
One-sided IKE SA

  • 1.  One-sided IKE SA

    Posted 01-17-2021 16:48
    I have two SRX firewalls. One is a 320, the other is 345.
    I am trying to configure AutoVPN between them.

    I have found that the IKE SA is up on the hub side.
    The hub has a static Public IP, which is applied with NAT by an upstream device.
    The hub is always the responder.

    On the spoke the SA shows as DOWN. The SA is in this state for a while before clearing itself. It will retry periodically.
    The spoke uses 4G for its connection to the internet, and has a dynamic IP.
    The spoke is always the initiator.

    I've never seen a case where the SA is UP on one side, but DOWN on the other.
    Can anyone offer any suggestions on what might cause this, or how to troubleshoot it?


  • 2.  RE: One-sided IKE SA

     
    Posted 01-17-2021 18:25
    Do you have NAT traversal on in the configuration?
    This is required when the gateway interface address is behind a NAT.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------