Hello
We are running an IPSec VPN tunnel from our SRX cluster (SRX 5400, version 19.4R3.11) to a client network. The tunnel had been up for some months and working without any issues.
A few days back, the client-side peer device was rebooted due to some maintenance activity. As a result, the DPD configured on the SRX marked the tunnel down.
Once the peer device came up, it started initiating the connection. However, the SRX did not respond and continued to show the tunnel as down.
The tunnel came up once I added the "establish-tunnels immediately" command.
I must mention here that we have a load balancer behind the SRX which is configured to send heartbeats to the remote network, so interesting traffic was present all along.
Any idea why the SRX did not respond to the peer?
Also, when interesting traffic was present, why didn't the SRX try to bring up the tunnel itself?
Here are the config and logs, before I added the "establish-tunnels immediately" command.
set security ike proposal cust1_ike_phase1_proposal authentication-method pre-shared-keys
set security ike proposal cust1_ike_phase1_proposal dh-group group2
set security ike proposal cust1_ike_phase1_proposal authentication-algorithm sha1
set security ike proposal cust1_ike_phase1_proposal encryption-algorithm aes-128-cbc
set security ike proposal cust1_ike_phase1_proposal lifetime-seconds 86400
set security ike policy cust1_ike_phase1_policy mode main
set security ike policy cust1_ike_phase1_policy proposals cust1_ike_phase1_proposal
set security ike policy cust1_ike_phase1_policy pre-shared-key ascii-text "$9$yRjlldsijd4okoj;akd4pkkadkp4ZDH.aJAu01kTh2jTLqzF/9tuEcKWLXdVfTQzn90ORESeM82aJUq.F369tOcSlWX7KM"
set security ike gateway cust1_ike_gw ike-policy cust1_ike_phase1_policy
set security ike gateway cust1_ike_gw address 200.200.200.200
set security ike gateway cust1_ike_gw dead-peer-detection always-send
set security ike gateway cust1_ike_gw dead-peer-detection interval 30
set security ike gateway cust1_ike_gw dead-peer-detection threshold 5
set security ike gateway cust1_ike_gw external-interface lo0.1
set security ipsec proposal cust1_ipsec_phase2_proposal protocol esp
set security ipsec proposal cust1_ipsec_phase2_proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal cust1_ipsec_phase2_proposal encryption-algorithm aes-128-cbc
set security ipsec proposal cust1_ipsec_phase2_proposal lifetime-seconds 86400
set security ipsec policy cust1_ipsec_phase2_policy perfect-forward-secrecy keys group2
set security ipsec policy cust1_ipsec_phase2_policy proposals cust1_ipsec_phase2_proposal
set security ipsec vpn cust1_ipsec_vpn bind-interface st0.1
set security ipsec vpn cust1_ipsec_vpn ike gateway cust1_ike_gw
set security ipsec vpn cust1_ipsec_vpn ike proxy-identity local 10.10.10.0/24
set security ipsec vpn cust1_ipsec_vpn ike proxy-identity remote 192.168.1.1/32
set security ipsec vpn cust1_ipsec_vpn ike ipsec-policy cust1_ipsec_phase2_policy
etelmpb@PTPPPFW01> show security ipsec inactive-tunnels index 131075
node0:
--------------------------------------------------------------------------
Location: FPC 0, PIC 3, KMD-Instance 1
ID: 131075 Virtual-system: root, VPN Name: cust1_ipsec_vpn
Local Gateway: 100.100.100.100, Remote Gateway: 200.200.200.200
Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
Remote Identity: ipv4(any:0,[0..3]=192.168.1.1)
Version: IKEv1
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
Port: 500, Nego#: 227, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Multi-sa, Configured SAs# 1, Negotiated SAs#: 0
Tunnel events:
Thu Dec 30 2021 13:45:50 +1100: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
Wed Dec 29 2021 17:51:04 +1100: IPSec SA rekey successfully completed (35 times)
Wed Dec 29 2021 15:58:12 +1100: IKE SA negotiation successfully completed (45 times)
Sun Dec 12 2021 20:39:51 +1100: IPSec SA negotiation successfully completed (1 times)
Sat Dec 11 2021 20:57:10 +1100: IPSec SA rekey successfully completed (13 times)
Sun Dec 05 2021 21:53:12 +1100: IPSec SA negotiation successfully completed (1 times)
Sat Dec 04 2021 22:10:36 +1100: IPSec SA rekey successfully completed (7 times)
Wed Dec 01 2021 22:34:53 +1100: IPSec SA negotiation successfully completed (1 times)
Tue Nov 30 2021 22:52:20 +1100: IPSec SA rekey successfully completed (27 times)
Wed Nov 17 2021 01:15:54 +1100: No response from peer. Negotiation failed (1 times)
Tue Nov 16 2021 07:27:29 +1100: IKE SA negotiation successfully completed (30 times)
Mon Oct 18 2021 14:03:58 +1100: No response from peer. Negotiation failed (3 times)
Sun Oct 17 2021 20:15:18 +1100: IKE SA negotiation successfully completed (42 times)
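As an added example (not part of the post above, and not Juniper's code), here is a small audit script that reads the two artefacts the poster pasted, the set-style config and the "Tunnel events" list from `show security ipsec inactive-tunnels`, and reports for each VPN how it is configured to establish (the `establish-tunnels` knob, which the poster later set to `immediately`; it is assumed here that an unset knob behaves as the Junos default, `on-traffic`), the DPD mode and the approximate time DPD needs to declare the peer dead (`interval` x `threshold`), and whether the most recent decisive tunnel event was a DPD-down or a successful IPsec SA negotiation/rekey. The sample input is a constructed, trimmed copy of the poster's own output; running this against a periodic capture of the same CLI commands gives a simple monitor that flags a tunnel that DPD has torn down and that has not renegotiated since.

```python
import re
from datetime import datetime

# Constructed sample input: a trimmed copy of the poster's config and of the
# "Tunnel events" list from 'show security ipsec inactive-tunnels'.
SAMPLE_CONFIG = """\
set security ike gateway cust1_ike_gw dead-peer-detection always-send
set security ike gateway cust1_ike_gw dead-peer-detection interval 30
set security ike gateway cust1_ike_gw dead-peer-detection threshold 5
set security ipsec vpn cust1_ipsec_vpn bind-interface st0.1
set security ipsec vpn cust1_ipsec_vpn ike gateway cust1_ike_gw
"""

SAMPLE_EVENTS = """\
Tunnel events:
Thu Dec 30 2021 13:45:50 +1100: DPD detected peer as down. Existing IKE/IPSec SAs cleared (1 times)
Wed Dec 29 2021 17:51:04 +1100: IPSec SA rekey successfully completed (35 times)
Wed Dec 29 2021 15:58:12 +1100: IKE SA negotiation successfully completed (45 times)
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): "
    r"(?P<msg>.+?) \((?P<count>\d+) times\)$"
)

# Event prefixes that mean the tunnel lost, or (re)gained, a usable IPsec SA.
# An "IKE SA negotiation" event alone only proves phase 1, so it is not an up marker.
DOWN_EVENTS = ("DPD detected peer as down",)
UP_EVENTS = ("IPSec SA negotiation successfully completed",
             "IPSec SA rekey successfully completed")


def parse_events(text):
    """Parse 'Tunnel events' lines into (timestamp, message, count), newest first."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S %z")
            events.append((ts, m.group("msg"), int(m.group("count"))))
    events.sort(key=lambda e: e[0], reverse=True)
    return events


def tunnel_state(events):
    """Classify the tunnel from its most recent decisive event: 'down', 'up' or 'unknown'."""
    for _ts, msg, _count in events:
        if msg.startswith(DOWN_EVENTS):
            return "down"
        if msg.startswith(UP_EVENTS):
            return "up"
    return "unknown"


def parse_set_config(text):
    """Collect per-VPN and per-gateway settings from 'set security ...' lines."""
    vpns, gateways = {}, {}
    for line in text.splitlines():
        m = re.match(r"set security ipsec vpn (\S+) (.*)", line)
        if m:
            name, rest = m.groups()
            vpn = vpns.setdefault(name, {})
            if rest.startswith("establish-tunnels "):
                vpn["establish-tunnels"] = rest.split()[1]
            elif rest.startswith("ike gateway "):
                vpn["gateway"] = rest.split()[2]
            continue
        m = re.match(r"set security ike gateway (\S+) dead-peer-detection (.*)", line)
        if m:
            name, rest = m.groups()
            gw = gateways.setdefault(name, {})
            parts = rest.split()
            if len(parts) == 2:      # "interval N" or "threshold N"
                gw[parts[0]] = int(parts[1])
            else:                    # a mode keyword such as always-send
                gw["mode"] = parts[0]
    return vpns, gateways


def audit(config_text, events_text):
    """Return one finding per VPN: establish mode, DPD settings and current tunnel state."""
    vpns, gateways = parse_set_config(config_text)
    state = tunnel_state(parse_events(events_text))
    findings = {}
    for name, vpn in vpns.items():
        gw = gateways.get(vpn.get("gateway"), {})
        interval, threshold = gw.get("interval"), gw.get("threshold")
        findings[name] = {
            # Assumption: with the knob unset, Junos behaves as establish-tunnels on-traffic.
            "establish": vpn.get("establish-tunnels", "on-traffic (default)"),
            "dpd_mode": gw.get("mode"),
            # Approximate worst-case seconds before DPD declares the peer dead.
            "dpd_detect_seconds": interval * threshold if interval and threshold else None,
            "state": state,
        }
    return findings


if __name__ == "__main__":
    for vpn_name, finding in audit(SAMPLE_CONFIG, SAMPLE_EVENTS).items():
        print(vpn_name, finding)
```

On the poster's data this reports the VPN as `establish: on-traffic (default)`, DPD `always-send` with roughly 150 seconds to detection, and state `down`, which is exactly the combination worth alerting on: the tunnel was torn down by DPD and nothing in the event list shows a later IPsec SA being negotiated.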