Hi all,
I'm scratching my head over an issue with the VPN tunnel. Would really appreciate any help!
Local end is SRX320 and remote is Prisma Access from Palo Alto.
I'm experiencing an issue where the VPN goes down every 50 minutes and comes back up after 30 seconds. The IKE lifetime is set to 28800 and IPSec to 3600, at both ends, so I'm not sure why it is flapping at a 3000-second interval.
In most cases the users experience only a brief hiccup (30 seconds), but sometimes the downtime can be 50 minutes (if the re-establishment went wrong, then it gets rectified 50 min later, I guess).
This cycle has repeated itself every 50 minutes, very regularly, for the last few weeks since we put it in place.
Aug 1 13:15:03 BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA, Local: a.a.a.a/4500, Remote: b.b.b.b/4500, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, VR-ID: 0
Aug 1 13:15:03 BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Local-ip: a.a.a.a, gateway name: IKE-PRISMA, vpn name: VPN-PRISMA, tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
Aug 1 13:15:34 BranchSRX320 kmd[2055]: KMD_PM_SA_ESTABLISHED: Local gateway: a.a.a.a, Remote gateway: b.b.b.b, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x970e48c7, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:
Aug 1 13:15:34 BranchSRX320 kmd[2055]: KMD_PM_SA_ESTABLISHED: Local gateway: a.a.a.a, Remote gateway: b.b.b.b, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x8a003f44, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector: FC Name:
Aug 1 13:15:34 BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up. Local-ip: a.a.a.a, gateway name: IKE-PRISMA, vpn name: VPN-PRISMA, tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Aug 1 13:15:34 BranchSRX320 kmd[2055]: IKE negotiation successfully completed. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA, Local: a.a.a.a/4500, Remote: b.b.b.b/4500, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, VR-ID: 0, Role: Initiator
------------------------------
GRAHAM MIAO
------------------------------
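
Added example (not part of the original post): a small script that measures the flap period and outage length from the `KMD_VPN_DOWN_ALARM_USER` / `KMD_VPN_UP_ALARM_USER` events shown above, so the interval can be compared against the configured lifetimes. The sample lines are constructed in the same format with trimmed fields and invented times, and the `year` parameter is an assumption because the syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Constructed sample lines in the kmd format quoted in the post (fields trimmed).
SAMPLE_LOG = """\
Aug 1 12:25:03 BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Local-ip: a.a.a.a
Aug 1 12:25:33 BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up. Local-ip: a.a.a.a
Aug 1 13:15:03 BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2
Aug 1 13:15:03 BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Local-ip: a.a.a.a
Aug 1 13:15:34 BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up. Local-ip: a.a.a.a
Aug 1 14:05:03 BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Local-ip: a.a.a.a
Aug 1 14:55:04 BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up. Local-ip: a.a.a.a
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kmd\[\d+\]:\s+"
    r"KMD_VPN_(?P<state>DOWN|UP)_ALARM_USER: VPN (?P<vpn>\S+) "
)

def parse_events(text, year=2024):
    """Return (timestamp, vpn, state) for each VPN up/down alarm; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["vpn"], m["state"]))
    return events

def flap_report(events):
    """Per VPN: seconds between consecutive DOWN alarms, and seconds each outage lasted."""
    report, last_down, open_down = {}, {}, {}
    for ts, vpn, state in sorted(events):
        r = report.setdefault(vpn, {"down_intervals": [], "outages": []})
        if state == "DOWN":
            if vpn in last_down:
                r["down_intervals"].append(int((ts - last_down[vpn]).total_seconds()))
            last_down[vpn] = ts
            open_down.setdefault(vpn, ts)  # keep the first DOWN of an unresolved outage
        elif vpn in open_down:
            r["outages"].append(int((ts - open_down.pop(vpn)).total_seconds()))
    return report

if __name__ == "__main__":
    for vpn, r in flap_report(parse_events(SAMPLE_LOG)).items():
        print(vpn, "down-to-down (s):", r["down_intervals"], "outage (s):", r["outages"])
```

Run it over the real messages file to see whether the down-to-down interval is constant and which cycles turn into long outages.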