This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 74%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
Having issues with a LAN-2-LAN setup with Juniper SRX. Getting zero response from the VPN Gateway.
Checked everything multiple times:
[Jun 3 21:41:24]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:34]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:44]ikev2_udp_send_packet: [104d800/10ac800] <-------- Sending packet - length = 346 VR id 0
[Jun 3 21:41:54]P1 SA 3213912 timer expiry. ref cnt 2, timer reason Force delete timer expired (1), flags 0x0.
[Jun 3 21:41:54]Initiate IKE P1 SA 3213912 delete. curr ref count 2, del flags 0x3. Reason: Internal Error: Unknown event (0)
[Jun 3 21:41:54]IKE SA delete called for p1 sa 3213912 (ref cnt 3) local:x.x.x.x, remote:20.211.21.170, IKEv2
[Jun 3 21:41:54]Freeing all P2 SAs for IKEv2 p1 SA 3213912
[Jun 3 21:41:54]P1 SA 3213912 reference count is not zero (1). Delaying deletion of SA
[Jun 3 21:41:54]iked_pm_p1_sa_destroy: p1 sa 3213912 (ref cnt 0), waiting_for_del 0x10c3600
[Jun 3 21:41:54]iked_pm_ike_sa_delete_done_cb: For null p1 sa, status: Error ok
[Jun 3 21:41:54]iked_deferred_free_inactive_peer_entry: Free 1 peer_entry(s)
[Jun 3 21:41:54]ssh_ikev2_ipsec_send: Creating IKE and IPsec SA 20.211.21.170;500
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello @Ignat , Welcome to the Microsoft Q&A forum. If I understand it correctly you have trying to set-up an Azure Site-Site VPN where you are using the Juniper SRX as your on-prem device.
If my understanding above is correct. Can you please confirm what kind of S2S VPN you are using route-based or policy-based?
As documented here Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy.
This table here contains the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies).
Alternatively, you can also perform a packet capture at your Azure VPN gateway which can help narrow down the issue.
Is there any way to do a ping from the Gateway to confirm connectivity to my public IP ?
Well, you can run a psping command from azure....
Please try to share this...
show security ike security-associations
show security ike security-associations index XY detail
Also, Did you run trace options on the SRX?
Cheers,