Juniper ISG/SSG VPN troubleshoot
Problem example:
Message: IKE Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
Message: IKE
- Enter the command get sa, and note the gateway IP address in question:
  ns-> get sa
  total configured sa: 1
  HEX ID    Gateway  Port  Algorithm     SPI       Life:sec  kb     Sta  PID  vsys
  00000001< 1.1.1.1  500   esp: des/md5  00000000  expir     unlim  I/I  1    0
  00000001> 1.1.1.1  500   esp: des/md5  00000000  expir     unlim  I/I  2    0
- Set an SA filter (not a flow filter) for the gateway IP address, so that only debugs related to that VPN gateway are captured:
  ns5400-> set sa-fil 1.1.1.1
  <1.1.1.1> is added to the SA IP filters
- Begin the debug:
  ns-> undebug all          (turn off any debugs currently enabled)
  ns-> set db size 4096     (increase the debug buffer)
  ns-> clear db             (clear the debug buffer)
  ns-> debug ike detail
  ns-> debug pki all        (only if using certificates)
- Attempt to bring the VPN up, or if rekey is enabled wait for the VPN to reconnect. The output of 'get event' will give you a clue when it starts and fails. After the VPN failure, run 'undebug all' to stop the debugs from overwriting the circular buffer, then view the output:
  ns-> undebug all
  ns-> get db stream        (view the debug output)
- When done, perform the following clean-up:
  ns-> unset db size        (return the debug buffer size to the default)
  ns-> undebug all          (turn off debugs)
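As an added example (not from the KB article or from Juniper), the following Python script parses a 'get sa' table laid out like the one above, lists the peer gateway addresses, and builds the capture and clean-up command sequence from the procedure for a chosen gateway. The sample output is constructed to follow the page's column layout. The '<' / '>' markers are read as inbound / outbound SAs, and an all-zero SPI is treated here as "no SA negotiated yet" (both are assumptions stated in the code).

```python
import re
from typing import Dict, List

# Constructed sample of ScreenOS "get sa" output, laid out like the table in
# the procedure above (one inbound and one outbound SA to gateway 1.1.1.1).
SAMPLE_GET_SA = """\
ns-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000001< 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 1 0
00000001> 1.1.1.1 500 esp: des/md5 00000000 expir unlim I/I 2 0
"""

# One row of the table. Assumption: "<" marks the inbound SA, ">" the outbound SA.
_SA_ROW = re.compile(
    r"^(?P<hex_id>[0-9A-Fa-f]{8})(?P<direction>[<>])\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d+)\s+"
    r"(?P<proto>\w+):\s*(?P<algorithm>\S+)\s+"
    r"(?P<spi>[0-9A-Fa-f]{8})\s+"
    r"(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<pid>\d+)\s+(?P<vsys>\d+)\s*$"
)


def parse_get_sa(output: str) -> List[Dict[str, object]]:
    """Parse the rows of a 'get sa' table; prompt, header and total lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = _SA_ROW.match(line.strip())
        if not m:
            continue
        row: Dict[str, object] = m.groupdict()
        row["direction"] = "inbound" if row["direction"] == "<" else "outbound"
        row["port"] = int(row["port"])
        row["pid"] = int(row["pid"])
        row["vsys"] = int(row["vsys"])
        # Assumption: an all-zero SPI means no SA has been negotiated for this
        # entry, i.e. the tunnel to this peer is not currently established.
        row["established"] = int(row["spi"], 16) != 0
        rows.append(row)
    return rows


def gateways(output: str) -> List[str]:
    """Unique peer gateway addresses appearing in 'get sa', in first-seen order."""
    seen: List[str] = []
    for row in parse_get_sa(output):
        if row["gateway"] not in seen:
            seen.append(row["gateway"])
    return seen


def capture_commands(gateway: str, using_certificates: bool = False) -> List[str]:
    """The capture command sequence from the procedure above, for one gateway address."""
    cmds = [
        f"set sa-fil {gateway}",  # SA filter (not a flow filter) for this peer
        "undebug all",            # turn off any debugs currently enabled
        "set db size 4096",       # increase the debug buffer
        "clear db",               # clear the debug buffer
        "debug ike detail",
    ]
    if using_certificates:
        cmds.append("debug pki all")
    return cmds


def cleanup_commands() -> List[str]:
    """Commands to run once the VPN failure has been reproduced."""
    return ["undebug all", "get db stream", "unset db size", "undebug all"]


if __name__ == "__main__":
    for row in parse_get_sa(SAMPLE_GET_SA):
        state = "established" if row["established"] else "not established"
        print(row["direction"], row["gateway"], state)
    for gw in gateways(SAMPLE_GET_SA):
        print("\n".join(capture_commands(gw, using_certificates=True)))
        print("\n".join(cleanup_commands()))
```

Paste the real 'get sa' output into SAMPLE_GET_SA (or read it from a file) and the script prints, per gateway, exactly the command sequence to type in, so the sa-filter address always matches what the table shows rather than being retyped by hand.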
The results of the debug will have the IP address of the sa-filter at the beginning.
For a sample output of debug ike detail, refer to KB22768 - Understanding VPN negotiation messages in main mode along with snoop and debug flow basic.
Other information that will be helpful to JTAC, if you need to open a case:
- get tech
- get event
- get ike cookie
- get sa