Always Geeky | Juniper SRX

SRX VPN Phase-1 negotiation failed with error Timeout

If your phase 1 negotiation is timing out from your SRX, it may be due to lack of IKE setting on the host-inbound-traffic setting.

Here is a typical error:
Jan 01 12:00:00 Phase-1 negotiation failed with error Timeout for p1_local=ipv4( udp:500,[0..3]=192.0.2.1) p1_remote=ipv4(udp:500,[0..3]=198.51.100.1)

A broken config will look like this – notice the lack of IKE.

root@srx> show configuration security
security {
        security-zone untrust {
            address-book {
                address 10.0.0.0/24 10.0.0.0/24;
                address 10.0.1.0/24 10.0.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                fe-0/0/2.0;
                st0.0;
            }
        }
    }

Note the lack of IKE on host-inbound-traffic. Here is how you fix it.

root@srx# set security security-zone untrust host-inbound-traffic system-services ike

Here is the update config

root@srx> show configuration security
security {
        security-zone untrust {
            address-book {
                address 10.0.0.0/24 10.0.0.0/24;
                address 10.0.1.0/24 10.0.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    ike;
                }
            }
            interfaces {
                fe-0/0/2.0;
                st0.0;
            }
        }
    }

SRX cluster SSH/HTTPS access to secondary fails

Posted on October 21, 2012 12:51 pm by scott Comment

A Juniper SRX cluster configuration does not allow access to the secondary device, even by out-of-band management, but default. This is expected behaviour, as the non-primary device in a cluster will not start the router process. So, unless your out-of-band management gives you access from the same layer 2 network, the secondary SRX will not respond to SSH/HTTPS

To resolve this, you need set a backup-router. A backup-router is a static route which is active before the routing engine starts. Typically, this is useful while the SRX is booting, as it allows BOOTSTRAP or PXE based boots, but presents a problem in cluster.

root@srx-secondary> show route error: the routing subsystem is not running

Fix this problem, with the following command:
set groups node1 system backup-router 172.29.0.1 destination 0.0.0.0/0
This will appear in the groups configuration as such:

node0 {
    system {
        host-name srx-primary;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.100/24;
                }
            }
        }
    }
}

node1 {
    system {
        host-name srx-secondary;
        backup-router 172.29.0.1 destination 0.0.0.0/0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.101/24
                }
            }
        }
    }
}

You will now have SSH/HTTPS access to your secondary device. It is a good idea to also add a backup-router to the primary device, in case the router daemon on the primary crashes or fails.

This entry was posted in Juniper SRX and tagged backup-router, HTTPS, out of band, routing daemon, SSH. Bookmark the permalink.