Hello Matthew,

Thanks for the quick answer!

I tried to disable DPD as well as configuring it on the SRX/client, but that didn't work... You will find below the part of the SRX log from when the client gets disconnected. The client gets disconnected at 19:53:10.

This is actually the same output as the unsolved thread: http://forums.juniper.net/t5/SRX-Services-Gateway/quot-session-terminated-by-gateway-quot-when-using-Shrew-client/td-p/146382

Strange thing though: if I disable NAT-T on the client side, the tunnel stays up! Of course the traffic is not going through, but the tunnel stays alive! If I select "Force-rfc" on the client, the traffic goes through but I get the same issue (disconnect at 1 minute).

Hope that helps!
Thanks,
Greg

Dec 17 19:52:30 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:30 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:40 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:40 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:50 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:50 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:00 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:00 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:10 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Dec 17 19:53:10 <none>:500 (Initiator) <-> x.x.x.x:1370 { 7afff86f ed1dec02 - 8adb783f 94cb567c [1] / 0xf84961ac } CFG; Error = Timeout (8197)
Dec 17 19:53:10 ike_send_notify: Private notification, do not send notification
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_free_negotiation_cfg: Start, nego = 1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 1
Dec 17 19:53:10 iked_pm_ike_sa_delete_notify_done_cb: For p1 sa index 4999914, ref cnt 2, status: Error ok
Dec 17 19:53:10 ike_expire_callback: Start, expire SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ike_alloc_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}
Dec 17 19:53:10 ike_encode_packet: Start, SA = { 0x7afff86f ed1dec02 - 8adb783f 94cb567c } / 65e8123a, nego = 1
Dec 17 19:53:10 ike_send_packet: Start, send SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370, routing table id = 0
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_free_negotiation_info: Start, nego = 1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 1
Dec 17 19:53:10 ike_remove_callback: Start, delete SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ike_delete_negotiation: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = -1
Dec 17 19:53:10 ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
Dec 17 19:53:10 ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
Dec 17 19:53:10 ike_sa_delete: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c }
Dec 17 19:53:10 ike_free_negotiation_cfg: Start, nego = 0
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 0
Dec 17 19:53:10 ike_free_negotiation_qm: Start, nego = 2
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 2
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_negotiation_qm: Start, nego = 3
Dec 17 19:53:10 ike_free_negotiation: Start, nego = 3
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 4
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_negotiation_isakmp: Start, nego = -1
Dec 17 19:53:10 ike_free_negotiation: Start, nego = -1
Dec 17 19:53:10 IKE SA delete called for p1 sa 4999914 (ref cnt 1) local:y.y.y.y, remote:x.x.x.x, IKEv1
Dec 17 19:53:10 iked_pm_p1_sa_destroy: p1 sa 4999914 (ref cnt 0), waiting_for_del 0x0
Dec 17 19:53:10 Reducing number of connection for ike gateway IKE_DYN_GW to 0
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 1
Dec 17 19:53:10 ike_free_id_payload: Start, id type = 2
Dec 17 19:53:10 ike_free_sa: Start


On 17/12/2012 19:19, Jeroen J.A.W. Hermans wrote:
Hi Matthew,

No problem. I understand that sometimes people have other things to do than helping me :) I did disable the DPD, but that did not help at all. I basically disabled everything that was "fancy" in any way. In my previous mail I already described that the SRX series of Juniper have NO debugging whatsoever. The NS25 nicely said: negotiations failed because xxxxx, but this device does not even tell me whether P1 or P2 has been the problem. My guess is that Juniper has implemented some kind of keep-alive in the Juniper Pulse software that is not implemented in Shrew. I did not have the time to debug any further as this was a live system. The only solution was to buy licenses for the Pulse client :(
But if you figure this one out, I am very much interested.
Kind regards,

Jeroen Hermans

On 17-12-2012 19:06, Matthew Grooms wrote:
Jeroen and Gregory,

Sorry for the lack of response in May. There was a long stretch of time where my schedule was so constricted that I just wasn't able to answer questions on the list. I hope to do much better in the future. Many, many thanks to the regular list members who have been doing an amazing job by answering questions and providing collaborative support to the mailing list.

With that said, did either of you try to disable DPD on the client side to see if it allowed the connection to last more than a minute? Also, is there an error message displayed in the gateway log that offers some explanation as to why the client gets disconnected?

Thanks,

-Matthew

On 12/17/2012 5:46 AM, Jeroen J.A.W. Hermans wrote:
Hello all,

I am the person who asked this question in May 2012. Unfortunately I did not
resolve the question and I bought the Juniper Pulse client licenses.
That seems to work, but I have no idea why Shrewsoft is not working.
Btw: I would never buy an SRX again. The debugging is, well.. non-
existent. And my Juniper SRX210 has been rooted through the SSH server.
Juniper's advice was to disable all external management, which of course
is not an option. Really, really poor job Juniper! I really liked the
NS25. Next time I will buy two Draytek routers and use them in a high
availability configuration. That saves me a lot of pain and money.
Sorry for the rant, but especially the SSH vulnerability is important
for all you guys. If someone finds a solution for Shrew + SRX, I am
still very interested!
Kind regards,

Jeroen Hermans




_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help

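Added example (not part of the original thread, and not Shrew Soft or Juniper code): a small parser that reads the kind of SRX IKE trace Greg posted above, groups lines by IKE SA cookie pair, and reports what the trace actually establishes: how many retransmits were sent and at what interval, which exchange hit "Error = Timeout", how long it took from the first retransmit to the SA teardown, and which peer address and port the gateway was sending to. The sample log is constructed from the posted trace (addresses masked as in the post, trimmed to the retransmit and teardown lines). The cookie, port and timing regexes are assumptions based on the format of those lines only; other JUNOS releases may word the messages differently.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the SRX IKE trace posted in the thread above
# (x.x.x.x / y.y.y.y are masked as in the post), trimmed to the retransmit/timeout sequence.
SAMPLE_LOG = """\
Dec 17 19:52:30 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:30 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:40 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:40 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:52:50 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:52:50 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:00 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:00 ike_send_packet: Start, retransmit previous packet SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1, dst = x.x.x.x:1370 routing table id = 0
Dec 17 19:53:10 ike_retransmit_callback: Start, retransmit SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c}, nego = 1
Dec 17 19:53:10 ike_retransmit_callback: Isakmp query retry limit reached, deleting
Dec 17 19:53:10 <none>:500 (Initiator) <-> x.x.x.x:1370 { 7afff86f ed1dec02 - 8adb783f 94cb567c [1] / 0xf84961ac } CFG; Error = Timeout (8197)
Dec 17 19:53:10 ike_sa_delete: Start, SA = { 7afff86f ed1dec02 - 8adb783f 94cb567c }
Dec 17 19:53:10 IKE SA delete called for p1 sa 4999914 (ref cnt 1) local:y.y.y.y, remote:x.x.x.x, IKEv1
"""

# Assumed line formats, derived only from the trace above.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<msg>.*)$")
COOKIES_RE = re.compile(r"\{ ?(?:0x)?([0-9a-f]{8}) ([0-9a-f]{8}) - ([0-9a-f]{8}) ([0-9a-f]{8})")
DST_RE = re.compile(r"dst = (?P<host>\S+?):(?P<port>\d+)")
ERR_RE = re.compile(r"\} (?P<exch>\w+); Error = (?P<err>\w+) \((?P<code>\d+)\)")


def _to_seconds(ts: str) -> int:
    """'Dec 17 19:52:30' -> seconds; the month is ignored, which is enough for deltas inside one trace."""
    _, day, clock = ts.split()
    h, m, s = (int(x) for x in clock.split(":"))
    return int(day) * 86400 + h * 3600 + m * 60 + s


def analyze_ike_log(text: str) -> dict:
    """Group the trace by IKE SA (initiator cookie - responder cookie) and collect
    retransmit timestamps, the retry-limit hit, the timed-out exchange and the peer address."""
    sas = defaultdict(lambda: {"retransmits": [], "retry_limit_reached": False,
                               "timeout": None, "peer": None, "sa_deleted": False})
    current = None  # the 'retry limit reached' line carries no cookies, so remember the last SA seen
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = _to_seconds(m.group("ts")), m.group("msg")
        c = COOKIES_RE.search(msg)
        if c:
            current = "%s%s-%s%s" % c.groups()
        if current is None:
            continue
        rec = sas[current]
        if msg.startswith("ike_retransmit_callback: Start, retransmit"):
            rec["retransmits"].append(ts)
        elif "retry limit reached" in msg:
            rec["retry_limit_reached"] = True
        d = DST_RE.search(msg)
        if d:
            rec["peer"] = (d.group("host"), int(d.group("port")))
        e = ERR_RE.search(msg)
        if e:
            rec["timeout"] = {"exchange": e.group("exch"), "error": e.group("err"),
                              "code": int(e.group("code")), "at": ts}
        if msg.startswith("ike_sa_delete:"):
            rec["sa_deleted"] = True
    return dict(sas)


def summarize(rec: dict) -> dict:
    """Turn one SA record into the numbers a troubleshooter wants to quote."""
    r = rec["retransmits"]
    intervals = [b - a for a, b in zip(r, r[1:])]
    port = rec["peer"][1] if rec["peer"] else None
    return {
        "retransmit_count": len(r),
        # constant spacing between retransmits, or None if the spacing varied
        "retransmit_interval_s": intervals[0] if intervals and len(set(intervals)) == 1 else None,
        "seconds_to_teardown": (rec["timeout"]["at"] - r[0]) if rec["timeout"] and r else None,
        "timed_out_exchange": rec["timeout"]["exchange"] if rec["timeout"] else None,
        "peer_port": port,
        # A destination port that is neither 500 nor 4500 means the peer's IKE/NAT-T traffic reached
        # the gateway through a port-translating NAT and the gateway is replying to the translated port.
        "peer_port_translated": port not in (None, 500, 4500),
        "verdict": ("peer stopped answering; SA torn down after retry limit"
                    if rec["retry_limit_reached"] and rec["timeout"] else "no timeout seen"),
    }


if __name__ == "__main__":
    for sa, rec in analyze_ike_log(SAMPLE_LOG).items():
        print(sa, summarize(rec))
```

Run against the posted trace this reports five retransmits 10 seconds apart, a CFG (config mode) exchange timing out 40 seconds after the first retransmit, and a peer port of 1370, i.e. the gateway was retrying a config-mode message to a NAT-translated port and never got an answer before the SA was deleted. That is the fact the trace establishes; it does not by itself say whether the client or a NAT mapping stopped responding.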