
Troubleshooting VPNs
Check Phase1

fw1b01> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7511026 UP     d40c69def0f2e014  783356e00cddfb70  IKEv2          96.230.36.206

fw1b01>

Check Phase2

fw1b01> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 68e14219 1298/ unlim   U   root 500   96.230.36.206
  >131073 ESP:3des/sha1 cb3ccd42 1298/ unlim   U   root 500   96.230.36.206

fw1b01>
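The two checks above are the ones to script when you have more than a handful of tunnels. The following is an added example (not from the original page or from Juniper) that parses the text of both commands and reports what a reviewer would want flagged: Phase 1 missing or not UP, a missing inbound or outbound Phase 2 SA, an SA close to expiry, a VPN-monitor "D", and legacy algorithms. The sample output is constructed from the captures on this page, and the weak-algorithm list is the editor's policy, not a Junos default; note that the page's own tunnel negotiated ESP:3des/sha1, which this check reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output, in the shape of the page's two CLI captures.
# Values are copied from the page; this is not live data from a device.
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7511026 UP     d40c69def0f2e014  783356e00cddfb70  IKEv2          96.230.36.206
"""

IPSEC_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 68e14219 1298/ unlim   U   root 500   96.230.36.206
  >131073 ESP:3des/sha1 cb3ccd42 1298/ unlim   U   root 500   96.230.36.206
"""

# Editor's policy, not a Junos default: 3DES/DES and MD5 are legacy choices,
# and "None" integrity is only acceptable with an AEAD cipher such as AES-GCM.
WEAK_ENC = {"3des", "des"}
WEAK_AUTH = {"md5"}
LIFETIME_WARN_SEC = 300   # warn when an SA is this close to expiry

IKE_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")
IPSEC_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(ESP|AH):([\w-]+)/([\w-]+)\s+([0-9a-f]+)\s+"
    r"(\d+|unlim)/\s*(\d+|unlim)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class IkeSa:
    index: int
    state: str
    mode: str
    remote: str


@dataclass
class IpsecSa:
    direction: str            # "<" inbound, ">" outbound
    tunnel_id: int
    proto: str
    enc: str
    auth: str
    spi: str
    life_sec: Optional[int]   # None when the column reads "unlim"
    mon: str                  # VPN-monitor column: U up, D down, - not enabled
    gateway: str


def parse_ike(text: str) -> List[IkeSa]:
    sas = []
    for line in text.splitlines():
        m = IKE_RE.match(line.strip())
        if m:
            idx, state, _icookie, _rcookie, mode, remote = m.groups()
            sas.append(IkeSa(int(idx), state, mode, remote))
    return sas


def parse_ipsec(text: str) -> List[IpsecSa]:
    sas = []
    for line in text.splitlines():
        m = IPSEC_RE.match(line)
        if not m:
            continue
        d, tid, proto, enc, auth, spi, life, _kb, mon, _lsys, _port, gw = m.groups()
        sas.append(IpsecSa(d, int(tid), proto, enc.lower(), auth.lower(), spi,
                           None if life == "unlim" else int(life), mon, gw))
    return sas


def check_tunnel(peer: str, ike_text: str, ipsec_text: str) -> List[str]:
    """Return findings for the tunnel to `peer`; an empty list means healthy."""
    findings = []
    ike = [s for s in parse_ike(ike_text) if s.remote == peer]
    if not ike:
        findings.append(f"phase1: no IKE SA for {peer}")
    elif not any(s.state == "UP" for s in ike):
        findings.append(f"phase1: IKE SA for {peer} is {ike[0].state}, not UP")

    sas = [s for s in parse_ipsec(ipsec_text) if s.gateway == peer]
    present = {s.direction for s in sas}
    for d, name in (("<", "inbound"), (">", "outbound")):
        if d not in present:
            findings.append(f"phase2: no {name} SA for {peer}")
    for s in sas:
        aead = s.enc.startswith("aes-gcm")
        if s.enc in WEAK_ENC or s.auth in WEAK_AUTH or (s.auth == "none" and not aead):
            findings.append(f"phase2: legacy algorithm {s.proto}:{s.enc}/{s.auth} on SPI {s.spi}")
        if s.life_sec is not None and s.life_sec < LIFETIME_WARN_SEC:
            findings.append(f"phase2: SPI {s.spi} expires in {s.life_sec}s")
        if s.mon == "D":
            findings.append(f"phase2: VPN monitor reports SPI {s.spi} down")
    return findings


if __name__ == "__main__":
    for f in check_tunnel("96.230.36.206", IKE_OUTPUT, IPSEC_OUTPUT) or ["tunnel healthy"]:
        print(f)
```

Feed it the real command output (for example via NETCONF or `ssh user@fw 'show security ipsec security-associations'`) and run it per peer; a tunnel with a live IKE SA but only one Phase 2 direction usually points at a proxy-ID or lifetime mismatch with the far end.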

Confirm there is a route for the remote subnet and that its next hop is the st0 unit bound to this VPN. A route that points anywhere else sends the traffic out of the underlay interface instead of into the tunnel:
fw1b01> show route 10.33.32.103

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.33.0.0/16       *[Static/5] 01:49:14
                    > via st0.1

Use flow traceoptions to follow individual packets through the flow module. Keep the packet-filter tight (one flow, both directions, as below) because basic-datapath tracing on a busy box is expensive, and deactivate it when you are done:

fw01# show security flow traceoptions
file JTAC;
flag basic-datapath;
packet-filter MATCH1 {
    protocol icmp;
    source-prefix 10.36.36.9/32;
    destination-prefix 10.36.34.51/32;
}
packet-filter MATCH2 {
    protocol icmp;
    source-prefix 10.36.34.51/32;
    destination-prefix 10.36.36.9/32;
}

fw01# run show log JTAC
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:<10.36.34.51/1->10.36.36.9/1;1,0x0> matched filter MATCH2:
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:packet [56] ipid = 39189, @0x43e4e71c
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e4e500, rtbl_idx = 0
Feb 15 20:20:14 20:20:13.989168:CID-0:RT: flow process pak fast ifl 75 in_ifp irb.34
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:  irb.34:10.36.34.51->10.36.36.9, icmp, (3/3)
Feb 15 20:20:14 20:20:13.989168:CID-0:RT: find flow: table 0x5320fb70, hash 42056(0xffff), sa 10.36.34.51, da 10.36.36.9, sp 33440, dp 39183, proto 17, tok 11, conn-tag 0x00000000
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:Found: session id 0x5f5f. sess tok 11
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:flow_find_session: This an Embedded ICMP pkt
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:  flow got session.

Note that although the filter matched an ICMP packet (proto 1), the session lookup is done with proto 17 and the UDP ports taken from the header embedded in the ICMP message ("This an Embedded ICMP pkt"). That is how the flow module ties an ICMP error back to the UDP session that triggered it, which is why "Found: session id" refers to an existing session rather than a new one. Clear the log between tests so the next run is easy to read:

fw01# run clear log JTAC
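Reading a trace log by eye works for one packet; for a longer capture it helps to reduce it to one line per packet. The following is an added example (not from the original page or from Juniper) that parses the `show log JTAC` format above into per-packet records: which filter matched, the ingress interface, the 5-tuple actually used for the session lookup, the session id, and the outcome. The sample log is constructed from the lines captured on this page; the "packet dropped" handling assumes the usual Junos wording for a denied packet and is the editor's assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the trace lines captured on the page under `run show log JTAC`.
TRACE_LOG = """\
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:<10.36.34.51/1->10.36.36.9/1;1,0x0> matched filter MATCH2:
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:packet [56] ipid = 39189, @0x43e4e71c
Feb 15 20:20:14 20:20:13.989088:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e4e500, rtbl_idx = 0
Feb 15 20:20:14 20:20:13.989168:CID-0:RT: flow process pak fast ifl 75 in_ifp irb.34
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:  irb.34:10.36.34.51->10.36.36.9, icmp, (3/3)
Feb 15 20:20:14 20:20:13.989168:CID-0:RT: find flow: table 0x5320fb70, hash 42056(0xffff), sa 10.36.34.51, da 10.36.36.9, sp 33440, dp 39183, proto 17, tok 11, conn-tag 0x00000000
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:Found: session id 0x5f5f. sess tok 11
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:flow_find_session: This an Embedded ICMP pkt
Feb 15 20:20:14 20:20:13.989168:CID-0:RT:  flow got session.
"""

# "Mon DD HH:MM:SS HH:MM:SS.usec:CID-n:RT:<message>"
PREFIX_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ ([\d:.]+):CID-\d+:RT:\s?(.*)$")
MATCH_RE = re.compile(r"<(\S+?)/(\d+)->(\S+?)/(\d+);(\d+),0x[0-9a-f]+> matched filter (\S+):")
INIFP_RE = re.compile(r"in_ifp (\S+)")
FIND_RE = re.compile(r"find flow:.*?sa (\S+), da (\S+), sp (\d+), dp (\d+), proto (\d+)")
FOUND_RE = re.compile(r"Found: session id (0x[0-9a-f]+)")


@dataclass
class PacketTrace:
    ts: str
    filter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    in_ifp: str = ""
    lookup: Tuple = ()          # (sa, da, sp, dp, proto) used for the session lookup
    session_id: str = ""
    embedded_icmp: bool = False
    outcome: str = "unknown"
    lines: List[str] = field(default_factory=list)


def parse_trace(text: str) -> List[PacketTrace]:
    """Group trace lines into one record per packet that matched a filter."""
    packets: List[PacketTrace] = []
    cur = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        mm = MATCH_RE.search(msg)
        if mm:                      # a "matched filter" line starts a new packet
            src, sp, dst, dp, proto, flt = mm.groups()
            cur = PacketTrace(ts, flt, src, int(sp), dst, int(dp), int(proto))
            packets.append(cur)
            continue
        if cur is None:             # lines before the first match belong to no packet
            continue
        cur.lines.append(msg)
        if (m2 := INIFP_RE.search(msg)):
            cur.in_ifp = m2.group(1)
        elif (m2 := FIND_RE.search(msg)):
            sa, da, sp, dp, proto = m2.groups()
            cur.lookup = (sa, da, int(sp), int(dp), int(proto))
        elif (m2 := FOUND_RE.search(msg)):
            cur.session_id = m2.group(1)
            cur.outcome = "session found"
        elif "Embedded ICMP" in msg:
            cur.embedded_icmp = True
        elif "packet dropped" in msg:   # assumed wording for a deny; editor's assumption
            cur.outcome = "dropped: " + msg.split("packet dropped", 1)[1].strip(" ,")
    return packets


def summarize(packets: List[PacketTrace]) -> List[str]:
    out = []
    for p in packets:
        note = " (embedded ICMP, lookup proto %d)" % p.lookup[4] if p.embedded_icmp and p.lookup else ""
        out.append(f"{p.ts} {p.filter} {p.in_ifp or '?'} {p.src}:{p.sport}->{p.dst}:{p.dport} "
                   f"proto {p.proto}{note} session {p.session_id or '-'}: {p.outcome}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_trace(TRACE_LOG)):
        print(line)
```

A packet whose record ends with outcome "unknown" and no session id usually means the trace was cut off or the packet never reached a session lookup; compare its `lines` with a working packet's to see where the two diverge.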


Set up a counting firewall filter on the ingress interface and confirm that packets are actually hitting it. The final term accepts everything, so the filter only counts and never drops. If the counter stays at zero while the far side claims to be sending, the packets are not arriving on that interface (or the addresses in the term are wrong):
[edit interfaces irb unit 260 family inet]
+       filter {
+           input TESTCOUNT;
+       }
[edit firewall family inet]
      filter mgmt { ... }
+     filter TESTCOUNT {
+         term 1 {
+             from {
+                 source-address {
+                     96.20.36.204/32;
+                 }
+                 destination-address {
+                     38.11.225.242/32;
+                 }
+                 protocol tcp;
+             }
+             then {
+                 count testcounter;
+                 accept;
+             }
+         }
+         term 2 {
+             then accept;
+         }
+     }



fwb01# run show firewall filter TESTCOUNT

Filter: TESTCOUNT
Counters:
Name                                                Bytes              Packets
testcounter                                             0                    0


Check the forwarding table for the peer's public address. It should resolve out of the external interface (here the default route via ge-0/0/0.0), not into st0: the tunnel endpoint itself must never be routed into the tunnel it terminates.
fw01# run show route forwarding-table destination 96.20.36.204
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 40:ce:24:3e:13:34  ucst     1376     3 ge-0/0/0.0
default            perm     0                    rjct       36     3

Routing table: __juniper_services__.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            perm     0                    dscd     1280     2

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            perm     0                    rjct     1305     1


