SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IKE security-association won't clear

    Posted 04-06-2021 04:08
    Hi All,

    Hope you're well -

    I have an IKE security association that won't clear and wanted to check next steps.

    I've tried clearing the IKE SA using the following:

    clear security ike security-associations index 2428393

    clear security ike security-associations xxx.xxx.xxx.xxx

    The fact that the IKE SA is still present isn't causing issues for the VPN, as this is coming up under a new security association; however, it's more of an admin / tidy-device / easy-life situation.

    As this is a production firewall I am hesitant to run restart ipsec-key-management or have the device rebooted; however, if this is what is required, I will schedule a maintenance period.

    Any thoughts would be great.

    Thanks,
    Alex


  • 2.  RE: IKE security-association won't clear

    Posted 04-06-2021 04:52
    Hi Alex,

    May I know the device model and Junos version? 

    Is your Initiator Cookie changing every time you manually clear the IKE SA? If that's the case, it means the IKE SA is cleared successfully and it is re-initiating the negotiation.

    May I know what you are trying to achieve here?

    ------------------------------
    ***Do mark this answer as Solved, if it addresses your issue***

    Regards,
    noob master.
    ------------------------------
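    A small verification helper that applies the reasoning in this reply: compare the IKE SA table before and after a clear, and treat a changed initiator cookie (or index) as a successfully cleared and re-negotiated SA, an unchanged one as an SA that is still hanging around. This is an added example, not code from the thread or from Junos; the two SA tables are constructed in the layout of `show security ike security-associations`, and the peer addresses and cookies are placeholder values.

```python
import re

# Constructed sample output in the layout of
# "show security ike security-associations" (not captured from a real SRX).
BEFORE = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2428393 UP     7e1a2b3c4d5e6f70  0f1e2d3c4b5a6978  Main           192.0.2.10
2431100 UP     11aa22bb33cc44dd  55ee66ff77aa88bb  Main           198.51.100.7
"""
# Same table after "clear security ike security-associations": the first peer
# is offline, so its SA survives unchanged; the second peer re-negotiated.
AFTER = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2428393 UP     7e1a2b3c4d5e6f70  0f1e2d3c4b5a6978  Main           192.0.2.10
2431522 UP     9c9c8d8d7e7e6f6f  a1a1b2b2c3c3d4d4  Main           198.51.100.7
"""

# One SA row: index, state, two 16-hex-digit cookies, mode, remote address.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)")


def parse_ike_sas(text):
    """Map remote address -> (index, initiator cookie, responder cookie, state)."""
    sas = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            index, state, icookie, rcookie, _mode, peer = m.groups()
            sas[peer] = (int(index), icookie, rcookie, state)
    return sas


def classify_clear(before_text, after_text):
    """Per peer: 'renegotiated' if a fresh SA replaced the old one,
    'gone' if no SA remains, 'stale' if the identical SA survived the clear."""
    before, after = parse_ike_sas(before_text), parse_ike_sas(after_text)
    verdicts = {}
    for peer, (index, icookie, _rcookie, _state) in before.items():
        if peer not in after:
            verdicts[peer] = "gone"
        elif after[peer][0] != index or after[peer][1] != icookie:
            verdicts[peer] = "renegotiated"
        else:
            verdicts[peer] = "stale"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in classify_clear(BEFORE, AFTER).items():
        print(f"{peer}: {verdict}")
```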



  • 3.  RE: IKE security-association won't clear

    Posted 04-06-2021 04:58
    Hi there,

    The peer address/device which is the initiator is currently offline, so the initiator cookie isn't changing.

    The model is an SRX300 running 15.1X49-D140.2.

    I'm just trying to ensure that only valid IKE SAs are left on the device and that nothing invalid is hanging about.

    Thanks,
    Alex


  • 4.  RE: IKE security-association won't clear

    Posted 04-06-2021 05:02
    If that's the case, then I would suggest you deactivate that particular via configuration if you can't afford to reboot or restart the VPN daemon.
