Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  NetScreen to SonicWall dropping IPSec Tunnel

    Posted 01-30-2013 09:09

    We are having a strange issue where the connection is estabilished and then 2 minutes later the connection will drop, wait 20 seconds and re-establish. From then on the connection will drop ever 90 seconds and re-establish again after 30 seconds. We have the timeout on the proposals set to 28800, and I have played with the keep-alive/heartbeat settings modifying the hello seconds and the reconnect. Any help would be much appreciated.

     

    Josh Payne


    #timeout
    #ssg140
    #sonicwall
    #Tunnel
    #netscreen


  • 2.  RE: NetScreen to SonicWall dropping IPSec Tunnel
    Best Answer

     
    Posted 01-30-2013 10:02

    sounds as if vpn monitor is turned on. The default vpn monitor setting is proprietary so will not work with other vendors.

     

    Can you try "unset vpn xxx monitor"?

     

    Regards,

    Sam



  • 3.  RE: NetScreen to SonicWall dropping IPSec Tunnel

    Posted 01-30-2013 12:31

    Thanks for the quick reply. I can try that, however will Juniper still try to initiate the connection? We are supposed to be the initiator.

     

    Thanks,

     

    Josh Payne



  • 4.  RE: NetScreen to SonicWall dropping IPSec Tunnel

     
    Posted 01-30-2013 12:37

    the juniper will try to initiate if there's interested traffic.

     

    Another option is to ping a remote ip using the 'trust' or (inside) interface of juniper.

     

    for example:

     

    set vpn <vpn_name> monitor source-interface bgroup0 destination-ip 10.1.1.1 rekey

     PC1---Bgroup0[Juniper]=======VPN======SonicWall(10.1.1.1)-----PC2

     

    Both Bgroup0 and 10.1.1.1 are IP's that are protected by the VPN.

     

    The default "set vpn xxx monitor rekey" uses the IPSec gateway IP addresses, encrypts them in IPsec and forwards to peer.  This only works with other ScreenOS devices.

     

    Hope it makes sense.

     

    Regards,

    Sam



  • 5.  RE: NetScreen to SonicWall dropping IPSec Tunnel

    Posted 01-30-2013 12:50

    Oh, that would make sense to give it something to ping to keep it alive. (duh) I am trying that now.

     

    Thanks,

     

    Josh Payne



  • 6.  RE: NetScreen to SonicWall dropping IPSec Tunnel

    Posted 01-30-2013 12:57

    Well, I realized I didn't have an acceptable ip on my trust interface to communicate with the remote ip. I ended up removing monitor as you stated above and we are working fine without all those annoying critical alarms.

     

    Thanks,

     

    Josh Payne



  • 7.  RE: NetScreen to SonicWall dropping IPSec Tunnel

     
    Posted 01-30-2013 13:04

    glad it's working.

     

    FYI.  for future reference, the vpn monitor setting by default is 10 tries, 10 misses before bringing down the VPN, so around 2minutes.

     

    This setting is configureable and usually is, if quicker 'failover' type of scenario is required.

     

    set vpnmonitor interval xxx
    set vpnmonitor threshold xxx
    
    ssg5-serial-wlan-> get vpnmonitor
    Vpn monitor interval : 10(seconds)
    Vpn monitor threshold: 10
    ssg5-serial-wlan->

     

     

    Regards,

    Sam



  • 8.  RE: NetScreen to SonicWall dropping IPSec Tunnel

    Posted 02-20-2013 02:28

    I'm having the same issue.

    I have no problem to turn off VPN monitor, but I still would prefer to keep the SA active all the time, will it happen or will it become active when no traffic exists? My concern is that there will be short times of packet loss every time the tunnel needs to be brought up again.

    Can I turn off monitor but leave rekey enabled? does it make any sense?

     

    Thanks



  • 9.  RE: NetScreen to SonicWall dropping IPSec Tunnel

     
    Posted 02-20-2013 05:21

    Hi.

     

    there is no option to turn off monitor with rekey enabled.

     

    With VPN monitor off, and there's no traffic, the SA will go inactive once the SA lifetime reaches 0.

     

    Best bet is using monitor pings between protected resources through the tunnnel:

     

       set vpn <vpn_name> monitor source-interface bgroup0 destination-ip 10.1.1.1 rekey

     

     

     

    Regards,

    Sam