This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 74%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Having issues with a LAN-2-LAN setup with Juniper SRX. Getting zero response from the VPN Gateway.
Checked everything multiple times:
[Jun 3 21:41:24]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:34]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:44]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:54]P1 SA 3213912 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[Jun 3 21:41:54]Initiate IKE P1 SA 3213912 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
[Jun 3 21:41:54]IKE SA delete called for p1 sa 3213912 (ref cnt 3) local:x.x.x.x, remote:20.211.21.170, IKEv2
[Jun 3 21:41:54]Freeing all P2 SAs for IKEv2 p1 SA 3213912
[Jun 3 21:41:54]P1 SA 3213912 reference count is not zero (1). Delaying deletion of SA
[Jun 3 21:41:54]iked_pm_p1_sa_destroy: p1 sa 3213912 (ref cnt 0), waiting_for_del 0x10c3600
[Jun 3 21:41:54]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[Jun 3 21:41:54]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Jun 3 21:41:54]ssh_ikev2_ipsec_send: Creating IKE and IPsec SA 20.211.21.170;500
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello @Ignat , Welcome to the Microsoft Q&A forum. If I understand it correctly you have trying to set-up an Azure Site-Site VPN where you are using the Juniper SRX as your on-prem device.
If my understanding above is correct. Can you please confirm what kind of S2S VPN you are using route-based or policy-based?
As documented here Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy.
This table here contains the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies).
Alternatively, you can also perform a packet capture at your Azure VPN gateway which can help narrow down the issue.
I am using route-based and have checked all my proposal settings match the requirements.
As you can see in the above trace I am sending packets out and getting no response.
When doing a packet capture I get the following error:
Failed to stop packet capture on the Connection.
Failed to stop packet capture on the Connection 'Site-to-Site'. Error: An internal error occured. The response did not contain any data. Please check storage for the capture.
Looking at the details the VPN gateway has sent zero packets out and received zero, so im sure the issue is on the azure side
Please investigate
Hi @Ignat
I just wanted to ask few questions...
Since it is an SRX FW, I am wondering if you are doing a monitor traffic command on your ST interface(Secure interface)....
Are you running trace option for this?
Cheers,
The ST interface never comes up because the IKE process never completes.
Is there anything you need to do in the Azure side to enable to S2S VPN ?
The only other thing I can think of is there is a routing issue between me and the Azure gateway ..