Re: The VPN is up, but I have no access on servers


Hello, bruno300!

 

I hope you're having a great week. Thanks for posting so much helpful information. I have a few recommendations.

 

First, run a continuous ping to a server on the other side, then run the following commands... I noted your ping has no source. Do you know what IP the SRX is sourcing the request from? You should attempt setting an explicit source on the 192.168.4.0/23 network, such as a local interface within that network.

 

Have you validated that you're seeing proper encaps and decaps on the tunnel?

 

Identify the index for the tunnel you're troubleshooting. 

show security ipsec security-associations brief

 

Use the index to check the tunnel statistics.

show security ipsec statistics index 131073
ESP Statistics:
Encrypted bytes: 153876
Decrypted bytes: 116316
Encrypted packets: 887
Decrypted packets: 1139
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

Validate the Encrypted packets and Decrypted packets counters are incrementing together. Unfortunately, this can be less than reliable if you have other traffic over the tunnel.

 

Alternatively, setup flow traceoptions and upload the output here. Along with this, please verify the source and destination IP addresses. This will allow us to validate the packet is matching all proper policies, NATs, etc, and validate the VPN is handling it properly. Instructions for flow traceoptions are below.

 

Configure the following and commit.

set security flow traceoptions file tshoot-flow
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter PF1 source-prefix <source IP/netmask>
set security flow traceoptions packet-filter PF1 destination-prefix <dest IP/netmask>
set security flow traceoptions packet-filter PF2 source-prefix <destination IP/netmask>
set security flow traceoptions packet-filter PF2 destination-prefix <source IP/netmask>

Start a ping and periodically check the flow file with the following command:

show log tshoot-flow

If populated, disable the traceoption and upload the flow file here.

 

Thanks so much!
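A script that does the counter comparison described in the reply above, as an added example that is not part of the original post: it parses two copies of the `show security ipsec statistics index <n>` output taken before and after a burst of a known number of pings, computes the per-counter deltas, and says whether the probe is being encrypted on the way out and whether replies are being decrypted on the way back. The snapshot text is constructed for the example (the first mirrors the counters shown in the post, the second assumes 10 pings that drew no replies), and the classification thresholds are an assumption of this example, not SRX behaviour.

```python
"""Compare two snapshots of SRX 'show security ipsec statistics index N'.

Added example: take one snapshot, send a known number of pings through the
tunnel, take a second snapshot, then feed both to check_tunnel().  Because
background traffic also moves the counters (the caveat in the post), packet
deltas are compared against the probe size instead of being required to equal it.
"""
import re

# Constructed sample: counters as shown in the post, before the ping burst.
SNAP_BEFORE = """\
ESP Statistics:
  Encrypted bytes:            153876
  Decrypted bytes:            116316
  Encrypted packets:             887
  Decrypted packets:            1139
AH Statistics:
  Input bytes:                     0
  Output bytes:                    0
  Input packets:                   0
  Output packets:                  0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# Constructed sample: same SA after 10 pings that got no replies
# (encrypted side moved, decrypted side did not).
SNAP_AFTER = """\
ESP Statistics:
  Encrypted bytes:            155236
  Decrypted bytes:            116316
  Encrypted packets:             897
  Decrypted packets:            1139
AH Statistics:
  Input bytes:                     0
  Output bytes:                    0
  Input packets:                   0
  Output packets:                  0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

# "Name: 123"; also picks up several pairs on one line ("a: 0, b: 0").
# Section headers such as "ESP Statistics:" have no number and are skipped.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")


def parse_stats(text):
    """Return {counter name: value} for every 'name: number' pair in the output."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}


def delta_stats(before, after):
    """Per-counter increase between two snapshots (negative => SA was rebuilt)."""
    return {name: after.get(name, 0) - value for name, value in before.items()}


def assess(delta, probes_sent):
    """Classify the tunnel from counter deltas for a probe of `probes_sent` packets.

    Returns (verdict, detail).  Thresholds are this example's assumption.
    """
    if any(v < 0 for v in delta.values()):
        return "sa-reset", "counters went backwards; the SA was re-established, take fresh snapshots"

    errors = {k: v for k, v in delta.items()
              if v and (k.endswith("failures") or k.endswith("errors") or k.startswith("Bad"))}
    if errors:
        return "errors", errors

    enc = delta.get("Encrypted packets", 0)
    dec = delta.get("Decrypted packets", 0)
    probe_out = enc >= probes_sent      # at least the probe left via the tunnel
    replies_in = dec >= probes_sent     # at least that many packets came back

    if probe_out and replies_in:
        return "bidirectional", f"encrypted +{enc}, decrypted +{dec}; look at policy/NAT after decryption"
    if probe_out:
        return "outbound-only", f"encrypted +{enc} but decrypted +{dec}; check the far side's return route and policy"
    return "no-traffic", f"encrypted +{enc}; probe is not entering the tunnel, check source IP, route and policy"


def check_tunnel(before_text, after_text, probes_sent):
    """Glue: parse both snapshots, diff them, and return assess()'s verdict."""
    delta = delta_stats(parse_stats(before_text), parse_stats(after_text))
    return assess(delta, probes_sent)


if __name__ == "__main__":
    verdict, detail = check_tunnel(SNAP_BEFORE, SNAP_AFTER, probes_sent=10)
    print(verdict, "-", detail)
```

Run it with a ping count matching the burst you actually sent; a "no-traffic" verdict means the source address is the first thing to check, which is why the reply asks for an explicit source on the 192.168.4.0/23 side.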

