SRX


IPSEC tunnel flapping

  • 1.  IPSEC tunnel flapping

    Posted 06-28-2018 03:10

    Hi,

    Suddenly my IPsec tunnel st interface is flapping. I have also checked by disabling VPN monitor from the remote end, but the issue is still not resolved. I also checked by activating/deactivating the tunnel interfaces.

    Logs are attached:

    Attachment(s): ipsec logs.txt


  • 2.  RE: IPSEC tunnel flapping

    Posted 06-28-2018 03:49

    Hi,

    As per the log, the tunnel went down because the SRX received a delete SA notification message from the peer. You may have to check at the peer side for possible reasons:

    Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared

     



  • 3.  RE: IPSEC tunnel flapping

     
    Posted 06-28-2018 03:54

    Hello,

    What is the peer device?

    Are proxy-ids configured on both sides mirror images of each other?

    Regards,
    Rushi



  • 4.  RE: IPSEC tunnel flapping

    Posted 06-28-2018 04:16

    Remote site logs are also shared below:

    Jun 28 17:23:20   rpd[1398]: EVENT <UpDown> st0.0 index 79 <Broadcast PointToPoint Multicast>
    Jun 28 17:23:20   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-SOORTY from 123.123.123.123 is down. Local-ip: 50.50.50.50, gateway name: gw-soortybd, vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID: 123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
    Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79 <Broadcast PointToPoint Multicast Localup>
    Jun 28 17:23:20   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 -> 10.115.10.1 <Broadcast PointToPoint Multicast Localup>
    Jun 28 17:23:20    IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"
    Jun 28 17:23:20    IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
    Jun 28 17:23:20    IFP trace> ifp_create_tunnel_session: duplicate tunnel session add(st0). skip tunnel session creation
    Jun 28 17:23:20   mib2d[1426]: SNMP_TRAP_LINK_DOWN: ifIndex 584, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
    Jun 28 17:23:35   rpd[1398]: EVENT <UpDown> st0.0 index 79 <Up Broadcast PointToPoint Multicast>
    Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway: 50.50.50.50, Remote gateway: 123.123.123.123, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x9e4d39d0, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
    Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79 <Up Broadcast PointToPoint Multicast>
    Jun 28 17:23:35   kmd[1403]: KMD_PM_SA_ESTABLISHED: Local gateway: 50.50.50.50, Remote gateway: 123.123.123.123, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0xabfd4940, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
    Jun 28 17:23:35   rpd[1398]: EVENT UpDown st0.0 index 79 10.115.10.1 -> 10.115.10.1 <Up Broadcast PointToPoint Multicast>
    Jun 28 17:23:35   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-SOORTY from 123.123.123.123 is up. Local-ip: 50.50.50.50, gateway name: gw-soortybd, vpn name: VPN-SOORTY, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 10.115.10.2, Local IKE-ID: 50.50.50.50, Remote IKE-ID: 123.123.123.123, XAUTH username: Not-Applicable, VR id: 0
    Jun 28 17:23:35    IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"
    Jun 28 17:23:35    IFP trace> ifp_ifl_chg: IFL chg: "st0.0 ifl_id 79"
    Jun 28 17:23:35    IFP trace> ifp_create_tunnel_session: duplicate tunnel session add(st0). skip tunnel session creation
    Jun 28 17:23:35   mib2d[1426]: SNMP_TRAP_LINK_UP: ifIndex 584, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
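
An added example (not part of the thread and not Juniper code) showing how the kmd up/down alarms in a log like the one above can be paired to measure each outage and flag a flapping tunnel. The sample lines are constructed; the VPN name, the addresses, the assumed year and the 3-outages-in-600-seconds threshold are illustrative assumptions.

```python
import re
from datetime import datetime
# kmd alarm lines in the format shown in the post; the hostname field is optional.
ALARM = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?:\S+\s+)?kmd\[\d+\]:\s+"
    r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: VPN (?P<vpn>\S+) from (?P<peer>\S+) is"
)

def parse_alarms(lines, year=2018):
    """Yield (time, vpn, peer, state); syslog omits the year, so it is assumed."""
    for line in lines:
        m = ALARM.match(line.strip())
        if m:
            ts = " ".join(m["ts"].split())
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            yield when, m["vpn"], m["peer"], m["state"]

def outages(lines, year=2018):
    """Pair each DOWN with the next UP for the same (vpn, peer)."""
    down_at, result = {}, []
    for when, vpn, peer, state in parse_alarms(lines, year):
        key = (vpn, peer)
        if state == "DOWN":
            down_at.setdefault(key, when)  # keep the first DOWN if repeated
        elif key in down_at:
            start = down_at.pop(key)
            result.append((vpn, peer, start, (when - start).total_seconds()))
    return result

def is_flapping(events, threshold=3, window_s=600):
    """True if `threshold` outages begin within any window of `window_s` seconds."""
    starts = sorted(e[2] for e in events)
    return any(
        (starts[i + threshold - 1] - starts[i]).total_seconds() <= window_s
        for i in range(len(starts) - threshold + 1)
    )

# Constructed sample (documentation addresses, hypothetical VPN name).
SAMPLE = """\
Jun 28 17:23:20   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is down.
Jun 28 17:23:20   mib2d[1426]: SNMP_TRAP_LINK_DOWN: ifIndex 584, ifName st0.0
Jun 28 17:23:35   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is up.
Jun 28 17:25:10   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is down.
Jun 28 17:25:40   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is up.
Jun 28 17:29:05   kmd[1403]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is down.
Jun 28 17:29:20   kmd[1403]: KMD_VPN_UP_ALARM_USER: VPN VPN-EXAMPLE from 192.0.2.1 is up.
""".splitlines()
if __name__ == "__main__":
    print(outages(SAMPLE), is_flapping(outages(SAMPLE)))
```

Running the same pairing over the logs from both gateways and comparing the outage start times shows which side logs the drop first.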


  • 5.  RE: IPSEC tunnel flapping

    Posted 06-28-2018 04:38

    Hi,

    I think the logs are manipulated. Peer IPs are different in both logs. On one side the tunnel is showing Static type and on the other side it is dynamic.

    If possible, share VPN config from both sides.

     



  • 6.  RE: IPSEC tunnel flapping

    Posted 06-28-2018 05:00

    Config attached. If you need the complete config, please share your email ID and I will share it with you separately.

    Thanks

    Attachment(s): ipsec config.txt