Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: ssg140 passive fw taking traffic


The passive node should only accept traffic addressed to the mgmt IP addresses on the device. If you are sure the policy counts are incrementing while the device is passive, I would start by running through this test procedure.

This will verify that the configuration and RTO sync on your devices and that failover occurs correctly, and will help identify any errors.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB9810


Re: NetScreen 204 Intermittent connectivity issues


Running Wireshark shows the following: DHCP_Issue.jpg

Re: NetScreen 204 Intermittent connectivity issues


It only shows the client sending packets; what is coming from the server? Can you attach the whole pcap file captured during the issue?

 

BR,

Vikas

Error in updating attack database on ISG2000-IDP


Error Code:

Error Text:
Exception caught during Update Device:

Device has returned an Error. The file might be invalid one. Return value: -4904

Error Details:
No Details Available.

NSRP issue


Has anyone experienced an issue related to NSRP in which the backup firewall continuously gets the BGP idle message logs and keeps refreshing the DNS entries? The firewall in question is acting as backup in NSRP.

Re: Error in updating attack database on ISG2000-IDP


Error screenshot attached.

 

IDP files version:
detector2.so 3.5.141421
engine 3.4.139311
pcid 3.4.139311
scio 3.4.139311

 

get chassis
Chassis Environment:
Power Supply: Good
Fan Status: Good
CPU Temperature: 118'F ( 48'C)
Slot Information:
Slot Type S/N Assembly-No Version Temperature
0 System Board 0079102011000062 0051-005 F07 89'F (32'C), 102'F (39'C)
4 Management 0252112011000022 0049-004 D19 118'F (48'C)
1 Security 0137012012000076 0067-002 B05 cpu1:Ready, cpu2:Ready
2 Security 0137102011000008 0067-002 B05 cpu1:Ready, cpu2:Ready
3 Security 0137022012000027 0067-002 B05 cpu1:Ready, cpu2:Ready
5 ASIC Board 002321647l110014 0051-005 C03
Marin FPGA version 9, Jupiter ASIC version 1, Fresno FPGA version 110
I/O Board
Slot Type S/N Version FPGA version
1 2 port mini GBIC (0x5) 0141042007000208 C00 8
2 2 port mini GBIC (0x5) 0141032007000203 C00 8
Alarm Control Information:
Power failure audible alarm: disabled
Fan failure audible alarm: disabled
Low battery audible alarm: disabled
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)


Re: ssg140 passive fw taking traffic


I am also facing a somewhat similar issue, in which BGP state change and DNS connection messages are generated from the backup firewall and are failing.

 


Re: NSRP issue


But since the interfaces are in the down state, why is the firewall generating the BGP message about going to the IDLE state, when the actual status of BGP is ACTIVE?

Similarly for the DNS query, why is the backup one trying to connect to the DNS server, when that should be done from the active firewall?

The same is not done by the other pair of firewalls.

Re: NSRP issue


For the DNS entries, the firewall cannot have a policy that does not contain an IP address, and the DNS host cache does not sync between the two devices. As such, each device must do its own DNS query. They use the manage-ip for the queries.

 

As for the BGP issue, this is outlined in https://kb.juniper.net/InfoCenter/index?page=content&id=KB22836

 


NetScreen IPSEC VPN


I have run into a brick wall trying to set up an IPSEC site2site VPN with a Juniper ISG 1000 on one end and a Cisco router on the other. What makes this configuration even more complicated is that I don't have access to the other side and there is a need to SNAT on the Juniper.

To try and understand the Juniper VPN configuration I have been trying to set up a VPN tunnel between the Juniper device and my Cisco ASA sitting at my house. Here are the settings that I have in the Juniper right now:

 

Juniper Configuration:

ethernet 2/3 (Untrust) = 1.1.1.1/24

loopback.5 = 2.2.2.2/32, routed, admin status up

tunnel.6 = zone: untrust, unnumbered, loopback.5 (trust-vr)

 

Gateway (test 1) = 3.3.3.3, outgoing interface: ethernet 2/3, psk=test, local ID: 2.2.2.2

 

AutoKey (test) = remote gateway: test 1, bind to: tunnel.6, vpn monitor enabled

Proxy ID = source: 5.5.5.0/24, destination: 6.6.6.0/24

 

At this point I would expect to see phase 1 attempting to make a connection to the ASA, but there is nothing. This makes me believe there is something else that I'm missing, because it appears that the Juniper isn't trying to initiate the connection. It's my understanding that the VPN monitor being enabled should bring this up right away, am I wrong?

 

Any help would be greatly appreciated.

Re: NetScreen IPSEC VPN


1: Do you have a route configured to point the traffic to the tunnel interface? Are the other routes in place?

2: 'get event' should show the vpn related event, whether device tried to initiate IKE packets or not etc.

3: Check the KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB14330&actp=search about how to set up S2S based VPN. 

4: If everything is in place then monitor should force device to initiate the IKE packets.

 

 

Thanks,

Vikas

Re: Error in updating attack database on ISG2000-IDP


Hi

 

The error is related to an invalid file:

 

Device has returned an Error. The file might be invalid one. Return value: -4904

 

Please attach the error screenshot for the exact issue.

 

Regards,

Prem

Re: NetScreen IPSEC VPN


1. I do have a route that points to the tunnel.6 interface

2. 'get event' returns nothing regarding the VPN tunnel

3. I pretty much followed these instructions with the exception of step 1.4: I used a loopback interface instead of the physical interface to the Internet

4. I see no IKE traffic being initiated from the Juniper device

 

When I was testing in my lab with a vsrx I had to run a command to change a security policy to permit IKE??? Does this apply on this device as well?


Re: NetScreen IPSEC VPN


1. The IKE gateway should be bound to loopback and not the physical IF

2. The physical IF and loopback should be in the same zone

 

Also, enable 'rekey' along with monitoring.
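Putting the advice in this thread together (IKE gateway bound to the loopback, loopback and physical interface in the same zone, rekey enabled with the VPN monitor), the poster's setup would look like the following ScreenOS CLI. This is an added illustration, not configuration posted in the thread; the proposal names, the untrust zone placement of the loopback, main mode and the "ANY" proxy-id service are assumptions, and the exact syntax should be checked against the ISG's ScreenOS release.

```screenos
set interface ethernet2/3 zone untrust
set interface ethernet2/3 ip 1.1.1.1/24
set interface loopback.5 zone untrust
set interface loopback.5 ip 2.2.2.2/32

set interface tunnel.6 zone untrust
set interface tunnel.6 ip unnumbered interface loopback.5

set ike gateway "test 1" address 3.3.3.3 main local-id 2.2.2.2 outgoing-interface loopback.5 preshare test proposal pre-g2-aes128-sha

set vpn test gateway "test 1" proposal g2-esp-aes128-sha
set vpn test bind interface tunnel.6
set vpn test proxy-id local-ip 5.5.5.0/24 remote-ip 6.6.6.0/24 "ANY"
set vpn test monitor rekey

set route 6.6.6.0/24 interface tunnel.6
```

The groups are, in order: interfaces, the phase 1 gateway sourced from the loopback, the phase 2 AutoKey VPN with monitor and rekey, and the route that steers 6.6.6.0/24 into the tunnel; 'get event' and 'get ike cookie' will then show whether IKE is being initiated.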

Re: NetScreen IPSEC VPN


Changing it to the loopback interface and setting the rekey option does force the tunnel to initiate. Unfortunately now I'm working through another problem. I'm getting this on my Cisco device logs:

 

duplicate first packet detected. ignoring packet

 

 

Re: NetScreen 204 Intermittent connectivity issues


So... to troubleshoot, we took out the switch that runs from the firewall to the wireless router, and connectivity has returned to normal and has been stable for almost 3 days.

 

We surmise that someone made a config change to the original switch.  

SRX to SSG5 Route-based VPN with GRE?


Alright, so here it goes:

 

I nailed up a simple lab environment, after a few attempts of failing, and now successfully have a functional Route-based IPSEC Tunnel between an SRX100B and SSG5. The code on the SSG5 is latest release, and the SRX isn't that far behind either. 

 

Now that I've conquered that, I wanted to take it to the next level and incorporate dynamic routing, namely OSPF, by creating about 10 fictitious subnets on each side, using a single area. (Yes, I just want to keep it simple for now.)

 

The confusion is about GRE. I noticed in the following Juniper forum that someone recommended using a 2014 Day One Cookbook, in which they clearly lay out how to establish OSPF over IPSEC between SRX and SSG5 (see Recipe #12 under "DAY ONE: JUNIPER AMBASSADORS' COOKBOOK FOR 2014") ... but not once do they mention configuration of a GRE tunnel? Strange?? I'm finding highly subjective info around the community between different vendors, and I want to get an authoritative answer on this if possible. As a caveat, I do prefer to run GRE to ensure OSPF is securely encapsulated ... I just want to understand the constraints entirely.

 

Secondly, I read that GRE over IPSEC is possible between SRX/SSG5, you just need to ensure that the GRE tunnel is created prior to the IPSEC tunnel, otherwise it may lead to connectivity issues. As defined here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB19954&actp=search

 

So I guess, in conclusion, what is the proper way to do this? 

 

The IPSEC tunnel is currently alive and well between SRX100B and SSG5; disregard the J series router in place of the SRX in the graphic below:

 

 Capture.PNG

 

 

Re: SRX to SSG5 Route-based VPN with GRE?


I'm the author of Recipe #12 in the 2014 Cookbook.  I have not generally used gre over ipsec in recent years because I'm comfortable with the level of encryption security provided by current IPSEC tunneling.  And thus I don't see the need to run the gre inside of this IPSEC encryption.  So the basic layout presented in the book is one I've used for deploying OSPF over the internet IPSEC branch connections.

 

You can run GRE over IPSEC, I think you are reading the kb incorrectly.  The error message about GRE coming first is a result of having the zone configuration for the GRE interface not match the IPSEC interface zone.  I don't think they are suggesting running IPSEC over GRE but making the zone change to allow the GRE tunnel to come up over the IPSEC tunnel.
