SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX VPN Flaps at 50 min interval

    Posted 08-01-2023 09:06

    Hi all,

    I'm scratching my head over an issue with the VPN tunnel. Would really appreciate any help!

    Local end is SRX320 and remote is Prisma Access from Palo Alto. 

    I'm experiencing an issue where the VPN goes down every 50 minutes and comes back up after 30 seconds. The IKE lifetime is set to 28800 and the IPSec lifetime to 3600, at both ends, so I'm not sure why it is flapping at a 3000 second interval.

    In most cases the users experience only a brief hiccup (30 seconds), but sometimes the downtime can be 50 minutes (if the re-establishment went wrong, then it gets rectified 50 min later, I guess).

    This cycle has repeated itself every 50 minutes, very regularly, for the last few weeks since we put it in place.

    Aug  1 13:15:03  BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA, Local: a.a.a.a/4500, Remote: b.b.b.b/4500, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, VR-ID: 0
    Aug  1 13:15:03  BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Local-ip: a.a.a.a, gateway name: IKE-PRISMA, vpn name: VPN-PRISMA, tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SAs cleared as corresponding IKE SA deleted
    Aug  1 13:15:34  BranchSRX320 kmd[2055]: KMD_PM_SA_ESTABLISHED: Local gateway: a.a.a.a, Remote gateway: b.b.b.b, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0x970e48c7, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:
    Aug  1 13:15:34  BranchSRX320 kmd[2055]: KMD_PM_SA_ESTABLISHED: Local gateway: a.a.a.a, Remote gateway: b.b.b.b, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x8a003f44, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:  FC Name:
    Aug  1 13:15:34  BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up. Local-ip: a.a.a.a, gateway name: IKE-PRISMA, vpn name: VPN-PRISMA, tunnel-id: 131074, local tunnel-if: st0.2, remote tunnel-ip: Not-Available, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
    Aug  1 13:15:34  BranchSRX320 kmd[2055]: IKE negotiation successfully completed. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA, Local: a.a.a.a/4500, Remote: b.b.b.b/4500, Local IKE-ID: Branch.company.com.au, Remote IKE-ID: prisma.company.com.au, VR-ID: 0, Role: Initiator



    ------------------------------
    GRAHAM MIAO
    ------------------------------


  • 2.  RE: SRX VPN Flaps at 50 min interval

    Posted 08-02-2023 06:12

    The flapping can be caused by some configuration issues to check.

    • Confirm the lifetime figures for both phase 1 and phase 2 match on both sides
    • Verify the proxy ID on the SRX fully matches the tunnel configuration on the remote side. One side having more/fewer entries than the other, or mismatches, can cause flaps
    • Confirm that vpn monitoring on the SRX is not used or if turned on is fully configured correctly and the remote side can respond to icmp
    • If all checks out enable deeper logging

    Related KB with some check options:

    https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/task/srx-troubleshooting-flapping-vpn-tunnel.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: SRX VPN Flaps at 50 min interval

    Posted 08-04-2023 11:48

    Thank you spuluka. Everything matches except for DH Group configurations, and that caused the problem. 



    ------------------------------
    GRAHAM MIAO
    ------------------------------



  • 4.  RE: SRX VPN Flaps at 50 min interval

    Posted 08-02-2023 21:33

    Hello,

    It looks like the IPsec rekey is not happening properly and hence it fails. Ideally the rekey would happen before the lifetime ends.

    It looks like the VPN is established on port 4500, which means there is a NAT device in between. Please verify that the negotiation packets / rekey packets are not dropped in the path and are received on both ends. Also, verify that the rekey is happening on port 4500.

    Regards,

    Brijil 



    ------------------------------
    Brijil R
    ------------------------------



  • 5.  RE: SRX VPN Flaps at 50 min interval

    Posted 11-12-2023 20:02

    I'd like to provide an update for anyone who stumbled upon this post while troubleshooting their VPN issues.

    The problem in this specific case was a configuration mismatch: on Prisma's end PFS is enabled by default (https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/ipsec-vpn-basics/internet-key-exchange-ike-for-vpn/ike-phase-2), and in the IPSec configuration on the SRX this part was missing.

    After adding the PFS config, the problem was gone. 

    The 50 min interval, as I later found out, is when the rekey happens (refer to the soft lifetime explained in the article: [Junos] Multiple SAs (Security Associations) show up for the same VPN (juniper.net)). Because of the missing PFS configuration, the rekey would fail and the tunnel would be brought down completely, and then get re-established.



    ------------------------------
    GRAHAM MIAO
    ------------------------------
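As an added example (not from this thread, the poster, or Juniper), the following Python script turns kmd syslog lines like the ones in the first post into a flap profile: the period between drops, that period as a fraction of the configured IPsec lifetime, the outage length, and whether every drop was immediately preceded by a failed IPsec negotiation, which is the signature of a rekey failure rather than a path outage. The log lines are constructed to mirror the first post, and the lifetime value is assumed to be the 3600 s the poster configured.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample patterned on the kmd lines in the first post (not the poster's log):
# three cycles 3000 s apart, each a failed IPsec negotiation, a down alarm, and up 31 s later.
SAMPLE_LOG = """\
Aug  1 12:25:03  BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA
Aug  1 12:25:03  BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Reason: IPSec SAs cleared as corresponding IKE SA deleted
Aug  1 12:25:34  BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up.
Aug  1 13:15:03  BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA
Aug  1 13:15:03  BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Reason: IPSec SAs cleared as corresponding IKE SA deleted
Aug  1 13:15:34  BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up.
Aug  1 14:05:03  BranchSRX320 kmd[2055]: IPSec negotiation failed with error: Invalid syntax. IKE Version: 2, VPN: VPN-PRISMA Gateway: IKE-PRISMA
Aug  1 14:05:03  BranchSRX320 kmd[2055]: KMD_VPN_DOWN_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is down. Reason: IPSec SAs cleared as corresponding IKE SA deleted
Aug  1 14:05:34  BranchSRX320 kmd[2055]: KMD_VPN_UP_ALARM_USER: VPN VPN-PRISMA from b.b.b.b is up.
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+\S+ kmd\[\d+\]: (.*)$")
KINDS = {"IPSec negotiation failed": "failed",
         "KMD_VPN_DOWN_ALARM_USER": "down",
         "KMD_VPN_UP_ALARM_USER": "up"}

def parse_events(log):
    """Return [(timestamp, vpn_name, kind)] for the failed / down / up kmd lines.
    Syslog stamps carry no year; only deltas are used, so strptime's 1900 default is fine."""
    events = []
    for line in log.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        stamp, msg = m.groups()
        kind = next((k for tag, k in KINDS.items() if tag in msg), None)
        vpn = re.search(r"\bVPN:? (\S+)", msg)   # matches "VPN: NAME Gateway" and "VPN NAME from"
        if kind and vpn:
            events.append((datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S"), vpn.group(1), kind))
    return events

def flap_report(events, vpn, ipsec_lifetime_s, tolerance_s=30):
    """Relate the down/up cycle period of one VPN to its configured IPsec lifetime."""
    pick = lambda kind: [ts for ts, v, k in events if v == vpn and k == kind]
    downs, ups, fails = pick("down"), pick("up"), pick("failed")
    periods = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
    outages = [min((u - d).total_seconds() for u in ups if u >= d) for d in downs if any(u >= d for u in ups)]
    period = median(periods) if periods else None
    return {"period_s": period,
            "periodic": bool(periods) and max(periods) - min(periods) <= tolerance_s,
            "period_over_lifetime": round(period / ipsec_lifetime_s, 2) if period else None,
            "outage_s": outages,
            # a failed negotiation within 1 s before every drop points at rekey, not link loss
            "rekey_failure_before_down": all(any(0 <= (d - f).total_seconds() <= 1 for f in fails) for d in downs)}
```

On the sample the period comes out at 3000 s, about 0.83 of the 3600 s lifetime, with 31 s outages and a failed negotiation before every drop; a run against a real `show log kmd` export that shows this shape is a cue to compare phase 2 proposals (DH group, PFS) before suspecting the path.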