SRX

 View Only
last person joined: 19 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

DPD brings down IPSec VPN tunnel, but tunnel does not come up when peer is up again

  • 1.  DPD brings down IPSec VPN tunnel, but tunnel does not come up when peer is up again

    Posted 01-07-2022 05:31
    Hello

    We are running an IPSec VPN tunnel from our SRX cluster (SRX 5400, version 19.4R3.11) to a client network. The tunnel had been up for some months and working without any issues.

    A few days back, the client side peer device was rebooted due to some maintenance activity. As a result, the DPD configured on SRX marked the tunnel down.

    Once the peer device came up, it started initiating connection. However, the SRX did not respond and continued to show the tunnel as down.

    The tunnel came up once I added the "establish-tunnels immediately" command.
    Must mention here that we have a load balancer behind the SRX which is configured to send heartbeats to the remote network, so interesting traffic was present all along.

    Any idea why the SRX did not respond to the peer?
    Also, when interesting traffic was present, why didn't the SRX try to bring up the tunnel itself?

    Here are the config and logs, before I added the "establish-tunnels immediately" command.

    set security ike proposal cust1_ike_phase1_proposal authentication-method pre-shared-keys
    set security ike proposal cust1_ike_phase1_proposal dh-group group2
    set security ike proposal cust1_ike_phase1_proposal authentication-algorithm sha1
    set security ike proposal cust1_ike_phase1_proposal encryption-algorithm aes-128-cbc
    set security ike proposal cust1_ike_phase1_proposal lifetime-seconds 86400
    set security ike policy cust1_ike_phase1_policy mode main
    set security ike policy cust1_ike_phase1_policy proposals cust1_ike_phase1_proposal
    set security ike policy cust1_ike_phase1_policy pre-shared-key ascii-text "$9$yRjlldsijd4okoj;akd4pkkadkp4ZDH.aJAu01kTh2jTLqzF/9tuEcKWLXdVfTQzn90ORESeM82aJUq.F369tOcSlWX7KM"
    set security ike gateway cust1_ike_gw ike-policy cust1_ike_phase1_policy
    set security ike gateway cust1_ike_gw address 200.200.200.200
    set security ike gateway cust1_ike_gw dead-peer-detection always-send
    set security ike gateway cust1_ike_gw dead-peer-detection interval 30
    set security ike gateway cust1_ike_gw dead-peer-detection threshold 5
    set security ike gateway cust1_ike_gw external-interface lo0.1

    set security ipsec proposal cust1_ipsec_phase2_proposal protocol esp
    set security ipsec proposal cust1_ipsec_phase2_proposal authentication-algorithm hmac-sha1-96
    set security ipsec proposal cust1_ipsec_phase2_proposal encryption-algorithm aes-128-cbc
    set security ipsec proposal cust1_ipsec_phase2_proposal lifetime-seconds 86400
    set security ipsec policy cust1_ipsec_phase2_policy perfect-forward-secrecy keys group2
    set security ipsec policy cust1_ipsec_phase2_policy proposals cust1_ipsec_phase2_proposal
    set security ipsec vpn cust1_ipsec_vpn bind-interface st0.1
    set security ipsec vpn cust1_ipsec_vpn ike gateway cust1_ike_gw
    set security ipsec vpn cust1_ipsec_vpn ike proxy-identity local 10.10.10.0/24
    set security ipsec vpn cust1_ipsec_vpn ike proxy-identity remote 192.168.1.1/32
    set security ipsec vpn cust1_ipsec_vpn ike ipsec-policy cust1_ipsec_phase2_policy


    etelmpb@PTPPPFW01> show security ipsec inactive-tunnels index 131075
    node0:
    --------------------------------------------------------------------------
    Location: FPC 0, PIC 3, KMD-Instance 1
    ID: 131075 Virtual-system: root, VPN Name: cust1_ipsec_vpn
    Local Gateway: 100.100.100.100, Remote Gateway: 200.200.200.200
    Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
    Remote Identity: ipv4(any:0,[0..3]=192.168.1.1)
    Version: IKEv1
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
    Port: 500, Nego#: 227, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
    Multi-sa, Configured SAs# 1, Negotiated SAs#: 0
    Tunnel events:
    Thu Dec 30 2021 13:45:50 +1100: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
    Wed Dec 29 2021 17:51:04 +1100: IPSec SA rekey successfully completed (35 times)
    Wed Dec 29 2021 15:58:12 +1100: IKE SA negotiation successfully completed (45 times)
    Sun Dec 12 2021 20:39:51 +1100: IPSec SA negotiation successfully completed (1 times)
    Sat Dec 11 2021 20:57:10 +1100: IPSec SA rekey successfully completed (13 times)
    Sun Dec 05 2021 21:53:12 +1100: IPSec SA negotiation successfully completed (1 times)
    Sat Dec 04 2021 22:10:36 +1100: IPSec SA rekey successfully completed (7 times)
    Wed Dec 01 2021 22:34:53 +1100: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 30 2021 22:52:20 +1100: IPSec SA rekey successfully completed (27 times)
    Wed Nov 17 2021 01:15:54 +1100: No response from peer. Negotiation failed (1 times)
    Tue Nov 16 2021 07:27:29 +1100: IKE SA negotiation successfully completed (30 times)
    Mon Oct 18 2021 14:03:58 +1100: No response from peer. Negotiation failed (3 times)
    Sun Oct 17 2021 20:15:18 +1100: IKE SA negotiation successfully completed (42 times)


  • 2.  RE: DPD brings down IPSec VPN tunnel, but tunnel does not come up when peer is up again

    Posted 07-18-2022 06:14

    Hi, did you have a similar DPD config (interval and treshold) on remote side?

    Try remove  DPD and use vpn-monitor for check ipsec tunnel (if on remote side juniper srx too)



    ------------------------------
    andrii furdyha
    ------------------------------