
OpenVpn issue with rerouting interfaces


Hi guys,

New to this forum, so forgive me if I placed my issue in the wrong topic.

 

The issue: I have an OpenVPN server behind an SRX with static NAT. Everything works ok after the OpenVPN client successfully connects to the OpenVPN server, but after a while (randomly 1~5 h) the connection goes down without any reason.

Checked the openvpn server config and everything looks ok.

 

The topology:

I have an Openvpn Server behind my SRX 550 which is nated (statically).

A routing-based policy with load balancing for my reth interfaces (it is not applied to the OpenVPN interface).

I have configured my SRX to static NAT the OpenVPN server to one public IP from our /28 block of IPs (reth2.150) and added proxy-arp for the ISP's ARP requests, since this IP is not the public interface address of my SRX.

Reth2.150 is my ISP's leased line interface. /28 block of ips.

Reth2.110 is my DMZ Wan gw for my OpenVpn internal ip.

Openvpn ip 10.0.110.11

 

Debug: After running tcpdump on both ends (client and server) and on the SRX, I noticed the following when the OpenVPN connection went down (at the same time on client and server):

May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->x.x.x.x/1194;17> matched filter PF2:

May 27 17:55:14 17:55:14.397463:CID-1:RT:packet [112] ipid = 20559, @0x41d314ac

May 27 17:55:14 17:55:14.397463:CID-1:RT:---- flow_process_pkt: (thd 5): flow_ctxt type 15, common flag 0x0, mbuf 0x41d31280, rtbl_idx = 20

May 27 17:55:14 17:55:14.397463:CID-1:RT: flow process pak fast ifl 98 in_ifp reth2.110

May 27 17:55:14 17:55:14.397463:CID-1:RT: find flow: table 0x528ce8a8, hash 10400(0xffff), sa 10.0.110.11, da x.x.x.x, sp 1201, dp 1194, proto 17, tok 45

May 27 17:55:14 17:55:14.397463:CID-1:RT:  flow got session.

May 27 17:55:14 17:55:14.397463:CID-1:RT: flow fast tcp/udp session id 215478

May 27 17:55:14 17:55:14.397463:CID-1:RT:flow_ipv4_rt_lkup success x.x.x.x, iifl 0x0, oifl 0x10a

May 27 17:55:14 17:55:14.397463:CID-1:RT:  handle reroute for tunnel 0

May 27 17:55:14 17:55:14.397576:CID-1:RT:new output if pp0.3

May 27 17:55:14 17:55:14.397576:CID-1:RT:flow_ipv4_rt_lkup_reroute: session 0xf6000349b6 c2s if reth2.150 -> pp0.3

May 27 17:55:14 17:55:14.397576:CID-1:RT:  refreshing session

May 27 17:55:14 17:55:14.397576:CID-1:RT: vector bits 0x1020 vector 0x4b466ab8

May 27 17:55:14 17:55:14.397576:CID-1:RT:  vsd 1 is active

May 27 17:55:14 17:55:14.397576:CID-1:RT:mbuf 0x41d31280, exit nh 0xe20010

May 27 17:55:14 17:55:14.397576:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

As you can see, it changes the outbound interface. (reth2.150 is the correct incoming interface where OpenVPN accepts requests and should forward them back, whereas pp0.3 is an active PPPoE interface that serves for load balancing and is a member of the rib-group in routing-options for PBR.)

The same happened with another OpenVPN client, where the SRX rerouted traffic to pp0.4 (also a member of the load-balance rib-group).

 

I will post the configs so you can tell me if I am missing something.

 

Interface DMZ-WAN (openvpn server IP)

# show interfaces reth2.110
description DMZ-ZONE;
vlan-id 110;
family inet {
    address 10.0.110.1/24;
}

Interface for my Internet (one of them/ leased line)

# show interfaces reth2.150
description "*** FIBER FOR EMPL ***";
vlan-id 150;
family inet {
    address x.x.x.x/28 {
        primary;
    }
    address x.x.x.y/28;
}

Static Nat for Openvpn Server

# show security nat static
from zone ISP_ALL_EMPL;
rule Openvpn-fiber match { destination-address x.x.x.x/32; } then { static-nat { prefix { 10.0.110.11/32; } } }

Proxy arp for this IP for arp requests from my ISP

# show security nat proxy-arp
interface reth2.150 {
    address {
        x.x.x.x/32;
        y.y.y.y/32;
    }
}

Security policy from the ISP zone to the DMZ

# show security policies from-zone ISP_ALL_EMPL to-zone DMZ
policy VPN {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

I am not posting my routing-options config, as I think the SRX doesn't need to check it since we have static NAT.

 

Please, I need your help to fix this issue! I cannot find anything wrong.

If you need more config files please let me know

 

Thank you in advance

 

Dimi,

CCNA-CCNP-JNCIA-MCSA
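To make the reroute event in the trace above easy to spot in a longer capture, here is a small parser for SRX flow traceoptions output. This is an added example, not code from the original post or from Juniper: the sample trace is constructed from the lines in the post (x.x.x.x stands in for the public address exactly as it does above, and the second packet from the constructed host 10.0.110.12 is there only as a negative case), the "new output if" record is deliberately glued to the following record the way it appears in the pasted output, and the `pinned_egress` mapping is an assumption standing in for "static-NAT host 10.0.110.11 must leave via reth2.150".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the flow traceoptions output in the post.
SAMPLE_TRACE = (
    "May 27 17:55:14 17:55:14.397463:CID-1:RT:<10.0.110.11/1201->x.x.x.x/1194;17> matched filter PF2:\n"
    "May 27 17:55:14 17:55:14.397463:CID-1:RT: flow process pak fast ifl 98 in_ifp reth2.110\n"
    "May 27 17:55:14 17:55:14.397463:CID-1:RT: flow fast tcp/udp session id 215478\n"
    "May 27 17:55:14 17:55:14.397463:CID-1:RT:  handle reroute for tunnel 0\n"
    # two records fused onto one line, as in the pasted output
    "May 27 17:55:14 17:55:14.397576:CID-1:RT:new output if pp0.3"
    "May 27 17:55:14 17:55:14.397576:CID-1:RT:flow_ipv4_rt_lkup_reroute: session 0xf6000349b6 c2s if reth2.150 -> pp0.3\n"
    "May 27 17:55:14 17:55:14.397576:CID-1:RT:  refreshing session\n"
    "May 27 17:55:14 17:55:14.397576:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)\n"
    # constructed second packet that is NOT rerouted (negative case)
    "May 27 17:55:20 17:55:20.100001:CID-1:RT:<10.0.110.12/4000->x.x.x.x/443;6> matched filter PF2:\n"
    "May 27 17:55:20 17:55:20.100001:CID-1:RT: flow fast tcp/udp session id 215479\n"
    "May 27 17:55:20 17:55:20.100001:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)\n"
)

# Every record starts with "Mon DD HH:MM:SS HH:MM:SS.micro:"; splitting on that
# prefix recovers records even when two were pasted onto a single line.
RECORD_START = re.compile(r"(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d\d:\d\d:\d\d\.\d+:)")
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\d\d:\d\d:\d\d\.\d+):")
MATCHED = re.compile(r"<(\S+?)/(\d+)->(\S+?)/(\d+);(\d+)> matched filter")
SESSION_ID = re.compile(r"flow fast tcp/udp session id (\d+)")
REROUTE = re.compile(r"flow_ipv4_rt_lkup_reroute: session (0x[0-9a-f]+) (c2s|s2c) if (\S+) -> (\S+)")


@dataclass
class Reroute:
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    session_id: Optional[str]   # numeric id from "flow fast tcp/udp session id"
    direction: str              # c2s or s2c
    old_if: str
    new_if: str


def split_records(text: str) -> List[str]:
    """Return one trace record per element, splitting fused lines on the timestamp prefix."""
    records: List[str] = []
    for line in text.splitlines():
        for rec in RECORD_START.split(line):
            if rec.strip():
                records.append(rec.strip())
    return records


def parse_reroutes(text: str) -> List[Reroute]:
    """Walk the records in order: a 'matched filter' record opens a packet context,
    and any reroute record that follows is attributed to that packet's 5-tuple."""
    reroutes: List[Reroute] = []
    flow = None
    session_id: Optional[str] = None
    for rec in split_records(text):
        m = MATCHED.search(rec)
        if m:
            flow = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5)))
            session_id = None
            continue
        m = SESSION_ID.search(rec)
        if m:
            session_id = m.group(1)
            continue
        m = REROUTE.search(rec)
        if m and flow is not None:
            ts = TIMESTAMP.match(rec)
            reroutes.append(Reroute(
                time=ts.group(1) if ts else "",
                src=flow[0], sport=flow[1], dst=flow[2], dport=flow[3], proto=flow[4],
                session_id=session_id, direction=m.group(2),
                old_if=m.group(3), new_if=m.group(4)))
    return reroutes


def unexpected_reroutes(reroutes: List[Reroute], pinned_egress: Dict[str, str]) -> List[Reroute]:
    """Keep only reroutes that move a pinned host's session off the interface its
    public (static-NAT) address lives on. pinned_egress maps internal IP -> interface."""
    return [r for r in reroutes if r.src in pinned_egress and r.new_if != pinned_egress[r.src]]


if __name__ == "__main__":
    # Assumed mapping for this post: the OpenVPN server must leave via reth2.150.
    for r in unexpected_reroutes(parse_reroutes(SAMPLE_TRACE), {"10.0.110.11": "reth2.150"}):
        print(f"{r.time} session {r.session_id} {r.src}:{r.sport}->{r.dst}:{r.dport}/{r.proto} "
              f"{r.direction} rerouted {r.old_if} -> {r.new_if}")
```

Run it over a saved `flow traceoptions` file instead of `SAMPLE_TRACE` and it prints one line per session that the SRX moved away from the pinned interface; an empty result after a config change is a quick way to confirm the rerouting has stopped.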

 

