We have a design which involves an IPsec VPN between an SRX1500 firewall and a Juniper Netscreen ISG2000. There are multiple LANs behind the SRX1500 and a single LAN behind the ISG2000. Traffic selectors have been configured on the SRX with a single tunnel interface, while multiple proxy-IDs are configured on the ISG2000, also with a single tunnel interface.
Now sometimes one of the LANs is inaccessible while the other LANs are accessible at the same time. How should I diagnose this? Please help me out.
I would start with:
I would remove the traffic selectors on the SRX and the proxy-IDs on the ISG.
Both Junos and ScreenOS by default will connect using the open proxy-ID pair 0.0.0.0/0 to 0.0.0.0/0.
Configure it as a route-based VPN on both sides.
Then use static routes to send the desired subnets into the tunnel interface on both sides.
But the strange thing is that when a particular LAN becomes inaccessible, I log in to the ISG2000 firewall, edit the VPN, uncheck and recheck replay protection, and then the traffic revives.
I can't figure out why this is happening.
Is there any clue to this?
I have not seen that before. Is it enabled on both sides?
Perhaps the configs are out of sync.
It's configured as follows on the SRX1500 end:
"Anti-replay service: counter-based enabled"
and on the ISG2000 the Replay Protection check box is marked.
Looks like this may be a known issue between SRX and ISG/NS VPN tunnels.
Seems the recommendation is to turn off replay protection on the SRX side.
Thanks for your help. I have disabled Anti-replay on both sides and now it is working fine.