SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN tunnel needs regular manual restart - how to automate it?

    Posted 11-23-2021 12:27
    Hi all, 

    We are running an IPSec tunnel between an SRX340 cluster (19.4R3.11) and a Checkpoint cluster.

    The thing is that the tunnel fails to send traffic almost every day, even though the SA and the tunnel itself seem to be up, and we have to manually go to the CLI and run "clear security ike security-associations"; then the traffic comes back immediately.

    How could we either reinforce a regular automatic rekey or auto clear the IKE SAs? Any idea?

    Thanks


  • 2.  RE: VPN tunnel needs regular manual restart - how to automate it?

    Posted 11-23-2021 16:19
    This type of problem can occur when the timing parameters for both phase 1 and phase 2 don't exactly match between the two firewalls.  So verify those and make sure only one side has any auto-initiate configuration.

    For your workaround you would create an event policy at whatever interval you want to run the operational command.

    https://www.juniper.net/documentation/en_US/junos/topics/example/junos-script-automation-event-policy-generating-internal-event.html

    Then use that event to trigger running the command at that time as a script.
    https://www.juniper.net/documentation/us/en/software/junos/automation-scripting/topics/concept/automation-configuring-an-event-policy-to-execute-operational-mode-commands.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
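
The workaround described in the reply above, written out as a Junos configuration. This is an added example, not part of the original posts; the names `clear-ike-timer` and `clear-ike-sa` and the 86400-second interval are assumptions to adjust.

```junos
event-options {
    /* Internal timer event, raised every 86400 seconds (interval is an assumption) */
    generate-event {
        clear-ike-timer time-interval 86400;
    }
    /* Policy that reacts to the timer event by running the operational command from the question */
    policy clear-ike-sa {
        events clear-ike-timer;
        then {
            execute-commands {
                /* As written, this clears every IKE SA on the device, not only the Checkpoint peer */
                commands {
                    "clear security ike security-associations";
                }
            }
        }
    }
}
```

Because the command clears all IKE SAs, every VPN terminating on the cluster renegotiates each time the timer fires; appending the peer's address to the command limits the reset to that one tunnel.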