SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Disconnects After 6 Hours

    Posted 05-22-2019 15:27

    Good afternoon folks,

    I'm using the NCP Exclusive Entry client to connect to connect to a VSRX located in AWS.  The VPN works quite well, except it disconnects after 6 hours of use.  Here's my config:

     

    IKE stuff:

    proposal PSK-DH19-AES256-SHA256-L28800 {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
    }

    policy Corios-VPN-IKE-Pol {
    mode aggressive;
    proposals PSK-DH19-AES256-SHA256-L28800;
    pre-shared-key ascii-text REDACTED; ## SECRET-DATA
    }

    gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
    user-at-hostname "itadmins@coriosgroup.com";
    connections-limit 25;
    ike-user-type shared-ike-id;
    }
    dead-peer-detection {
    interval 10;
    threshold 3;
    }
    local-identity inet 52.37.18.20;
    external-interface ge-0/0/1.0;
    aaa {
    access-profile vaorduopxy01;
    }
    version v1-only;
    tcp-encap-profile NCP;
    }

     

    And here's the IPSEC part:

    proposal ESP-AES256-SHA256-L3600 {
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 86400;
    }

    policy Corios-VPN-IPSEC-Pol {
    perfect-forward-secrecy {
    keys group19;
    }
    proposals ESP-AES256-SHA256-L3600;
    }

    vpn Corios-VPN {
    bind-interface st0.9;
    ike {
    gateway Corios-VPN-IKE-GW;
    ipsec-policy Corios-VPN-IPSEC-Pol;
    }
    traffic-selector TS1 {
    local-ip 10.132.3.0/24;
    remote-ip 0.0.0.0/0;
    }
    }

     

    Looking in the logs I see that a renegotiation has been triggered:

     

    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] Triggering the IKE negotiation ....
    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] iked_async_ike_trigger_msg_handler: Triggering IKE negotiation for tunnel-id:67109286 Set traffic trigger flag for sa_cfg:instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] Ignoring request to remote access instance-GT-Corios-VPN_TS1_67109286 config block
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_remove_inactive_sa_cfg_entry: Removing sa-cfg instance-GT-Corios-VPN_TS1_67109286 from inactive list for peer-entry 0x8d24f00
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] In iked_license_report_remote_user_usage Number of REMOTE_ACCESS_IPSEC_VPN_CLIENT license currently used is: 3 and max allowed is: 25
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d24f00 for local 10.132.0.85:4500 remote 50.78.186.13:25668. gw Corios-VPN-IKE-GW, VR id 5 from ID hash table
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_patricia_delete:Peer entry 0x8d24f00 deleted for local 10.132.0.85:4500 and remote 50.78.186.13:25668
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Logout subscriber_id {41030000 00000000}
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Deleting Remote access SA configuration block instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_instance_delink_sa_cfg: processing SA instance-GT-Corios-VPN_TS1_67109286 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Freeing the SA configuration block instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_sa_cfg_free: processing SA 9413e00 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_instance_delink_sa_cfg: processing SA instance-GT-Corios-VPN_TS1_67109286 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_sa_cfg_children_sa_free: processing SA instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Deleted sa_cfg instance-GT-Corios-VPN_TS1_67109286 from the sadb hash tbl
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] In iked_ipsec_sa_config_delete

     

    The local NCP client logs show a disconnection right around the same time:

     

    5/22/2019 2:56:15 PM - INFO - MONITOR: Disconnected
    5/22/2019 2:56:15 PM - INFO - MONITOR: Media=LAN, Tx=63558621 Byte, Rx=246989819 Byte

     

    Based on my understanding of the config, this should happen after 24 hours, not 6.  Clearly I'm missing something here though.  Thanks in advance for your suggestions.

     



  • 2.  RE: VPN Disconnects After 6 Hours

    Posted 05-23-2019 04:12

    Hi,

     

    Does the VPN disconnects for all the users after exact/close-to 6 hours ?

    It is strange as DPD should take care about the inactivity too..

     

    Assist to share VPN logs prior to the "Triggering the IKE negotiation" message.

     

    Also assist to provide the output during the working state:-

    show security ike security-associations index <xxxx> detail

    show security ipsec security-associations <xxxx> detail

    Regards,

    Rahul



  • 3.  RE: VPN Disconnects After 6 Hours

    Posted 05-23-2019 08:22

    Thank you for getting back to me.

    I've connected to the VPN, and here's my IKE security association:

     

    ec2-user@VSRX2> show security ike security-associations index 5433716 detail
    IKE peer 50.78.186.13, Index 5433716, Gateway Name: Corios-VPN-IKE-GW
    Role: Responder, State: UP
    Initiator cookie: e8b87ff25a407004, Responder cookie: 4cfd7eaa01a600db
    Exchange type: Aggressive, Authentication method: Pre-shared-keys
    Local: 10.132.0.85:4500, Remote: 50.78.186.13:14208
    Lifetime: Expires in 28664 seconds
    Reauth Lifetime: Disabled
    IKE Fragmentation: Disabled, Size: 0
    Remote Access Client Info: Exclusive Client
    Peer ike-id: itadmins@coriosgroup.com
    AAA assigned IP: 10.132.3.194
    Algorithms:
    Authentication : hmac-sha256-128
    Encryption : aes256-cbc
    Pseudo random function: hmac-sha256
    Diffie-Hellman group : DH-group-19
    Traffic statistics:
    Input bytes : 2512
    Output bytes : 912
    Input packets: 7
    Output packets: 5
    Input fragmentated packets: 0
    Output fragmentated packets: 0
    IPSec security associations: 1 created, 0 deleted
    Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.132.0.85:4500, Remote: 50.78.186.13:14208
    Local identity: 52.37.18.20
    Remote identity: itadmins@coriosgroup.com
    Flags: IKE SA is created

     

    Here's my IPSEC SA

     

    ec2-user@VSRX2> show security ipsec security-associations index 67109296 detail
    ID: 67109296 Virtual-system: root, VPN Name: Corios-VPN
    Local Gateway: 10.132.0.85, Remote Gateway: 50.78.186.13
    Traffic Selector Name: TS1
    Local Identity: ipv4(0.0.0.0-255.255.255.255)
    Remote Identity: ipv4(10.132.3.194)
    Version: IKEv1
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.9
    Port: 14208, Nego#: 1925, Fail#: 28, Def-Del#: 0 Flag: 0x24608f29
    Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
    Tunnel events:
    Thu May 23 2019 15:13:23: IPSec SA negotiation successfully completed (1 times)
    Thu May 23 2019 15:13:23: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Thu May 23 2019 15:13:00: IKE SA negotiation successfully completed (1 times)
    Direction: inbound, SPI: d2674b17, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 3361 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2803 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: c9677cb1, AUX-SPI: 0
    , VPN Monitoring: -
    Hard lifetime: Expires in 3361 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2803 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

     

    These lifetime values don't match the 86400 I have in the config, so I guess we can see why the VPN is being disconnected.  If anyone has any insight about what I need to change I'll be thankful.



  • 4.  RE: VPN Disconnects After 6 Hours
    Best Answer

    Posted 05-30-2019 09:55

    It turns out that these values can be set on the NCP client, as well as in the Juniper, and the client values override those on the router.  After changing the values to match the duration is now showing as 86400.