
Troubleshooting a Netscreen Site 2 Site VPN | Netscreen

3/13/12 5:48 PM


Troubleshooting a Netscreen Site 2 Site VPN

Vendor: Juniper. Platform: Netscreen. Version: ScreenOS 6.2. Category: Firewalls - Netscreen.
Wednesday, 23 December 2009 16:47


In this example we will run through various steps to troubleshoot a Site 2 Site VPN.


Confirm General Details

This will give us a general overview of our VPNs.

    netscreen(M)-> get vpn
    Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
    --------------- --------------- ---- ----- -------------------- ------- ------- ---------
    sitea_vpn       sitea           tunl Yes   g2-esp-3des-sha      off     0       eth5
    siteb_vpn       siteb           tunl Yes   g2-esp-3des-sha      off     2       eth5
    sitec_vpn       sitec           tunl Yes   g2-esp-3des-sha      off     0       eth5
    sited_vpn       sited           tunl Yes   g2-esp-3des-sha      off     0       eth5



Confirm Phase 1
To confirm whether IKE has been successful you can run the following command. You may find, though, that there is no IKE cookie even though there is a Phase 2 Security Association. This happens when the Phase 1 IKE lifetime is set to a value less than the Phase 2 lifetime, so the Phase 1 SA expires while the Phase 2 SA it negotiated is still valid. You can find additional details here.

    netscreen(M)-> get ike cookie | i [remote peer ip]
    80522f/0003, [local peer]:500->[remote peer]:500, PRESHR/grp2/AES256/SHA, xchg(5) (Example/grp-1/usr1)


Confirm Phase 2
From the get sa command you can see the status and various details of the Security Associations. The status field (A/-, shown in bold in the original) gives the status of the VPN tunnel (left) and the status of the VPN monitor (right). In this case the VPN tunnel is active (A) and the VPN monitor is dashed out (-) as it isn't enabled. The < entry is the incoming SA and the > entry is the outgoing SA.

    netscreen(M)-> get sa | i [peer ip]
    00000007< [peer ip]    500  esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
    00000007> [peer ip]    500  esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

Using the SA ID we can confirm additional details of the Phase 2 SA.

    netscreen(M)-> get sa id 0x00000007
    index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
    auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
    tunnel id 662, peer id 52, NSRP Active. Vsd 0 site-to-site. Local interface is ethernet5 <[local peer]>.
    esp, group 0, a256 encryption, sha1 authentication
    autokey, IN active, OUT active
    monitor<0>, latency: 0, availability: 0
    DF bit: clear
    app_sa_flags: 0x2067
    proxy id: local, remote, proto 0, port 0
    ike activity timestamp: 590051543
    nat-traversal map not available
    incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
    life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
    next pak sequence number: 0x0
    outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
    life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
    anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
    next pak sequence number: 0x89j9c
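As an added example (not part of the original article), a small Python parser for the get sa table above that applies the status-field reading given here and reports SAs whose tunnel side is not active, whose VPN monitor shows the peer down, that are missing one direction, or whose remaining lifetime is low enough that a rekey is due. The sample output, its peer IPs and SPIs, and the U/D/I status letters are assumptions made for this example.

```python
import re

# Constructed sample in the "get sa" layout shown above (peer IPs, SPIs and
# lifetimes are made up); the second SA is there to exercise the failure checks.
SAMPLE_GET_SA = """\
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007< 192.0.2.10      500  esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
00000007> 192.0.2.10      500  esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0
00000008< 198.51.100.7    500  esp:3des/md5  0a1b2c3d   120 unlim A/D    -1 0
00000008> 198.51.100.7    500  esp:3des/md5  4e5f6a7b   120 unlim I/D    -1 0
"""

# One table row. '<' is the inbound SA and '>' the outbound SA of the same HEX ID.
# Sta is read as the article describes it: left = tunnel state ('A' active, 'I' inactive),
# right = VPN monitor ('-' disabled, 'U' peer up, 'D' peer down); 'I', 'U' and 'D' are assumed.
SA_LINE = re.compile(
    r"^(?P<sa_id>[0-9a-f]{8})(?P<arrow>[<>])\s+(?P<gateway>\S+)\s+\d+\s+\S+\s+"
    r"(?P<spi>\S+)\s+(?P<life_sec>\d+)\s+\S+\s+(?P<tunnel>[A-Z-])/(?P<monitor>[A-Z-])\s", re.I)

def parse_get_sa(text: str) -> list[dict]:
    """Return one dict per table row; the header line does not match and is skipped."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sa_id"] = e["sa_id"].lower()
            e["direction"] = "in" if e.pop("arrow") == "<" else "out"
            e["life_sec"] = int(e["life_sec"])
            entries.append(e)
    return entries

def assess(entries: list[dict], min_life_sec: int = 300) -> list[str]:
    """One finding per problem: missing direction, inactive tunnel, monitor down, rekey due."""
    by_id: dict[str, dict[str, dict]] = {}
    for e in entries:
        by_id.setdefault(e["sa_id"], {})[e["direction"]] = e
    findings = []
    for sa_id, dirs in sorted(by_id.items()):
        for d in ("in", "out"):
            e = dirs.get(d)
            if e is None:
                findings.append(f"{sa_id} {d}: no SA in this direction")
                continue
            if e["tunnel"] != "A":
                findings.append(f"{sa_id} {d} ({e['gateway']}): tunnel state {e['tunnel']}, not active")
            if e["monitor"] == "D":
                findings.append(f"{sa_id} {d} ({e['gateway']}): VPN monitor reports peer down")
            if e["life_sec"] < min_life_sec:
                findings.append(f"{sa_id} {d}: {e['life_sec']}s lifetime left, rekey due")
    return findings
```

Paste the real get sa output into parse_get_sa and feed the result to assess; an empty list means both directions of every SA are active with no monitor or lifetime concerns.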


Running a Debug
Here we will run a debug so we can obtain a more verbose view of what is happening to our traffic. The flow filter (set ff) restricts the debug to packets between the two endpoints, the previous debug state and buffer are cleared, and the buffered output is then read back with get db str.

    netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint]
    netscreen(M)-> undebug all
    netscreen(M)-> clear db
    netscreen(M)-> debug ike basic
    netscreen(M)-> debug flow basic
    netscreen(M)-> get db str
    !
    !
      Permitted by policy 109
      No src xlate   choose interface ethernet5 as outgoing phy if
      check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
      vsd 0 is active
      no loop on ifp ethernet5.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet2>, out <ethernet5>
      existing vector list 25-6870620.
      Session (id:127345) created for first pak 25
      flow_first_install_session======>
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag3000/ifp-ethernet2
      [Dest] 10.route [local endpoint]->[next hop], to ethernet2
      route to [next hop]
      nsrp msg sent.
      flow got session.
      flow session id 127345
      vsd 0 is active
      skipping pre-frag
      going into tunnel 40000266.
      flow_encrypt: pipeline.
      chip info: DMA. Tunnel id 00000266
      (vn2) doing ESP encryption and size =64
      ipsec encrypt prepare engine done
      ipsec encrypt set engine done
      ipsec encrypt engine released
      ipsec encrypt done
      put packet(557a0f0) into flush queue.
      remove packet(557a0f0) out from flush queue.

If the tunnel does not come up you can use the following debug, filtering the IKE output to the peer in question:

    netscreen(M)-> debug ike detail
    netscreen(M)-> set sa-filter [IP]

Event Logs
In addition to checking the logs to confirm that the traffic is being passed, you can check for Phase 1 and Phase 2 errors in the device's event logs.

    netscreen(M)-> get event include [peer ip]

Rekey the VPN

For steps on how to rekey a VPN click here.
