[vpn-help] Shrew VPN Client + Juniper SRX : Autodisconnect

Gregory Charot (EVENIUM) gcharot at evenium.com
Mon Dec 17 13:20:48 CST 2012


Hello Matthew,

Thanks for the quick answer!

I tried to disable DPD as well as configuring it on the SRX/Client, but 
that didn't work...
You will find below the part of the SRX log when the client gets 
disconnected. The client gets disconnected @19:53:10

This is actually the same output as the unsolved thread:
http://forums.juniper.net/t5/SRX-Services-Gateway/quot-session-terminated-by-gateway-quot-when-using-Shrew-client/td-p/146382

Strange thing though, if I disable NAT-T on client side, the tunnel 
stays up! Of course the traffic is not going through but the tunnel 
stays alive!
If I select "Force-rfc" on the client the traffic goes through but same 
issue (disconnect at 1 minute).

Hope that helps!
Thanks,
Greg

Dec 17 19:52:30 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:30 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:40 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:40 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:50 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:50 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:00 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:00 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:10 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Dec 17 19:53:10 <none>:500 (Initiator) <-> x.x.x.x:1370 { 7afff86f ed1dec02 - 8adb783f 94cb567c [1] / 0xf84961ac } CFG; Error = Timeout (8197)
Dec 17 19:53:10 ike_send_notify: Private notification, do not send notification
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_free_negotiation_cfg: Start, nego = 1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 1
Dec 17 19:53:10 iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 4999914, ref cnt 2, status: Error ok
Dec 17 19:53:10 ike_expire_callback: Start, expire SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ike_alloc_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}
Dec 17 19:53:10 ike_encode_packet: Start, SA = { 0x7afff86f ed1dec02 - 8adb783f 94cb567c } / 65e8123a, nego = 1
Dec 17 19:53:10 ike_send_packet: Start, send SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370, routing table id = 0
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_free_negotiation_info: Start, nego = 1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 1
Dec 17 19:53:10 ike_remove_callback: Start, delete SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Dec 17 19:53:10 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Dec 17 19:53:10 ike_sa_delete: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c }
Dec 17 19:53:10 ike_free_negotiation_cfg: Start, nego = 0
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 0
Dec 17 19:53:10 ike_free_negotiation_qm: Start, nego = 2
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 2
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_negotiation_qm: Start, nego = 3
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 3
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_negotiation_isakmp: Start, nego = -1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = -1
Dec 17 19:53:10 IKE SA delete called for p1 sa 4999914 (ref cnt 1) local:y.y.y.y, remote:x.x.x.x, IKEv1
Dec 17 19:53:10 iked_pm_p1_sa_destroy:  p1 sa 4999914 (ref cnt 0), waiting_for_del 0x0
Dec 17 19:53:10 Reducing number of connection for ike gateway IKE_DYN_GW to 0
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 2
Dec 17 19:53:10 ike_free_sa: Start


On 17/12/2012 19:19, Jeroen J.A.W. Hermans wrote:
> Hi Matthew,
>
> No problem. I understand that sometimes people have other things to do 
> than helping me :)
> I did disable the DPD, but that did not help at all. I basically 
> disabled everything that was "fancy" in any way. In my previous mail I 
> already described that the SRX series of Juniper have NO debugging 
> whatsoever. The NS25 nicely said: negotiations failed because xxxxx, 
> but this device does not even tell me whether P1 or P2 has been the 
> problem.
> My guess is that Juniper has implemented some kind of keep alive in 
> the Juniper Pulse software that is not implemented in Shrew. I did not 
> have the time to debug any further as this was a live system. The only 
> solution was to buy licenses for the Pulse client :(
> But if you figure this one out, I am very much interested.
> Kind regards,
>
> Jeroen Hermans
>
> On 17-12-2012 19:06, Matthew Grooms wrote:
>> Jeroen and Gregory,
>>
>> Sorry for the lack of response in May. There was a long stretch of 
>> time where my schedule was so constricted that I just wasn't able to 
>> answer questions on the list. I hope to do much better in the future. 
>> Many, many thanks to the regular list members who have been doing an 
>> amazing job by answering questions and providing collaborative 
>> support to the mailing list.
>>
>> With that said, did either of you try to disable DPD on the client 
>> side to see if it allowed the connection to last more than a minute? 
>> Also, is there an error message displayed in the gateway log that 
>> offers some explanation as to why the client gets disconnected?
>>
>> Thanks,
>>
>> -Matthew
>>
>> On 12/17/2012 5:46 AM, Jeroen J.A.W. Hermans wrote:
>>> Hello all,
>>>
>>> I am the person asking this question in May 2012. Unfortunately I did 
>>> not
>>> resolve the question and I bought the Juniper Pulse client licenses.
>>> That seems to work, but I have no idea why Shrewsoft is not working.
>>> Btw: I would never buy an SRX again. The debugging is, well.. non-
>>> existent. And my Juniper SRX210 has been rooted through the SSH server.
>>> Juniper's advice was to disable all external management, which of 
>>> course
>>> is not an option. Really really poor job Juniper! I really liked the
>>> NS25. Next time I will buy two Draytek routers and use them in a high
>>> availability configuration. That saves me a lot of pain and money.
>>> Sorry for the rant, but especially the SSH vulnerability is important
>>> for all you guys. IF someone finds a solution for Shrew + SRX, I am
>>> still very interested!
>>> Kind regards,
>>>
>>>          Jeroen Hermans
>>>
>>
>
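The gateway-side trace in Greg's message is the kind of evidence Matthew asked for: the SRX retransmits the same IKE packet every 10 seconds, gives up after five attempts ("Isakmp query retry limit reached"), and tears down the phase 1 SA with a CFG exchange timeout. The Python script below is an added example, not part of this thread and not tooling from Shrew Soft or Juniper: it parses SRX IKE trace lines of that shape, groups retransmits by ISAKMP cookie pair, and summarises each SA's retransmit count, retry interval, terminal error and peer. The embedded sample log is constructed from the lines quoted above; the regular expressions, the fixed year used to parse the year-less timestamps, and the `nat_port_hint` heuristic (a peer port other than UDP 500 or 4500 suggests a NAT device rewrote the client's source port) are assumptions of this example, not statements from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: a subset of the SRX IKE trace quoted in the message above,
# one entry per line. Not a fresh capture.
SAMPLE_LOG = """\
Dec 17 19:52:30 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:30 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:40 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:50 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:00 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Dec 17 19:53:10 <none>:500 (Initiator) <-> x.x.x.x:1370 { 7afff86f ed1dec02 - 8adb783f 94cb567c [1] / 0xf84961ac } CFG; Error = Timeout (8197)
Dec 17 19:53:10 ike_sa_delete: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c }
"""

# Syslog-style stamp (no year) followed by the trace message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
# ISAKMP initiator/responder cookies as the SRX prints them: "{ 7afff86f ed1dec02 - 8adb783f 94cb567c"
COOKIES_RE = re.compile(r"\{\s*(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")
RETRANSMIT_RE = re.compile(r"^ike_retransmit_callback: Start, retransmit SA =")
RETRY_LIMIT_RE = re.compile(r"^ike_retransmit_callback: Isakmp query retry limit reached")
# Terminal error line: "<local> (Initiator) <-> <peer> { cookies ... } CFG; Error = Timeout (8197)"
ERROR_RE = re.compile(r"<-> (?P<peer>\S+) \{.*\} (?P<exchange>\w+); Error = (?P<error>.+)$")


@dataclass
class SaTimeline:
    cookies: str                        # "icookie-rcookie"
    retransmits: List[datetime] = field(default_factory=list)
    retry_limit_reached: bool = False
    peer: Optional[str] = None          # remote "addr:port" as logged
    exchange: Optional[str] = None      # e.g. "CFG"
    error: Optional[str] = None         # e.g. "Timeout (8197)"

    def span_seconds(self) -> int:
        """Seconds between the first and the last retransmit of this SA."""
        if len(self.retransmits) < 2:
            return 0
        return int((self.retransmits[-1] - self.retransmits[0]).total_seconds())

    def interval_seconds(self) -> Optional[int]:
        """Most common gap between consecutive retransmits, i.e. the gateway's retry timer."""
        gaps = [int((b - a).total_seconds()) for a, b in zip(self.retransmits, self.retransmits[1:])]
        return Counter(gaps).most_common(1)[0][0] if gaps else None

    def peer_port(self) -> Optional[int]:
        if self.peer and ":" in self.peer:
            return int(self.peer.rsplit(":", 1)[1])
        return None

    def nat_port_hint(self) -> bool:
        # Heuristic (assumption): IKE uses UDP 500, or 4500 once NAT-T is in use; any other peer
        # port means a NAT device between client and gateway rewrote the client's source port.
        port = self.peer_port()
        return port is not None and port not in (500, 4500)


def parse_ts(text: str) -> datetime:
    # The stamp carries no year; a fixed year (assumption) is enough for same-day deltas.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")


def cookie_key(msg: str) -> Optional[str]:
    m = COOKIES_RE.search(msg)
    if not m:
        return None
    i1, i2, r1, r2 = m.groups()
    return f"{i1}{i2}-{r1}{r2}"


def analyze(log_text: str) -> Dict[str, SaTimeline]:
    """Group retransmits and terminal errors by ISAKMP cookie pair."""
    timelines: Dict[str, SaTimeline] = {}
    last_sa: Optional[str] = None  # the retry-limit line names no SA: attribute it to the latest retransmit
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        key = cookie_key(msg)
        if key and RETRANSMIT_RE.match(msg):
            timelines.setdefault(key, SaTimeline(key)).retransmits.append(parse_ts(m["ts"]))
            last_sa = key
        elif RETRY_LIMIT_RE.match(msg) and last_sa:
            timelines[last_sa].retry_limit_reached = True
        elif key:
            e = ERROR_RE.search(msg)
            if e:
                tl = timelines.setdefault(key, SaTimeline(key))
                tl.peer, tl.exchange, tl.error = e["peer"], e["exchange"], e["error"]
    return timelines


def summarize(tl: SaTimeline) -> str:
    """One-line verdict per SA, suitable for a ticket or a dashboard."""
    parts = [f"SA {tl.cookies}: {len(tl.retransmits)} retransmits"]
    if tl.interval_seconds() is not None:
        parts.append(f"over {tl.span_seconds()}s (every {tl.interval_seconds()}s)")
    if tl.retry_limit_reached:
        parts.append("retry limit reached")
    if tl.error:
        parts.append(f"{tl.exchange} exchange failed: {tl.error} from peer {tl.peer}")
    if tl.nat_port_hint():
        parts.append(f"peer port {tl.peer_port()} is not 500/4500: NAT in the path")
    return "; ".join(parts)


if __name__ == "__main__":
    for tl in analyze(SAMPLE_LOG).values():
        print(summarize(tl))
```

Run against the sample it reports five retransmits 10 seconds apart over 40 seconds, the retry limit being hit, a CFG exchange timeout from x.x.x.x:1370, and flags the non-standard peer port. Feeding it a longer trace with several SAs yields one line per cookie pair, which makes it easy to tell a single client's one-minute disconnect from a gateway-wide problem.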



