  • 1.  One-sided IKE SA

    Posted 01-17-2021 16:48
    I have two SRX firewalls. One is a 320, the other is a 345.
    I am trying to configure AutoVPN between them.

    I have found that the IKE SA is up on the hub side.
    The hub has a static Public IP, which is applied with NAT by an upstream device.
    The hub is always the responder.

    On the spoke the SA shows as DOWN. The SA is in this state for a while before clearing itself. It will retry periodically.
    The spoke uses 4G for its connection to the internet, and has a dynamic IP.
    The spoke is always the initiator.

    I've never seen a case where the SA is UP on one side, but DOWN on the other.
    Can anyone offer any suggestions on what might cause this, or how to troubleshoot it?

  • 2.  RE: One-sided IKE SA

    Posted 01-17-2021 18:25
    Do you have NAT traversal on in the configuration?
    This is required when the gateway interface address is behind a NAT.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)