SRX


IKE security-association won't clear

  • 1.  IKE security-association won't clear

    Posted 17 days ago
    Hi All,

    Hope you're well -

    I have an IKE security association that won't clear and wanted to check next steps.

    I've tried clearing the IKE using the following

    clear security ike security-associations index 2428393

    clear security ike security-associations xxx.xxx.xxx.xxx

    The fact the IKE SA is still present isn't causing issues for the VPN, as this is coming up under a new security association; however, it's more of an admin/tidy device, easy life situation.

    As this is a production firewall, I am hesitant to run restart IPsec-key-management or have the device rebooted; however, if this is what is required, I will schedule a maintenance period.

    Any thoughts would be great 

    Thanks,
    Alex


  • 2.  RE: IKE security-association won't clear

    Posted 17 days ago
    Hi Alex,

    May I know the device model and Junos version? 

    Is your Initiator Cookie changing every time you manually clear the IKE SA? If that's the case, it means the IKE SA is cleared successfully and it is re-initiating the negotiation.

    May I know what you are trying to achieve here?

    ------------------------------
    ***𝑫𝒐 𝒎𝒂𝒓𝒌 𝒕𝒉𝒊𝒔 𝒂𝒏𝒔𝒘𝒆𝒓 𝒂𝒔 𝑺𝒐𝒍𝒗𝒆𝒅, 𝒊𝒇 𝒊𝒕 𝒂𝒅𝒅𝒓𝒆𝒔𝒔𝒆𝒔 𝒚𝒐𝒖𝒓 𝒊𝒔𝒔𝒖𝒆***

    𝕽𝖊𝖌𝖆𝖗𝖉𝖘,
    𝖓𝖔𝖔𝖇 𝖒𝖆𝖘𝖙𝖊𝖗.
    ------------------------------
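
The cookie check described in reply 2, sketched as an added example that is not part of the original thread: it compares two captures of `show security ike security-associations` taken before and after the clear command. The column layout is assumed, and the snapshots, cookies and peer addresses are constructed sample data (only index 2428393 comes from the thread).

```python
import re

# Assumed columns: Index  State  Initiator cookie  Responder cookie  Mode  Remote Address
ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-fA-F]{16})\s+"
    r"(?P<rcookie>[0-9a-fA-F]{16})\s+(?P<mode>\S+)\s+(?P<peer>\S+)\s*$"
)

def parse_ike_sas(text):
    """Return {peer: {initiator_cookie: index}}; header and blank lines are skipped."""
    sas = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sas.setdefault(m["peer"], {})[m["icookie"].lower()] = int(m["index"])
    return sas

def classify(before, after):
    """Label each peer seen before the clear by what happened to its SAs."""
    new_sas = parse_ike_sas(after)
    result = {}
    for peer, old in parse_ike_sas(before).items():
        new = new_sas.get(peer, {})
        if not new:
            result[peer] = "cleared"       # no SA left for this peer
        elif old.keys() & new.keys():
            result[peer] = "stale"         # same initiator cookie survived the clear
        else:
            result[peer] = "renegotiated"  # old SA gone, IKE negotiated a fresh one
    return result

# Constructed sample snapshots (not real device output).
BEFORE = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2428393 UP     3f1c9a7be2d04455  9b0e6d21c8a7f013  Main  203.0.113.10
2428401 UP     77aa10c4d9e3b2f6  0c5d8e1f4a6b7293  Main  198.51.100.7
2428377 UP     a1b2c3d4e5f60718  1827364554637281  Main  192.0.2.44
"""
AFTER = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
2428393 UP     3f1c9a7be2d04455  9b0e6d21c8a7f013  Main  203.0.113.10
2428412 UP     5e6f708192a3b4c5  c0ffee1234567890  Main  203.0.113.10
2428415 UP     d2e4f6081a2c3e50  0011223344556677  Main  198.51.100.7
"""

if __name__ == "__main__":
    for peer, status in classify(BEFORE, AFTER).items():
        print(f"{peer}: {status}")
```

A peer reported as "stale" still holds an SA with its pre-clear initiator cookie, even if a newer SA for the same peer sits beside it.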



  • 3.  RE: IKE security-association won't clear

    Posted 17 days ago
    Hi There, 

    The peer address/device which is the initiator is currently offline, so the initiator cookie isn't changing.

    The model is SRX300 15.1X49-D140.2.

    I'm just trying to ensure that only valid IKE SAs are left on the device and that nothing invalid is hanging about.

    Thanks,
    Alex


  • 4.  RE: IKE security-association won't clear

    Posted 17 days ago
    If that's the case, then I would suggest you deactivate that particular via configuration if you can't afford to reboot or restart the VPN daemon.

    ------------------------------
    ***𝑫𝒐 𝒎𝒂𝒓𝒌 𝒕𝒉𝒊𝒔 𝒂𝒏𝒔𝒘𝒆𝒓 𝒂𝒔 𝑺𝒐𝒍𝒗𝒆𝒅, 𝒊𝒇 𝒊𝒕 𝒂𝒅𝒅𝒓𝒆𝒔𝒔𝒆𝒔 𝒚𝒐𝒖𝒓 𝒊𝒔𝒔𝒖𝒆***

    𝕽𝖊𝖌𝖆𝖗𝖉𝖘,
    𝖓𝖔𝖔𝖇 𝖒𝖆𝖘𝖙𝖊𝖗.
    ------------------------------