SRX

Expand all | Collapse all

Session timeout SRX1500 to ISG2000

Jump to Best Answer
  • 1.  Session timeout SRX1500 to ISG2000

    Posted 02-21-2018 23:41

    Hello experts,

    We have a desing which involves the IPSec VPN between the SRX1500 firewall and Juniper Netscreen ISG2000. There are multiple LANs behind the SRX1500 and a single LAN behind the ISG2000. Traffic selectors have been configured on SRX with single Tunnel interface while Multiple Proxy-IDs  on the ISG2000 also with single tunnel interface. 

    Now Sometimes one of the LAN's is inaccessible while other LAN's are accessible at the same time. How should i diagnose this? Please help me out. 



  • 2.  RE: Session timeout SRX1500 to ISG2000

     
    Posted 02-22-2018 03:07


  • 3.  RE: Session timeout SRX1500 to ISG2000

     
    Posted 02-22-2018 04:50

    I would remove the traffic selectors on the SRX and proxy-id on the ISG.

     

    Both Junos and ScreenOS by default will connect using open proxy-id pair 0.0.0.0/0 to 0.0.0.0/0

     

    Configure as a route based VPN on both sides.

     

    Then use  static routes to send the desired subnets into the tunnel interface on both sides.

     

     



  • 4.  RE: Session timeout SRX1500 to ISG2000

    Posted 02-22-2018 10:07

    But strange thing is that when a praticular LAN becomes inaccessible that time i login to ISG2000 firewall 

    edit the VPN

    uncheck and recheck replay protection

     

    then the traffic revives

     

    I can't figure out why this is happening?

    Is there any clue to this?



  • 5.  RE: Session timeout SRX1500 to ISG2000

     
    Posted 02-23-2018 03:12

    I have not seen that before.  Is it enabled on both sides?

    Perhaps the configs are out of sync.

     



  • 6.  RE: Session timeout SRX1500 to ISG2000

    Posted 02-11-2019 09:09

    @

     

     

     

     and on ISG2000 the

    Replay protection check box marked.

     

     


    #SRX1500
    #ISG2000


  • 7.  RE: Session timeout SRX1500 to ISG2000
    Best Answer

     
    Posted 02-11-2019 17:31

    Looks like this may be a known issue between SRX and ISG / NS vpn tunnels.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB26671

     

    Seems the recommendation is to turn off replay protection on the SRX side.

     



  • 8.  RE: Session timeout SRX1500 to ISG2000

    Posted 05-07-2019 13:29

    @spuluka 

    Thanks for your help. I have disabled Anti-replay on both sides and now it is working fine.