SRX650: IPsec VPN phase 1 down,and no-nat-traversal


Hi everyone:

 

Today I configured QoS and bandwidth limiting for the VPN on an SRX650 [12.1X46-D40.2] firewall. After committing the configuration, I found that all VPN gateway states were down. After rolling back the configuration, the main mode VPNs came up, but the aggressive mode VPNs stayed down. After configuring the command "no-nat-traversal", the aggressive mode VPN returned to normal, but the business addresses still cannot communicate. Deleting "no-nat-t" brings the VPN down again.

 

QoS configuration:

 

root@srx-01# show interfaces reth1 | display set 
set interfaces reth1 per-unit-scheduler
set interfaces reth1 unit 100 family inet filter output TRE
set interfaces reth1 unit 100 family inet address 100.100.100.1/24

set class-of-service virtual-channels TR-100m
set class-of-service virtual-channels IN-10m
set class-of-service virtual-channel-groups TRE TR-100m scheduler-map TR-100m
set class-of-service virtual-channel-groups TRE TR-100m shaping-rate 100m
set class-of-service virtual-channel-groups TRE IN-10m scheduler-map IN-10m
set class-of-service virtual-channel-groups TRE IN-10m shaping-rate 10m
set class-of-service virtual-channel-groups TRE IN-10m default
set class-of-service interfaces reth1 unit 100 virtual-channel-group TRE
set class-of-service interfaces reth1 unit 100 rewrite-rules inet-precedence default
set class-of-service scheduler-maps TR-100m forwarding-class expedited-forwarding scheduler TR-100m
set class-of-service scheduler-maps IN-10m forwarding-class assured-forwarding scheduler IN-10m
set class-of-service schedulers TR-100m shaping-rate 100m
set class-of-service schedulers IN-10m shaping-rate 10m

set firewall family inet filter TRE term 1 from destination-address 100.100.100.2/32
set firewall family inet filter TRE term 1 from protocol esp
set firewall family inet filter TRE term 1 then virtual-channel TR-100m
set firewall family inet filter TRE term 1 then accept
set firewall family inet filter TRE term 2 then virtual-channel IN-10m
set firewall family inet filter TRE term 2 then accept

 

 

So far the VPN is normal, but the business addresses cannot communicate normally. If NAT-T is deleted, the VPN is interrupted and the tunnel interface goes down. Why?

 

 

show security flow session: there is an outgoing session, but no incoming traffic.


 

1. What is the connection between aggressive mode and NAT traversal?

2. Does QoS affect the establishment of the VPN? [Another site with the same configuration is normal.]

 

When the NAT configuration is removed, the log is shown below:

 

 

  ike_st_o_private: Start
  Construction NHTB payload for  local:X.X.X.X, remote:X.X.X.X IKEv1 P1 SA index 11282220 sa-cfg VPN-Bank_GZNongShang
  Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg VPN-Bank_GZNongShang, p1_sa=11282220
  ike_policy_reply_private_payload_out: Start
  ike_st_o_encrypt: Marking encryption for packet
  ike_encode_packet: Start, SA = { 0x88d97030 3e707be3 - 34381a74 90e4160c } / 7e5ba586, nego = 0
  ike_finalize_qm_hash_1: Hash[0..20] = 3d16970e ee814f27 ...
  ike_send_packet: Start, send SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500,  routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
  ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_retransmit_callback: Isakmp query retry limit reached, deleting<none>:500 (Initiator) <-> X.X.X.X:4500 { 88d97030 3e707be3 - 34381a74 90e4160c [0] / 0x7e5ba586 } QM; Error = Timeout (8197)
  ike_send_notify: Private notification, do not send notification
  ike_delete_negotiation: Start, SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
  ike_free_negotiation_qm: Start, nego = 0
  ike_free_negotiation: Start, nego = 0
  ike_free_id_payload: Start, id type = 4
  ike_free_id_payload: Start, id type = 1
  IPSec negotiation failed for SA-CFG VPN-Bank_GZNongShang for local:X.X.X.X, remote:X.X.X.X IKEv1. status: Timed out
     P2 ed info: flags 0x8c2, P2 error: Error ok
  iked_pm_check_p2_failure_num: Phase2 failed 1/3 times for P1 SA 11282220
    IKEv1 Error : Timeout
  ssh_ike_connect: Start, remote_name = X.X.X.X:500, xchg = 4, flags = 00040000
  ike_sa_allocate: Start, SA = { ff57fda1 10f2c29c - 00000000 00000000 }
  ike_init_isakmp_sa: Start, remote = X.X.X.X:500, initiator = 1
  ssh_ike_connect: SA = { ff57fda1 10f2c29c - 00000000 00000000}, nego = -1

Thanks very much!
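The setup described in the post, as an added example that is not part of the original post and not Juniper code: a small Python script that (1) re-implements the two terms of the post's firewall filter TRE and runs constructed sample packets through it, which shows that native ESP (IP protocol 50) lands in the TR-100m virtual channel while NAT-T traffic, which carries ESP inside UDP/4500 per RFC 3948, matches only term 2 and falls into the 10m default channel; and (2) parses an excerpt modelled on the IKE debug log quoted above to count sends and retransmits to UDP/4500 and flag the retry-limit timeout. The PEER constant, the sample packets, the log excerpt and the verdict wording are constructed for this example.

```python
"""Added example, not part of the original post: (1) evaluate the post's
firewall filter TRE against constructed sample packets, to see which virtual
channel each kind of VPN traffic lands in, and (2) triage an IKE debug log
excerpt for the retransmit-then-timeout pattern the post shows."""
import re
from dataclasses import dataclass
from typing import Optional

PEER = "100.100.100.2"   # destination-address in TRE term 1 (from the post)


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                      # "esp", "udp", "tcp"
    dst_port: Optional[int] = None  # None for protocols without ports


def classify_tre(pkt: Packet) -> str:
    """Mirror the two terms of 'filter TRE' exactly as configured in the post:
    term 1: destination 100.100.100.2/32 AND IP protocol ESP -> TR-100m
    term 2: everything else                                  -> IN-10m (default)
    """
    if pkt.dst == PEER and pkt.proto == "esp":
        return "TR-100m"
    return "IN-10m"


# Constructed sample packets. NAT-T (RFC 3948) carries ESP inside UDP/4500, so
# from the filter's point of view it is UDP, not IP protocol 50.
SAMPLE_PACKETS = {
    "native ESP (proto 50) to peer": Packet(PEER, "esp"),
    "NAT-T ESP-in-UDP/4500 to peer": Packet(PEER, "udp", 4500),
    "IKE on UDP/500 to peer":        Packet(PEER, "udp", 500),
    "IKE on UDP/4500 to peer":       Packet(PEER, "udp", 4500),
    "native ESP to another host":    Packet("100.100.100.9", "esp"),
}


def classify_all(packets=SAMPLE_PACKETS) -> dict:
    return {name: classify_tre(p) for name, p in packets.items()}


# --- IKE debug log triage ---------------------------------------------------
SEND_RE = re.compile(r"ike_send_packet: Start, (retransmit previous packet )?.*dst = (\S+?):(\d+)")
RETRY_LIMIT_RE = re.compile(r"Isakmp query retry limit reached")
FAIL_RE = re.compile(r"IPSec negotiation failed for SA-CFG (\S+) .*status: (.+?)\s*$")
P2_RE = re.compile(r"Phase2 failed (\d+)/(\d+)")

# Constructed excerpt modelled on the lines quoted in the post (X.X.X.X kept).
SAMPLE_LOG = """\
ike_send_packet: Start, send SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500,  routing table id = 0
ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
ike_retransmit_callback: Start, retransmit SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0
ike_send_packet: Start, retransmit previous packet SA = { 88d97030 3e707be3 - 34381a74 90e4160c}, nego = 0, dst = X.X.X.X:4500 routing table id = 0
ike_retransmit_callback: Isakmp query retry limit reached, deleting<none>:500 (Initiator) <-> X.X.X.X:4500 { 88d97030 3e707be3 - 34381a74 90e4160c [0] / 0x7e5ba586 } QM; Error = Timeout (8197)
IPSec negotiation failed for SA-CFG VPN-Bank_GZNongShang for local:X.X.X.X, remote:X.X.X.X IKEv1. status: Timed out
iked_pm_check_p2_failure_num: Phase2 failed 1/3 times for P1 SA 11282220
"""


def triage_ike_log(text: str = SAMPLE_LOG) -> dict:
    """Summarise one negotiation: where packets went, how often they were
    resent, and whether the peer ever answered before the retry limit."""
    sends = retransmits = 0
    ports = set()
    result = {"sa_cfg": None, "status": None, "p2_failures": None,
              "retry_limit_reached": False}
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            sends += 1
            retransmits += bool(m.group(1))   # group 1 set only on resends
            ports.add(int(m.group(3)))
        elif RETRY_LIMIT_RE.search(line):
            result["retry_limit_reached"] = True
        elif m := FAIL_RE.search(line):
            result["sa_cfg"], result["status"] = m.group(1), m.group(2)
        elif m := P2_RE.search(line):
            result["p2_failures"] = f"{m.group(1)}/{m.group(2)}"
    result.update(sends=sends, retransmits=retransmits, dst_ports=sorted(ports))
    # Verdict wording is this example's own, not a Junos message.
    if result["retry_limit_reached"] and ports == {4500}:
        result["verdict"] = ("QM packets were sent to UDP/4500 (NAT-T port) and never "
                             "answered; check the path and any shaping applied to UDP/4500")
    else:
        result["verdict"] = "no NAT-T timeout signature found"
    return result


if __name__ == "__main__":
    for name, channel in classify_all().items():
        print(f"{name:32s} -> {channel}")
    print(triage_ike_log())
```

Run it as-is to see the classification table and the triage summary; to triage a real capture, pass the text of `show log` output (or the IKE trace file) to `triage_ike_log()`. The filter model only knows about the match conditions actually present in the post's configuration, so it is a faithful mirror of those two terms rather than a general Junos filter evaluator.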

 

