SRX


VPN tunnel needs regular manual restart - how to automate it?

  • 1.  VPN tunnel needs regular manual restart - how to automate it?

    Posted 11-23-2021 12:27
    Hi all, 

    We are running an IPSec tunnel from a SRX340 cluster (19.4R3.11) and a Checkpoint cluster.

    The thing is that the tunnel fails to pass traffic almost every day, even though the SA and the tunnel itself appear to be up, and we have to manually log in to the CLI and run "clear security ike security-associations"; then the traffic comes back immediately.

    How could we either reinforce a regular automatic rekey or to auto clear the IKE SA's? Any idea?

    Thanks


  • 2.  RE: VPN tunnel needs regular manual restart - how to automate it?

    Posted 11-23-2021 16:19
    This type of problem can occur when the timing parameters for both phase 1 and phase 2 don't exactly match between the two firewalls.  So verify those and make sure only one side has any auto-initiate configuration.

    For your work around you would create an event policy at whatever interval you want to run the operational command.

    https://www.juniper.net/documentation/en_US/junos/topics/example/junos-script-automation-event-policy-generating-internal-event.html

    Then use that event to trigger running the command at that time as a script.
    https://www.juniper.net/documentation/us/en/software/junos/automation-scripting/topics/concept/automation-configuring-an-event-policy-to-execute-operational-mode-commands.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
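As an added illustration of the work-around described in the reply above (this is not configuration posted in the thread), the following Junos set-style commands wire a self-generated internal event to an event policy that runs the operational command. The event name `ike-sa-reset`, the policy name `reset-ike-sa`, the interval of 14400 seconds (4 hours) and the 02:00 time-of-day alternative are assumptions chosen for the example; adjust them to the interval you actually want.

```junos
# Added example, not from the original post. Names and intervals are assumptions.

# 1. Generate an internal event at a fixed interval (seconds; Junos accepts 60..2592000).
set event-options generate-event ike-sa-reset time-interval 14400

# Alternative to the line above: fire once a day at a quiet hour instead of every N seconds.
# set event-options generate-event ike-sa-reset time-of-day "02:00:00"

# 2. Bind the event to a policy that executes the operational command the poster runs by hand.
set event-options policy reset-ike-sa events ike-sa-reset
set event-options policy reset-ike-sa then execute-commands commands "clear security ike security-associations"

# 3. Commit and confirm the policy is in place.
commit
show configuration event-options
```

Two practical caveats: clearing the IKE SA tears down phase 1 (and with it the child IPsec SAs), so the tunnel is briefly down until IKE renegotiates; pick an interval or time of day when that blip is acceptable. And because this only masks the symptom, keep the first half of the reply in mind: compare the phase 1 and phase 2 lifetimes and the initiator/auto-initiate settings on both the SRX and the Check Point side, since a mismatch there is what the event policy is papering over.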