Hi epaniagua,
I have added the following config:
set security ipsec vpn ike-vpn-BON vpn-monitor optimized
set security ipsec vpn ike-vpn-BON vpn-monitor source-interface irb.2
set security ipsec vpn ike-vpn-BON vpn-monitor destination-ip 192.168.7.254
But traffic is still not passing, although after following the KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=METADATA everything seems to check out, even the flow sessions:
setarnoc@WEMA_DLI99046_Router> show security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.7.0/24
Session ID: 65074, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50398 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 486,
Out: 192.168.7.10/389 --> 192.168.1.66/50398;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 68168, Policy name: BON_VPN_OUT/15, Timeout: 38, Valid
In: 192.168.1.66/64423 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/64423;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 75386, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
In: 192.168.1.66/50397 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 400,
Out: 192.168.7.10/389 --> 192.168.1.66/50397;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 76158, Policy name: BON_VPN_OUT/15, Timeout: 2, Valid
In: 192.168.1.13/56520 --> 192.168.7.171/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.171/5060 --> 192.168.1.13/56520;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 76465, Policy name: BON_VPN_OUT/15, Timeout: 8, Valid
In: 192.168.1.13/56522 --> 192.168.7.172/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.172/5060 --> 192.168.1.13/56522;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 76676, Policy name: BON_VPN_OUT/15, Timeout: 14, Valid
In: 192.168.1.13/56525 --> 192.168.7.173/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
Out: 192.168.7.173/5060 --> 192.168.1.13/56525;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
One thing I noticed is that I don't see any Out Pkts/Bytes in the flow sessions. Is that normal?
Afterwards I tried using traffic-selectors; however, it would not commit while VPN monitoring was enabled, so I deleted the monitoring and used traffic-selectors instead. I also removed the static route from routing-options.
However, I still get the same results. I do see the route added to the routing table:
setarnoc@WEMA_DLI99046_Router> show route 192.168.7.254
inet.0: 63 destinations, 63 routes (63 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.7.0/24 *[Static/5] 00:01:30
> via st0.0
I'm beginning to think the issue might be with the ASA at the other end?
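On the zero "Out" counters in the session table above: in `show security flow session` output the In wing is the packet that created the session (here entering on irb.2) and the Out wing is the reply direction (here expected to arrive on st0.0), so Pkts: 0 on every Out wing means the SRX is forwarding traffic into the tunnel and no reply has ever come back through it. A quick way to make that visible across a long session table is to parse the output and flag the one-way sessions. The script below is an added example, not code from the original post or from Juniper; its sample input is constructed from two sessions shown above plus one hypothetical healthy session (ID 90001) so the check has both something to flag and something to pass. If it flags everything, the next place to look is the IPsec SA counters (`show security ipsec statistics`), which show whether packets are being encrypted toward the peer and whether anything is being decrypted from it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: sessions 65074 and 76158 are copied from the post
# above; session 90001 is a hypothetical healthy session added as a control.
SAMPLE_OUTPUT = """\
Session ID: 65074, Policy name: BON_VPN_OUT/15, Timeout: 22, Valid
  In: 192.168.1.66/50398 --> 192.168.7.10/389;udp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 486,
  Out: 192.168.7.10/389 --> 192.168.1.66/50398;udp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 76158, Policy name: BON_VPN_OUT/15, Timeout: 2, Valid
  In: 192.168.1.13/56520 --> 192.168.7.171/5060;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 2, Bytes: 104,
  Out: 192.168.7.171/5060 --> 192.168.1.13/56520;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 0, Bytes: 0,
Session ID: 90001, Policy name: BON_VPN_OUT/15, Timeout: 1794, Valid
  In: 192.168.1.20/40000 --> 192.168.7.50/22;tcp, Conn Tag: 0x0, If: irb.2, Pkts: 10, Bytes: 1200,
  Out: 192.168.7.50/22 --> 192.168.1.20/40000;tcp, Conn Tag: 0x0, If: st0.0, Pkts: 8, Bytes: 900,
Total sessions: 3
"""

# One session header line and one wing (In/Out) line, as printed by Junos.
SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
WING_RE = re.compile(
    r"(?P<dir>In|Out): (?P<src>[^\s/]+)/(?P<sport>\d+) --> (?P<dst>[^\s/]+)/(?P<dport>\d+);"
    r"(?P<proto>\w+), Conn Tag: \S+, If: (?P<iface>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str   # interface this direction's packets arrive on
    pkts: int
    bytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing] = field(default_factory=dict)  # keyed "In" / "Out"


def parse_flow_sessions(text: str) -> List[Session]:
    """Parse `show security flow session` output into Session objects."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m["sid"]), m["policy"], int(m["timeout"]), m["state"])
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current.wings[m["dir"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"],
                m["iface"], int(m["pkts"]), int(m["bytes"]),
            )
    return sessions


def one_way_sessions(sessions: List[Session], tunnel_if: str = "st0.0") -> List[Session]:
    """Sessions whose In wing counted packets but whose Out (reply) wing on the
    tunnel interface counted none: forwarded into the VPN, nothing came back."""
    flagged = []
    for s in sessions:
        fwd, rev = s.wings.get("In"), s.wings.get("Out")
        if fwd is None or rev is None:
            continue
        if rev.iface == tunnel_if and fwd.pkts > 0 and rev.pkts == 0:
            flagged.append(s)
    return flagged


def report(sessions: List[Session], tunnel_if: str = "st0.0") -> List[str]:
    """Human-readable summary; last line is the overall count."""
    flagged = one_way_sessions(sessions, tunnel_if)
    lines = []
    for s in flagged:
        f = s.wings["In"]
        lines.append(
            f"session {s.sid}: {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} "
            f"sent {f.pkts} pkt(s) via {tunnel_if}, 0 replies (timeout {s.timeout}s)"
        )
    lines.append(f"{len(flagged)} of {len(sessions)} sessions to {tunnel_if} are one-way")
    return lines


if __name__ == "__main__":
    for line in report(parse_flow_sessions(SAMPLE_OUTPUT)):
        print(line)
```

To run it against a live box, paste the CLI output (or pipe the result of `show security flow session ... | no-more`) into `SAMPLE_OUTPUT`'s place; the short timeouts on the flagged sessions (22 s, 2 s) are another sign that these are half-open, unanswered sessions being aged out rather than established ones.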