we use the show security flow session command with a destination prefix or source prefix. In this case we see an FTP session on port 21. We use the session identifier to see the details. Here is the application, junos-ftp. We see the policy name and the details of each wing of the session, in and out, and the interfaces related to it. This is very useful information.


Slide 57

Possible Issues
Download fail
  httpd-gk
Login Problems
  httpd-gk, authd, Token info (/var/db/dynamic-vpn-ipsec/tokens-info)
Xauth not prompted / fail
  IKE logs, httpd-gk
Tunnel not up
  IKE logs
Traffic not passing through
  flow



We're going to use this output to solve dynamic VPN problems. First, if the client download is failing, we check the web management traceoptions; httpd-gk is the default filename for those. If we have login problems, we check the web management traceoptions, the authentication traceoptions, or the token information. If we have problems with xauth, we check the IKE traceoptions or the web management traceoptions. If the tunnel does not come up, we look at the IKE traceoptions. If traffic is not going through, we look at the flow traceoptions.


Slide 58

Login Problem No configuration available (1 of 3)


License check failed User is authenticated by webauth but there is no dynamic-vpn client configured for it
#web-management traceoptions#
root@flo> show log https-debug
Mar 30 00:39:44 acadia_authenticate_user: username = first-user, token = , client_identifier = 90c5bfaa69e0debdf84ca5e4ddfc223441884a86 ()
Mar 30 00:39:44 acadia_fwauthd_authenticate: sending auth request to fwauthd for IP 1010112 ()
Mar 30 00:39:44 acadia_authenticate_user: fwauthd succeeded
Mar 30 00:39:44 get_client_config: First connection for user first-user at IP 1.1.1.18
Mar 30 00:39:44 acadia_authenticate_user: return code from get_client_config: -1
Mar 30 00:39:44 acadia_authenticate_user: no user config available.
Mar 30 00:39:44 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Failed


Let's look at one example, No Configuration Available. When you type in the username and password and get the message No Configuration Available, either the license check failed or the authentication itself worked but no dynamic VPN configuration exists for that client. In the web management traceoptions we can see that clearly: we get no user config available.


Slide 59

Login Problem No configuration available (2 of 3)


Connection Status shows the problem in JAM client


On the client side, we can also see the message. If we right-click and then select Status, we can see No Configuration Available. In this case, its important to check the configuration in the SRX.


Slide 60

Login Problem No configuration available (3 of 3)


Verify the configuration for the dynamic-vpn client configuration or a missing license
If the error persists with the dynamic VPN access profile configured, delete the tokens-info file from the Unix shell: rm -f /var/db/dynamic-vpn-ipsec/tokens-info
Then restart web-management from the operational CLI with the command restart web-management (no impact to users already connected)
root@flo> start shell
root@flo% rm -f /var/db/dynamic-vpn-ipsec/tokens-info
root@flo% exit
exit
root@flo> restart web-management
Web management gatekeeper process started, pid 22864


What do we do to solve this problem? First, check the configuration and the license. If the error persists, there is a workaround: we remove the token information file and restart the web management process with the command restart web-management. This should recover from the problem. There is no impact on the existing users, because they already have their VPN tunnels working.


Slide 61

Xauth Failure (1 of 2)
When using the JAM client, the status shows Reconnecting to Server after typing the username/password
Check that the username and password match the configuration in the dynamic-vpn user and the RADIUS server


Now we are looking at xauth failure. In this case, we are trying to establish the connection. In the client, we see the message Reconnecting to Server. One possible error could be incorrect credentials. We need to check the username and password. Is it really matching? What do you have in the dynamic VPN configuration in the SRX and the RADIUS server? They have to be matching and they have to be correct for the authentication to work.


Slide 62

Xauth Failure (2 of 2)
Check if RADIUS service is up and running.
Example of RADIUS service down
root@flo> show log auth-debug
Mar 30 11:03:09 authd_radius_start_auth: Starting RADIUS authentication
Mar 30 11:03:09 authd_radius_build_basic_auth_request: got params profile=radius-auth, username=first-user
Mar 30 11:03:09 authd_radius_server_create: ZERO radius servers added : may be all are down
Mar 30 11:03:09 authd_auth_module_start: Error in calling the radius start_auth
Mar 30 11:03:09 AUTHEN - module(radius) return: SERVER

root@flo> show log https-debug
Mar 30 11:03:09 acadia_authenticate_user: username = first-user, token = , client_identifier = 90c5bfaa69e0debdf84ca5e4ddfc223441884a86 ()
Mar 30 11:03:09 acadia_fwauthd_authenticate: sending auth request to fwauthd for IP 1010112 ()
Mar 30 11:03:09 Authentication of user first-user with fwauthd failed ()
Mar 30 11:03:09 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Failed


On the SRX side, we look at the authentication traceoptions, the auth-debug file we created for this scenario. The example here is RADIUS service down. In auth-debug we see an error in calling RADIUS, which indicates a communication problem with the RADIUS server. If we look at the web management traceoptions, the client management traceoptions, we see that web management sends the auth request to the authentication daemon and gets the response back saying it failed. The last message, Failed, means the authentication has failed, and the client shows the message we saw on the previous slide. In this case we need to look at the RADIUS server itself: check whether the service is up, or enable debugging on the RADIUS server, which depends on the RADIUS server you have. You could also take packet captures.


Slide 63

IKE Failure (1 of 4)
Check the status in the JAM client for IKE negotiations failed


Let's move on to another type of problem, the IKE failure. With an IKE failure, the status you see in the client is IKE Negotiations Failed.


Slide 64

IKE Failure (2 of 4)
The detailed logs in the client show the event as well:
root@FreeBSD-server> cat debuglog.log | grep PROPOSAL
00182,09 2010/03/30 11:19:50.968 1 SYSTEM dsAccessService.exe vpnAccessMethod p1884 t9F8 vpnAccessInstance.cpp:922 - 'vpnAccessMethod' got NO PHASE1 PROPOSAL CHOSEN from firewall 4.4.4.112


If we enable the detailed logs in the client, we can also look at debuglog.log. This file holds the detailed negotiation logs, and we can see that no proposal was chosen by the SRX: the SRX did not match any phase 1 proposal and cancelled the connection, which we can also see from the client's detailed log.

Slide 65

IKE Failure (3 of 4)
IKE debug in SRX should show No proposal chosen

    root@flo> show log ike-debug
    Mar 30 11:28:14 ike_get_sa: Start, SA = { e574c215 645d40e7 - 00000000 00000000 } / 00000000, remote = 1.1.1.18:1125
    Mar 30 11:28:14 ike_sa_allocate: Start, SA = { e574c215 645d40e7 - 32dc85f1 200c056a }
    Mar 30 11:28:14 ike_init_isakmp_sa: Start, remote = 1.1.1.18:1125, initiator = 0
    Mar 30 11:28:14 The remote server at 1.1.1.18:1125 is 'JNPR IPsec Client'
    Mar 30 11:28:14 Unable to find ike gateway as remote peer:1.1.1.18 is not recognized.
    Mar 30 11:28:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=4.4.4.112) p1_remote=fqdn(udp:0,[0..14]=first-user-host)
    Mar 30 11:28:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=4.4.4.112) p1_remote=fqdn(udp:0,[0..14]=first-user-host)
    Mar 30 11:28:14 4.4.4.112:500 (Responder) <-> 1.1.1.18:1125 { e574c215 645d40e7 - 32dc85f1 200c056a [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
    Mar 30 11:28:15 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
    Mar 30 11:28:15 4.4.4.112:500 (Responder) <-> 1.1.1.18:1125 { e574c215 645d40e7 - 32dc85f1 200c056a [0] / 0x1b9704df } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it

On the SRX itself, we can also check this in the IKE traceoptions. Check the ike-debug log that we created. If we follow the output, we first see Unable to find ike gateway, then a phase 1 policy lookup failure. In the end, the message you get is No proposal chosen, the same as you see on the client side. How do we solve this problem?

Slide 66

IKE Failure (4 of 4)
Check in the configuration that:
- The security policy is configured properly, with a tunnel action using the correct VPN for the user
- IKE: one gateway for each user, hostname as IKE-ID, associated with the xauth profile (the access profile defined in step 1)
- IPsec: one VPN for each user, PFS mandatory

We need to check the configuration of the security policy. It's very important that we have a security policy with the tunnel action using the VPN that belongs to that user. If you don't have that security policy, you are going to have this problem. For IKE, we need one gateway for each user, and it needs an xauth profile associated with it. For the IPsec VPN, we also need one VPN for each user, and PFS is mandatory. If PFS is not configured, the negotiation does not complete.
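The ike-debug reading on the previous slide and the checklist above can be mechanised. The Python script below is an added example for this guide, not Juniper code: it pulls the peer, the IKE-ID the client presented and the final error out of a constructed ike-debug excerpt, then walks the checklist against a constructed `show configuration | display set` excerpt (the gateway, policy and zone names in it are hypothetical). It reports which checklist item is missing for the failing user; in the sample, first-user-host has no gateway at all, and the IPsec policy used by second-user lacks PFS.

```python
import re

# Constructed ike-debug excerpt, modelled on the slide's output (not the complete log).
IKE_DEBUG = """\
Mar 30 11:28:14 ike_init_isakmp_sa: Start, remote = 1.1.1.18:1125, initiator = 0 ()
Mar 30 11:28:14 The remote server at 1.1.1.18:1125 is 'JNPR IPsec Client' ()
Mar 30 11:28:14 Unable to find ike gateway as remote peer:1.1.1.18 is not recognized.
Mar 30 11:28:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=4.4.4.112) p1_remote=fqdn(udp:0,[0..14]=first-user-host)
Mar 30 11:28:14 4.4.4.112:500 (Responder) <-> 1.1.1.18:1125 { e574c215 645d40e7 - 32dc85f1 200c056a [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14) ()
"""

# Constructed "show configuration | display set" excerpt with hypothetical names:
# second-user is fully configured except for PFS; first-user has no gateway at all.
CONFIG_SET = """\
set security ike gateway dyn-vpn-second ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-second dynamic hostname second-user-host
set security ike gateway dyn-vpn-second external-interface ge-0/0/1.0
set security ike gateway dyn-vpn-second xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn vpn-second-user ike gateway dyn-vpn-second
set security ipsec vpn vpn-second-user ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy vpn-second-user match source-address any
set security policies from-zone untrust to-zone trust policy vpn-second-user then permit tunnel ipsec-vpn vpn-second-user
"""

PEER_RE = re.compile(r"remote = (\d+\.\d+\.\d+\.\d+):\d+")
LOOKUP_RE = re.compile(
    r"KMD_PM_P1_POLICY_LOOKUP_FAILURE:.*p1_local=\w+\([^)]*=([^)]+)\) p1_remote=(\w+)\([^)]*=([^)]+)\)")
ERROR_RE = re.compile(r"Error = (.+?) \(\d+\)")


def triage_ike_debug(text):
    """Extract the peer, the IKE-ID the client presented and the final IKE error from an ike-debug trace."""
    info = {"peer": None, "local": None, "ike_id_type": None, "ike_id": None, "error": None}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and info["peer"] is None:
            info["peer"] = m.group(1)
        m = LOOKUP_RE.search(line)
        if m:
            info["local"], info["ike_id_type"], info["ike_id"] = m.groups()
        m = ERROR_RE.search(line)
        if m:
            info["error"] = m.group(1)
    return info


def parse_set_config(text):
    """Turn 'set ...' lines into token lists, with the leading 'set' dropped."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]


def check_dynamic_vpn_user(stmts, ike_id):
    """Walk the slide's checklist for one IKE-ID; an empty list means every item is present."""
    gateways = {t[6]: t[3] for t in stmts
                if t[:3] == ["security", "ike", "gateway"] and t[4:6] == ["dynamic", "hostname"] and len(t) > 6}
    gw = gateways.get(ike_id)
    if gw is None:
        return [f"no IKE gateway has 'dynamic hostname {ike_id}' (phase 1 policy lookup fails)"]
    findings = []
    if not any(t[:4] == ["security", "ike", "gateway", gw] and t[4:6] == ["xauth", "access-profile"]
               for t in stmts):
        findings.append(f"gateway {gw} has no xauth access-profile")
    vpns = [t[3] for t in stmts
            if t[:3] == ["security", "ipsec", "vpn"] and t[4:7] == ["ike", "gateway", gw]]
    if not vpns:
        findings.append(f"no IPsec VPN references gateway {gw}")
    for vpn in vpns:
        pols = [t[6] for t in stmts
                if t[:4] == ["security", "ipsec", "vpn", vpn] and t[4:6] == ["ike", "ipsec-policy"] and len(t) > 6]
        for pol in pols:
            if not any(t[:4] == ["security", "ipsec", "policy", pol]
                       and t[4:5] == ["perfect-forward-secrecy"] for t in stmts):
                findings.append(f"ipsec policy {pol} used by {vpn} has no perfect-forward-secrecy (PFS is mandatory)")
        if not any(t[:2] == ["security", "policies"] and t[-3:] == ["tunnel", "ipsec-vpn", vpn] for t in stmts):
            findings.append(f"no security policy has 'then permit tunnel ipsec-vpn {vpn}'")
    return findings


def diagnose(ike_debug, config_set):
    """Find who failed phase 1 in the trace, then report what their configuration is missing."""
    info = triage_ike_debug(ike_debug)
    if info["ike_id"] is None:
        return info, ["no KMD_PM_P1_POLICY_LOOKUP_FAILURE in trace; look elsewhere"]
    return info, check_dynamic_vpn_user(parse_set_config(config_set), info["ike_id"])


if __name__ == "__main__":
    result, problems = diagnose(IKE_DEBUG, CONFIG_SET)
    print(result)
    for problem in problems:
        print("-", problem)
```

On a real device, feed the script the output of `show log ike-debug` and `show configuration | display set`; the token matching is deliberately positional so it only recognises the exact statements the checklist names.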

Slide 67

Browser Hangs or JAM Client Doesn't Show Login Window (1 of 2)

Check web-management traceoptions
Stuck in license response pending

    root@flo> show log https-debug
    Mar 29 11:46:08 prepare_client_config: License check request sent with token_idx 0, ike-id first-userhost, socket 14, gk type 3.
    Mar 29 11:46:08 acadia_authenticate_user: return code from get_client_config: 4
    Mar 29 11:46:08 acadia_authenticate_user: license response pending

Confirm license is installed and active

    root@flo> show system license usage
                       Licenses   Licenses   Licenses   Expiry
      Feature name         used  installed     needed
      idp-sig                 0          1          0   2013-01-28 01:00:00 CET
      dynamic-vpn             0          1          0   permanent
      ax411-wlan-ap           0          2          0   permanent

Let's look now at another example. In this case it's a browser problem: the browser hangs, or, if you look at the client, it doesn't show the login window. This could be a problem in web management, and we can look at the traceoptions for that. We first look at the license. If we enable web-management traceoptions, show the log and see License response pending, with the output stopping there, it means it got stuck in the license check. For some reason, there was a problem checking the license.

Slide 68

Browser Hangs or JAM Client Doesn't Show Login Window (2 of 2)

Browser: re-type username/password to retry the connection
JAM client: click on Connect
Restart the web-management process

    root@flo> restart web-management
    Web management gatekeeper process started, pid 25690

Before restarting web-management, it may be necessary to remove all content from the dynamic VPN directory

    root@flo> file delete /var/db/dynamic-vpn-ipsec/
    root@flo> file list /var/db/dynamic-vpn-ipsec/
    /var/db/dynamic-vpn-ipsec/:

Confirm we have a correct license and retry the connection; maybe the fault was temporary. If that doesn't work, we can restart the web-management process, which should bring the negotiations up again. Sometimes it may be necessary to remove the contents of the dynamic VPN directory, because we may have incorrect configuration data there, for example after a mismatch. If we delete everything, the SRX simply regenerates it and lets the client connect again. There is no loss of data, because the information is always regenerated, so this causes no problem.

Slide 69

Not Able to Reach Protected Resources (1 of 3)

Dynamic-VPN user is connected

    root@flo> show security dynamic-vpn users
    User: second-user , Number of connections: 1
        Remote IP: 1.1.1.18
        IPsec VPN: vpn-second-user
        IKE gateway: dyn-vpn-second
        IKE ID : second-user-host
        Status: CONNECTED

IKE/IPsec SAs are up

    root@flo> show security ike security-associations
    Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
    1269    1.1.1.18        UP     4d1977a0f065ca1d  f61eea222d9cad24  Aggressive

    root@flo> show security ipsec security-associations
      Total active tunnels: 1
      ID    Gateway          Port  Algorithm       SPI       Life:sec/kb    Mon vsys
      <3    1.1.1.18         500   ESP:3des/sha1   60e89d33  28675/ 449990      0
      >3    1.1.1.18         500   ESP:3des/sha1   ae69a16c  28675/ 449990      0

Sessions are created but only with initial timeout

    root@flo> show security flow session destination-prefix 2.2.2.199
    Session ID: 5203, Policy name: vpn-first-user/4, Timeout: 52
      In: 2.2.2.201/8192 --> 2.2.2.199/1024;icmp, If: ge-0/0/1.0
      Out: 2.2.2.199/1024 --> 2.2.2.201/8192;icmp, If: fe-0/0/5.0
    Session ID: 5278, Policy name: vpn-first-user/4, Timeout: 14
      In: 2.2.2.201/1337 --> 2.2.2.199/21;tcp, If: ge-0/0/1.0
      Out: 2.2.2.199/21 --> 2.2.2.201/1337;tcp, If: fe-0/0/5.0

Let's now look at another example. Until now we had problems establishing the tunnel; now we are looking at a problem when the tunnel is already up. We check the output to see that the user is connected and that the SAs are up, both phase 1 and phase 2. Sessions are being created in the session table, but we notice that the timeout never reaches the full timeout; it stays at the initial timeout. That is where we start to suspect something. The symptom here is that we are not able to reach the protected resource: we see a session, but we get no response from the protected resource.

Slide 70

Not Able to Reach Protected Resources (2 of 3)

IPsec SA statistics show no traffic being encrypted
Return traffic may not be arriving

    root@flo> show security ipsec statistics index 3
    ESP Statistics:
      Encrypted bytes:            0
      Decrypted bytes:        16909
      Encrypted packets:          0
      Decrypted packets:        211
    AH Statistics:
      Input bytes:                0
      Output bytes:               0
      Input packets:              0
      Output packets:             0
    Errors:
      AH authentication failures: 0, Replay errors: 0
      ESP authentication failures: 0, ESP decryption failures: 0
      Bad headers: 0, Bad trailers: 0

The next step is to check the IPsec statistics to see what is going through the tunnel. With this output we can clearly see that there is only traffic coming out of the tunnel and nothing going into it: the encrypted byte count is 0. Nothing is coming back into the tunnel.

Slide 71

Not Able to Reach Protected Resources (3 of 3)

Checking the protected resource shows the problem
No ARP reply available for the incoming IP address

    [root@server root]# tcpdump -i eth2
    tcpdump: listening on eth2
    23:10:54.888188 2.2.2.201 > 2.2.2.199: icmp: echo request
    23:10:54.888231 arp who-has 2.2.2.201 tell 2.2.2.199
    23:10:55.880131 arp who-has 2.2.2.201 tell 2.2.2.199
    23:10:56.879629 arp who-has 2.2.2.201 tell 2.2.2.199

Solution: configure proxy-arp

If the IP address assigned to the client is on the same subnet as the protected resources, proxy ARP is required on the interface facing the protected resources

    root@flo> show configuration security nat proxy-arp
    interface fe-0/0/5.0 {
        address {
            2.2.2.200/32 to 2.2.2.250/32;
            2.2.2.195/32;
        }
    }

The next step is to check the protected resource. It may simply not be up, for example; go to the protected resource and see if it's responding. In this case we checked it and ran a packet capture with tcpdump to see what's coming in. We see the packet arriving. The protected resource then sends an ARP request, because it doesn't know the MAC address of the source, 2.2.2.201: that source is in the same network, so the server doesn't send to a gateway, it needs the MAC address directly. But this packet actually comes from the client behind the SRX, so there is no host with that address on the segment and no ARP reply. What we need to do is enable proxy ARP, so that when this ARP request is received by the SRX, it responds on behalf of the client. Then the protected resource has the MAC address of the SRX and can send the packet, which solves the problem. So if the IP address assigned to the client is on the same subnet as the protected resource, we go to the SRX, to the interface that's connected to the protected resource, and enable proxy ARP for the addresses of the clients that may connect.
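As an added example that is not part of the course material, the Python below combines the three checks from the last three slides: it parses constructed copies of the flow-session and IPsec-statistics output, flags TCP sessions still sitting at the initial timeout and an SA that decrypts but never encrypts, and, given the client address range and the protected subnet, decides whether proxy ARP is needed and builds the matching proxy-arp `set` statement. The 20-second initial TCP timeout is an assumed SRX default; the addresses and interface names are the slide's values.

```python
import re
import ipaddress

# Constructed sample outputs, modelled on the slide output (not captured from a device here).
FLOW_SESSIONS = """\
Session ID: 5203, Policy name: vpn-first-user/4, Timeout: 52
  In: 2.2.2.201/8192 --> 2.2.2.199/1024;icmp, If: ge-0/0/1.0
  Out: 2.2.2.199/1024 --> 2.2.2.201/8192;icmp, If: fe-0/0/5.0
Session ID: 5278, Policy name: vpn-first-user/4, Timeout: 14
  In: 2.2.2.201/1337 --> 2.2.2.199/21;tcp, If: ge-0/0/1.0
  Out: 2.2.2.199/21 --> 2.2.2.201/1337;tcp, If: fe-0/0/5.0
"""

IPSEC_STATS = """\
ESP Statistics:
  Encrypted bytes:            0
  Decrypted bytes:        16909
  Encrypted packets:          0
  Decrypted packets:        211
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")
COUNTER_RE = re.compile(r"^\s*(Encrypted|Decrypted) (bytes|packets):\s+(\d+)", re.M)

# Assumed SRX default: a TCP session that has only seen the SYN keeps a 20-second timeout;
# once the handshake completes it jumps to the full application timeout (1800 s for FTP).
TCP_INITIAL_TIMEOUT = 20


def parse_sessions(text):
    """Parse 'show security flow session' output into one dict per session with its In/Out wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2), "timeout": int(m.group(3))})
            continue
        m = WING_RE.search(line)
        if m and sessions:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            sessions[-1][wing.lower()] = {"src": src, "sport": int(sport), "dst": dst,
                                          "dport": int(dport), "proto": proto, "if": ifname}
    return sessions


def unestablished_tcp(sessions):
    """TCP sessions still at the initial timeout: the SYN was forwarded, nothing came back."""
    return [s for s in sessions
            if s.get("in", {}).get("proto") == "tcp" and s["timeout"] <= TCP_INITIAL_TIMEOUT]


def parse_esp_counters(text):
    """Pull the four ESP counters out of 'show security ipsec statistics' output."""
    return {f"{kind.lower()}_{unit}": int(n) for kind, unit, n in COUNTER_RE.findall(text)}


def diagnose_return_path(sessions_text, stats_text, client_range, protected_subnet, protected_if):
    """Combine the three symptoms from the slides into findings, with the proxy-arp fix when it applies."""
    findings = []
    stuck = unestablished_tcp(parse_sessions(sessions_text))
    if stuck:
        findings.append("sessions %s never left the initial timeout" % [s["id"] for s in stuck])
    c = parse_esp_counters(stats_text)
    if c.get("decrypted_packets", 0) > 0 and c.get("encrypted_packets", 0) == 0:
        findings.append("packets leave the tunnel (decrypted) but none are encrypted back: "
                        "return traffic is not reaching the SRX")
    first, last = (ipaddress.ip_address(a) for a in client_range)
    subnet = ipaddress.ip_network(protected_subnet)
    if first in subnet or last in subnet:
        findings.append(
            "client pool overlaps the protected subnet %s: the server will ARP for the client IP, so configure "
            "'set security nat proxy-arp interface %s address %s/32 to %s/32'"
            % (subnet, protected_if, first, last))
    return findings


if __name__ == "__main__":
    for f in diagnose_return_path(FLOW_SESSIONS, IPSEC_STATS,
                                  ("2.2.2.200", "2.2.2.250"), "2.2.2.0/24", "fe-0/0/5.0"):
        print("-", f)
```

The three findings are independent on purpose: a pool that lies outside the protected subnet still produces the first two, which then point at routing or the server itself rather than at ARP.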

Slide 72

FTP File Transfer Failing (1 of 3)

Client can successfully connect to the FTP server, but the file transfer is failing
The FTP control session is created but not the data session:

    root@flo> show security flow session destination-port 21
    Session ID: 9911, Policy name: vpn-first-user/4, Timeout: 1798
      In: 18.18.18.200/1267 --> 2.2.2.199/21;tcp, If: ge-0/0/1.0
      Out: 2.2.2.199/21 --> 18.18.18.200/1267;tcp, If: fe-0/0/5.0
    1 sessions displayed

    root@flo> show security flow session resource-manager
    0 sessions displayed

If the control session is working, we can assume the client connected and established the VPN tunnel successfully
We now check another example of traffic not flowing, and this one is more specific: the FTP file transfer is failing. The client can successfully connect to the FTP server, so the connection itself is fine, but when we try to transfer a file it fails. If we check the sessions on the SRX, we can see the session to destination port 21, the FTP control connection, and it has the right timeout. The data session is established with the help of the FTP ALG, and the FTP ALG uses the resource manager to manage these connections, so if we specify resource-manager in this command we should see the active ALG sessions. In this case we don't see anything: the data session is not being established. What is the next step? The next step is flow traceoptions, so we can see how the SRX is processing the data session.

Slide 73

FTP File Transfer Failing (2 of 3)

Next step is to check flow traceoptions
Data session is not getting established due to route lookup failure: no route to the client for the packet coming from the FTP server

    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:<2.2.2.199/20->18.18.18.200/1269;6> matched filter two:
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: flow_first_create_session
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:<RM> Gate(1000025) hit callback... gate_ref=1
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:rm_route_lookup: ifp: in <fe-0/0/5.0> dst_ip=18.18.18.200 [pinhole info: 18.18.18.200/18.18.18.200]
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:flow_ipv4_firstpath_route_lookup: no route to dest 18.18.18.200
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:RM <rm_route_lookup>: dst_ip=18.18.18.200, out_ifp is NULL [in_ifp=fe-0/0/5.0 vsd=0]
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:route lookup failed: 0x0
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: packet dropped, denied by gate_hit callback
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:denied by gate_hit callback
    Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: flow find session returns error.

We check the flow processing of this packet. We see the packet coming from port 20, so this is active FTP data coming from the server towards the client. There is no session for it, so it has to match the gate that was opened by the FTP ALG. We can see the gate hit, and then a route lookup for the destination, which is the client IP address. In the end we see the problem: there is no route to this destination, so the outgoing interface is NULL. The route lookup failed, and the packet is dropped, denied by the gate callback. That's why the data session was not working. In this case, we need to add a route to solve this problem.

Slide 74

FTP File Transfer Failing (3 of 3)

After adding a route to 18.18.18/24, the data session is successful

    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:rm_route_lookup: ifp: in <fe-0/0/5.0> dst_ip=18.18.18.200 [pinhole info: 18.18.18.200/18.18.18.200]
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:rm_route_lookup: dst_ip=18.18.18.200 out_ifp=ge-0/0/1.0 next_hop=4.4.4.4
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:rm_get_tunnel_info : policy 0x54551b20 IPsec yes in_zone trust[6] policy dest zone trust[6]vpn direction in
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:RM : session=80000282a app_cookie=1226 out_ifp=ge-0/0/1.0 out_tunnel=0x5131a00c
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:RM populated xlate info for nsp2: 18.18.18.200/1270>2.2.2.199/20out_ifp = ge-0/0/1.0, out_tunnel = 0x5131a00c
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:tunnel out 0x5131a00c
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: service lookup identified service 79.
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: flow session id 10282
    Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: going into tunnel 2 (nsp_tunnel=0x5131a00c).

If we add a route to the client, that route has to go out of the interface where the tunnel is established; the next hop must be reachable through that interface. Then the routing is correct. If we follow the output, we can see that the route lookup now finds the outgoing interface and is able to match the policy. We see the policy, then the translation information is populated for the ALG with the destination details, and the session is created with its session ID. We then see the packet going into the tunnel, with the tunnel ID. When we entered show security ipsec security-associations before, the tunnel ID was 2, so we can match the number here.
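To make the trace reading from the last two slides repeatable, here is an added Python example (not from the course) that follows an ALG data-session first path through constructed excerpts of both traces: it reports whether the gate was hit, whether the route lookup failed and for which destination, or, after the fix, the outgoing interface, next hop, session ID and tunnel ID. suggest_route builds the static route for the fix; the /24 prefix length and the next hop are the caller's assumptions (18.18.18/24 and 4.4.4.4 are the slide's values).

```python
import re
import ipaddress

# Constructed excerpts modelled on the two flow traces on the slides (trimmed, not the full output).
FAILED_TRACE = """\
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:<2.2.2.199/20->18.18.18.200/1269;6> matched filter two:
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:<RM> Gate(1000025) hit callback... gate_ref=1
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:rm_route_lookup: ifp: in <fe-0/0/5.0> dst_ip=18.18.18.200 [pinhole info: 18.18.18.200/18.18.18.200]
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:flow_ipv4_firstpath_route_lookup: no route to dest 18.18.18.200
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:RM <rm_route_lookup>: dst_ip=18.18.18.200, out_ifp is NULL [in_ifp=fe-0/0/5.0 vsd=0]
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:route lookup failed: 0x0
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: packet dropped, denied by gate_hit callback
"""

FIXED_TRACE = """\
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:rm_route_lookup: ifp: in <fe-0/0/5.0> dst_ip=18.18.18.200 [pinhole info: 18.18.18.200/18.18.18.200]
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:rm_route_lookup: dst_ip=18.18.18.200 out_ifp=ge-0/0/1.0 next_hop=4.4.4.4
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT:RM : session=80000282a app_cookie=1226 out_ifp=ge-0/0/1.0 out_tunnel=0x5131a00c
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: flow session id 10282
Mar 30 12:59:41 12:59:40.1730181:CID-0:RT: going into tunnel 2 (nsp_tunnel=0x5131a00c).
"""

FLOW_RE = re.compile(r"<(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+);(\d+)>")
NOROUTE_RE = re.compile(r"no route to dest (\d+\.\d+\.\d+\.\d+)")
ROUTED_RE = re.compile(r"rm_route_lookup: dst_ip=(\S+) out_ifp=(\S+) next_hop=(\S+)")
SESSION_RE = re.compile(r"flow session id (\d+)")
TUNNEL_RE = re.compile(r"going into tunnel (\d+)")


def analyze_alg_trace(text):
    """Follow one ALG data-session first path through the trace and report where it ended up."""
    r = {"flow": None, "gate_hit": False, "unrouted_dst": None, "out_if": None,
         "next_hop": None, "session": None, "tunnel": None, "dropped": False}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m and r["flow"] is None:
            src, sport, dst, dport, proto = m.groups()
            r["flow"] = f"{src}:{sport}->{dst}:{dport}/{proto}"
        if "Gate(" in line and "hit callback" in line:
            r["gate_hit"] = True
        m = NOROUTE_RE.search(line)
        if m:
            r["unrouted_dst"] = m.group(1)
        m = ROUTED_RE.search(line)
        if m:
            r["out_if"], r["next_hop"] = m.group(2), m.group(3)
        m = SESSION_RE.search(line)
        if m:
            r["session"] = int(m.group(1))
        m = TUNNEL_RE.search(line)
        if m:
            r["tunnel"] = int(m.group(1))
        if "denied by gate_hit callback" in line:
            r["dropped"] = True
    return r


def suggest_route(result, next_hop, prefixlen=24):
    """Static route for the unrouted client address; prefix length and next hop are the caller's assumptions."""
    if result["unrouted_dst"] is None:
        return None
    net = ipaddress.ip_network(f"{result['unrouted_dst']}/{prefixlen}", strict=False)
    return f"set routing-options static route {net} next-hop {next_hop}"


if __name__ == "__main__":
    before = analyze_alg_trace(FAILED_TRACE)
    print(before)
    print(suggest_route(before, "4.4.4.4"))
    print(analyze_alg_trace(FIXED_TRACE))
```

The tunnel number in the fixed trace is what you compare against the ID column of `show security ipsec security-associations`, which is how the narration confirms the packet entered the right tunnel.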

Slide 75

Section Summary
In this section, we:
- Described the use of different categories of show commands in the troubleshooting process
- Described the use of the various traceoptions in solving Dynamic VPN problems

In this section, we: Described the use of different categories of show commands in the troubleshooting process, and Described the use of the various traceoptions in solving Dynamic VPN problems

Slide 76

Learning Activity 4: Question 1

The show commands are used to elicit specific information (in the form of responses) that can be used to facilitate the troubleshooting process.
a) True
b) False

Slide 77

Course Summary
In this course, we:
- Discussed feature descriptions of and requirements for the SRX Series Dynamic VPN
- Described the recommended configuration
- Discussed troubleshooting recommendations
- Described troubleshooting examples

In this Course, we: Discussed feature descriptions of and requirements for the SRX Series Dynamic VPN Described the recommended configuration Discussed troubleshooting recommendations, and Described troubleshooting examples

Slide 78

SRX Series Dynamic VPN Advanced Troubleshooting

More Information and Next Steps

Slide 79

Request Support Information

Required by JTAC when opening a support case. It can be uploaded to the case

    {primary:node0}
    root@flo> request support information | save /var/tmp/support-info-case-2009-1234-5678
    Wrote 12744 lines of output to '/var/tmp/support-info-case-2009-1234-5678'

    {primary:node0}
    root@flo> file list /var/tmp/support
    /var/tmp/support-info-case-2009-1234-5678

If you need to open a case with JTAC, we strongly recommend that you include the required support information and output. This will contain a lot of information from the system, including the configuration logs. This can really help JTAC to find the problem and understand the scenario in question. Here is an example of how to save the output. You can enter the command and pipe (|) save to a filename. Then you can do a file transfer to the case.

Slide 80

Logs
Located under the /var/log directory
- messages
- kmd
- authd
- httpd-gk
- chassisd

    root@flo> show log ?
    Possible completions:
      <[Enter]>              Execute this command
      <filename>             Name of log file
      IKE                    Size: 818, Last changed: Oct 30 19:11:05
      __jsrpd_commit_check__ Size: 52, Last changed: Mar 10 10:24:12
      authd                  Size: 454880, Last changed: Mar 18 20:03:02
      authd.dbg              Size: 0, Last changed: Mar 17 17:24:01
      authd.sta              Size: 0, Last changed: Mar 17 17:24:01
      authd_libstats         Size: 3166, Last changed: Mar 17 17:24:07
      authd_profilelib       Size: 0, Last changed: Oct 01 07:41:15
      authd_sdb.log          Size: 10334, Last changed: Mar 18 20:03:02
      autod                  Size: 31196, Last changed: Feb 22 20:04:23
      chassisd               Size: 1654463, Last changed: Mar 16 10:09:33
      config-changes         Size: 2061, Last changed: Sep 28 19:24:26
      cosd                   Size: 24105, Last changed: Mar 16 10:06:23
      cscript.log            Size: 885, Last changed: Oct 02 09:11:54
      dcd                    Size: 625886, Last changed: Mar 16 10:28:19
      debug-flow             Size: 519595, Last changed: Mar 17 15:44:24
      debug-flow.0.gz        Size: 55672, Last changed: Mar 17 15:44:07
      dfwc                   Size: 0, Last changed: Aug 26 2009
      dfwd                   Size: 1308, Last changed: Mar 16 09:59:56
      eccd                   Size: 11638, Last changed: Mar 16 10:05:17
      ext/                   Last changed: Dec 31 1969
      flowc/                 Last changed: Dec 31 1969
      ggsn/                  Last changed: Dec 31 1969
      gres-tp                Size: 98149, Last changed: Mar 17 17:24:07
      hostname-cached        Size: 9659, Last changed: Mar 17 15:53:59
      httpd-gk               Size: 726649, Last changed: Mar 23 10:26:04
      ---(more)---

We mentioned the logs during the course. We created logs for the traceoptions, and there are also the default logs. In the /var/log directory we can see all the logs. The messages log is also an important log to check. These are the default logs for the traceoptions we check: kmd is for the IKE traceoptions, authd for authentication, and httpd-gk for web management, the dynamic VPN traceoptions. Then we have the chassisd logs, which are also important in case there is something related to chassis management. In the output here we can see other logs; which logs you see depends on what you enabled in the system. They are all under this directory. You can enter show log ? to see all the logs.

Slide 81

Tech Notes
Technotes contain very useful guides
http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=TECHNOTES

TN7 Configuring Dynamic VPN (Remote Access VPN Client): detailed steps on how to configure the dynamic VPN feature in SRX100, SRX210, SRX240 and SRX650
VPN Resolution Guide for SRX Series Devices: JTAC-certified resolution guide for VPN configuration and troubleshooting
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_SRX_VPN_Config_or_Trblsh.htm
TN15 Configuring and Troubleshooting Policy-Based VPNs on J-Series and SRX
TN14 Configuring and Troubleshooting Route-Based VPNs on J-Series and SRX
For the Knowledge Base, this is Technote 7. We strongly recommend that you check this Technote for dynamic VPN configuration, because it contains information about RADIUS. There are two examples there: one with Steel-Belted RADIUS and the other with FreeRADIUS. For example, if you are using FreeBSD, you can easily install the FreeRADIUS service and have it up and running quickly. In this Technote you can see the attributes that you need to set and that we recommend. We also have a VPN Resolution Guide in the Knowledge Base; it can guide you through troubleshooting of VPN-related issues. There are two Technotes for that as well: Technote 15 and 14.

Slide 82

KB Articles
KB16110: SRX Getting Started - Troubleshooting Traffic Flows and Session Establishment
http://kb.juniper.net/KB16110

KB16108: SRX Getting Started - Configuring Traceoptions for Debugging and Trimming Output
http://kb.juniper.net/KB16108

We want to point out two KB (Knowledge Base) articles for the flow traceoptions. These articles contain suggestions on how to troubleshoot, how to configure filters, and how to trim the output. It's quite useful to trim the output, depending on what you are looking for, so you can eliminate unnecessary output and focus on what helps to illustrate and resolve the issue.

Slide 83

Documentation
Dynamic VPN
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/frameset.html

Feature Support Reference: shows feature support in different SRX platforms
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-srx-jseries-support-reference/junos-srx-jseries-support-reference.pdf

Security Configuration Guide: contains detailed information about security features (security hierarchy), including Dynamic VPN
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/junos-security-swconfig-security.pdf

System Basics: information about the system hierarchy
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/config-guide-system-basics.pdf

Interfaces and Routing Configuration Guide: information about different interface types and encapsulation options
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-interfaces-and-routing/junos-security-swconfig-interfaces-and-routing.pdf

CLI Reference: command syntax and options
http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-cli-reference/junos-security-cli-reference.pdf

Release Notes: always important to understand new features, existing issues and limitations
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/releasenotes/10/junos-release-notes-10.0.pdf

Here are references to Junos documentation, dynamic VPN link, and other topics covered in this course. We also have the Feature Support Reference. You can check all the supported features in each platform. This is useful to confirm the configuration that we are using. Use the Security Configuration Guide for everything under the security hierarchy in the configuration. For the System Basics, we can check everything under system hierarchy. Use the Interfaces and Routing Configuration Guide to look at interface types and routing options. Use the CLI Reference for command syntax. Use Release Notes to see the new features, existing issues, and limitations.

Slide 84

Additional Resources
Juniper Networks Education Services Curriculum
http://www.juniper.net/us/en/training/technical_education/

Juniper Networks Technical Certification Program
http://www.juniper.net/us/en/training/certification/

Juniper Networks Virtual Labs
https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp

To submit errata or for general questions
elearning@juniper.net

For additional resources or to contact the Juniper Networks eLearning team, click the links on the screen.

Slide 85

Evaluation and Survey

You have reached the end of this Juniper Networks eLearning module
You should now return to your Juniper Learning Center to take the Practice Test and the Student Survey
The test will allow you to gauge your knowledge of the material covered in this course
The survey will allow you to give feedback on the quality and usefulness of the course

You have reached the end of this Juniper eLearning module. You should now return to your Juniper Learning Center to take the Practice Test and the Student Survey. The test will allow you to gauge your knowledge of the material covered in this course. The survey will allow you to give feedback on the quality and usefulness of the course.

Slide 86

2010 Juniper Networks, Inc.


Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JunosE is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks or registered service marks are the property of their respective owners. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice.

Education Services Courseware

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 Kings Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.