All Juniper related discussions.
Pazzeo
New Member
Posts: 2
Joined: Sat May 30, 2015 4:22 am
Certs: CCNA

VPN between SSG140 and Fortinet

Sat May 30, 2015 5:27 am

Hi guys,

Currently I have a problem with a VPN between an SSG140 and a Fortinet with NAT-Traversal.
The first day it worked properly all day, so I think the configuration is OK on both sides with NAT-T enabled.
However, the day after, it stopped working.

I put the SSG140 in debug; I have posted the log here (masking the public IPs):

Code:
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> ****** Recv kernel msg IDX-5, TYPE-5 ******
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> ****** Recv kernel msg IDX-5, TYPE-5 ******
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> sa orig index<5>, peer_id<4>.
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ>   create sa: YYY.YYY.YYY.YYY->ZZZ.ZZZ.ZZZ.ZZZ
## 2015-05-29 19:32:53 : getProfileFromP1Proposal->
## 2015-05-29 19:32:53 : find profile[0]=<00000007 00000002 00000001 00000002> for p1 proposal (id 7), xauth(0)
## 2015-05-29 19:32:53 : init p1sa, pidt = 0x0
## 2015-05-29 19:32:53 : change peer identity for p1 sa, pidt = 0x0
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   peer_identity_create_with_uid: uid<0>
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   create peer identity 0x70be020
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry before add <1>
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   peer_identity_add_to_peer: num entry after add <2>
## 2015-05-29 19:32:53 : peer identity 70be020 created.
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   EDIPI disabled
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Phase 1: Initiated negotiation in main mode. <YYY.YYY.YYY.YYY => ZZZ.ZZZ.ZZZ.ZZZ>
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct ISAKMP header.
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Msg header built (next payload #1)
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct [SA] for ISAKMP
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> auth(1)<PRESHRD>, encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> xauth attribute: disabled
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> lifetime/lifesize (28800/0)
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct NetScreen [VID]
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct NAT-T [VID]: draft 2
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct NAT-T [VID]: draft 1
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct custom [VID]
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Construct custom [VID]
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> P1 message header:
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   ISAKMP msg: len 200, nxp 1[SA], exch 2[MM], flag 00
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ   > Xmit : [SA] [VID] [VID] [VID] [VID] [VID]
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ   > send phase 1 packet:
## 2015-05-29 19:32:53 : 5d d2 5a 8d 5d 3f cc fb  00 00 00 00 00 00 00 00
## 2015-05-29 19:32:53 : 01 10 02 00 00 00 00 00  00 00 00 c8 0d 00 00 38
## 2015-05-29 19:32:53 : 00 00 00 01 00 00 00 01  00 00 00 2c 01 01 00 01
## 2015-05-29 19:32:53 : 00 00 00 24 01 01 00 00  80 01 00 07 80 02 00 02
## 2015-05-29 19:32:53 : 80 04 00 02 80 03 00 01  80 0e 00 80 80 0b 00 01
## 2015-05-29 19:32:53 : 80 0c 70 80 0d 00 00 20  40 b6 21 83 52 9c 03 a4
## 2015-05-29 19:32:53 : d3 08 84 3f 66 48 56 b2  6d 15 e8 db 00 00 00 16
## 2015-05-29 19:32:53 : 00 00 06 14 0d 00 00 14  90 cb 80 91 3e bb 69 6e
## 2015-05-29 19:32:53 : 08 63 81 b5 ec 42 7b 1f  0d 00 00 14 44 85 15 2d
## 2015-05-29 19:32:53 : 18 b6 bb cd 0b e8 a8 46  95 79 dd cc 0d 00 00 14
## 2015-05-29 19:32:53 : af ca d7 13 68 a1 f1 c9  6b 86 96 fc 77 57 01 00
## 2015-05-29 19:32:53 : 00 00 00 18 48 65 61 72  74 42 65 61 74 5f 4e 6f
## 2015-05-29 19:32:53 : 74 69 66 79 38 6b 01 00
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Initiator sending IPv4 IP ZZZ.ZZZ.ZZZ.ZZZ/port 4500
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Send Phase 1 packet (len=200)
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> Phase 2 task added
## 2015-05-29 19:32:53 : ms 164184564 rt-timer callback
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ   >   hdr
## 2015-05-29 19:32:53 : 5d d2 5a 8d 5d 3f cc fb  3f 1e bd ae 26 55 74 ed
## 2015-05-29 19:32:53 : 01 10 02 00 00 00 00 00  00 00 00 7c 0d 00 00 38
## 2015-05-29 19:32:53 : IKE<0.0.0.0        >   from FLOAT port.
## 2015-05-29 19:32:53 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> ike packet, len 152, action -1
## 2015-05-29 19:32:54 : ms 164185004 rt-timer callback
## 2015-05-29 19:32:54 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> nhtb_list_update_status: vpn RaiLAB_OfficeMUX
## 2015-05-29 19:32:54 : IKE<ZZZ.ZZZ.ZZZ.ZZZ>   ** link ready return 8
## 2015-05-29 19:32:54 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> sa_link_status_for_tunl_ifp: saidx 5, preliminary status 8
## 2015-05-29 19:32:54 : ms 164185019 rt-timer callback
## 2015-05-29 19:32:55 : ms 164186005 rt-timer callback
## 2015-05-29 19:32:55 : ms 164186008 rt-timer callback
## 2015-05-29 19:32:55 : IKE<ZZZ.ZZZ.ZZZ.ZZZ   >   hdr
## 2015-05-29 19:32:55 : 5d d2 5a 8d 5d 3f cc fb  3f 1e bd ae 26 55 74 ed
## 2015-05-29 19:32:55 : 01 10 02 00 00 00 00 00  00 00 00 7c 0d 00 00 38
## 2015-05-29 19:32:55 : IKE<0.0.0.0        >   from FLOAT port.
## 2015-05-29 19:32:55 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> ike packet, len 152, action -1
## 2015-05-29 19:32:56 : ms 164187004 rt-timer callback
## 2015-05-29 19:32:56 : ms 164187019 rt-timer callback
## 2015-05-29 19:32:57 : ms 164188005 rt-timer callback
## 2015-05-29 19:32:57 : ms 164188008 rt-timer callback
## 2015-05-29 19:32:58 : IKE<ZZZ.ZZZ.ZZZ.ZZZ> re-trans timer expired, msg retry (0) (100001/0)


Can you help me understand what is happening?
What does the row with "ike packet, len 152, action -1" mean?

Thanks,
Pazzeo
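An added example, not part of the original post: it decodes the phase-1 packet bytes the SSG140 dumped above (ISAKMP header and the SA payload's transform attributes) so the hex can be checked against the plain-text log lines (`len 200`, `exch 2[MM]`, `auth(1)<PRESHRD>, encr(7)<AES>, hash(2)<SHA>, group(2), keylen(128)`, lifetime 28800), and decodes the 28-byte `hdr` of the peer's reply the same way. The `EXCH`/`ATTR` name tables are my own shorthand for the RFC 2408/2409 values.

```python
import struct
# Bytes copied from the "send phase 1 packet" dump in the debug log (200 bytes).
SENT_HEX = """
5d d2 5a 8d 5d 3f cc fb 00 00 00 00 00 00 00 00
01 10 02 00 00 00 00 00 00 00 00 c8 0d 00 00 38
00 00 00 01 00 00 00 01 00 00 00 2c 01 01 00 01
00 00 00 24 01 01 00 00 80 01 00 07 80 02 00 02
80 04 00 02 80 03 00 01 80 0e 00 80 80 0b 00 01
80 0c 70 80 0d 00 00 20 40 b6 21 83 52 9c 03 a4
d3 08 84 3f 66 48 56 b2 6d 15 e8 db 00 00 00 16
00 00 06 14 0d 00 00 14 90 cb 80 91 3e bb 69 6e
08 63 81 b5 ec 42 7b 1f 0d 00 00 14 44 85 15 2d
18 b6 bb cd 0b e8 a8 46 95 79 dd cc 0d 00 00 14
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
00 00 00 18 48 65 61 72 74 42 65 61 74 5f 4e 6f
74 69 66 79 38 6b 01 00
"""
# The log prints only the 28-byte ISAKMP header of the peer's reply ("hdr" lines).
REPLY_HDR_HEX = ("5d d2 5a 8d 5d 3f cc fb 3f 1e bd ae 26 55 74 ed "
                 "01 10 02 00 00 00 00 00 00 00 00 7c")
EXCH = {2: "MM", 4: "AM", 32: "QM"}          # exchange types (RFC 2408 / 2409)
ATTR = {1: "encr", 2: "hash", 3: "auth", 4: "group", 11: "lifetype",
        12: "lifetime", 14: "keylen"}         # IKE phase-1 attribute classes

def parse_header(data):
    """ISAKMP header: cookies, next payload, version, exchange, flags, msgid, length."""
    ic, rc, nxp, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "nxp": nxp, "ver": ver,
            "exch": EXCH.get(exch, exch), "flags": flags, "msgid": msgid, "len": length}

def parse_sa_attrs(data):
    """Walk the payload chain and return the transform attributes of the first SA."""
    nxp, off = parse_header(data)["nxp"], 28
    while nxp and off + 4 <= len(data):
        p_next, _, p_len = struct.unpack("!BBH", data[off:off + 4])   # generic payload header
        if nxp == 1:                                                  # SA payload
            prop = off + 4 + 8                 # skip DOI and Situation
            spi_size = data[prop + 6]          # proposal: num, proto, spi size, #transforms
            a, attrs = prop + 8 + spi_size + 8, {}   # transform header is 8 bytes
            while a < off + p_len:
                t, v = struct.unpack("!HH", data[a:a + 4])
                if t & 0x8000:                 # TV form: 2-byte value inline
                    attrs[ATTR.get(t & 0x7FFF, t & 0x7FFF)] = v
                    a += 4
                else:                          # TLV form: v is the value length
                    attrs[ATTR.get(t, t)] = int.from_bytes(data[a + 4:a + 4 + v], "big")
                    a += 4 + v
            return attrs
        nxp, off = p_next, off + p_len
    return {}
```

The reply header carries the same initiator cookie, a non-zero responder cookie and a length field of 124 (0x7c), so the bytes the log marks "from FLOAT port" are the peer's main-mode response to the message the SSG140 later retransmits.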
