SRX – “VPN monitoring” causes IPSec to bounce

7 04 2014

Just making a note here because this will probably trip me up again in the future: I have a customer with a VPN running from an SRX650 on 11.4R9.4 to a variety of other devices. One of these is some kind of Huawei device, and the other a Vyatta router. I’ve no idea what versions or models these are because they’re not under the customer’s control.

I noticed that these two VPNs didn’t appear to be staying up. You could tell from the lifetime of the IPSec security association: it is set in the configuration to 1800 seconds and counts down, and when it gets near zero the SA is renegotiated. In this case, however, the remaining lifetime never dropped much below 1400 seconds before the SA was renegotiated.

You can see this by issuing the command “show security ipsec sa” and looking at the fourth column for the lifetime remaining. If you specify the index number you get more detail, as shown below:

user@LON-SRX650> show security ipsec sa index 12
ID: 12 Virtual-system: root, VPN Name: VPN-1
Local Gateway: x.x.x.x, Remote Gateway: y.y.y.y
Local Identity: ipv4_subnet(any:0,[0..7]=x.x.x.x/24)
Remote Identity: ipv4(any:0,[0..3]=y.y.y.y/24)
Version: IKEv1
   DF-bit: clear
   Policy-name: VPN-1-IN
   Direction: inbound, SPI: c3323457, AUX-SPI: 0
                             , VPN Monitoring: UP
   Hard lifetime: Expires in 1730 seconds
   Lifesize Remaining: Unlimited
   Soft lifetime: Expires in 1366 seconds
   Mode: Tunnel(10 10), Type: dynamic, State: installed
   Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
   Anti-replay service: counter-based enabled, Replay window size: 64
   Direction: outbound, SPI: 9ddc18ae, AUX-SPI:
                              , VPN Monitoring: UP
   Hard lifetime: Expires in 1730 seconds
   Lifesize Remaining: Unlimited
   Soft lifetime: Expires in 1366 seconds
   Mode: Tunnel(10 10), Type: dynamic, State: installed
   Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
   Anti-replay service: counter-based enabled, Replay window size: 64
While looking at the above output I noticed that it said VPN monitoring was on. This isn’t the default, so it must have been enabled by someone. VPN monitoring is a bit like Dead Peer Detection: it periodically tries to determine whether the other end is still there. But it doesn’t necessarily work across vendors.

Looking at the logging I had running, I could see that VPN monitoring was tearing down the connection, probably because the other end was not sending responses:

user@LON-SRX650> show log ike.log | last 30
Apr 7 17:27:14 Hardlife timer started for inbound INSTANCE-VPN-1_0016_0033_0000 with 1800 seconds/0 kilobytes
Apr 7 17:27:14 Softlife timer started for inbound INSTANCE-VPN-1_0016_0033_0000 with 1433 seconds/0 kilobytes
Apr 7 17:27:14 In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 16;SPI-In = 0x1e403f93
Apr 7 17:27:14 Added dependency on SA config blob with tunnelid = 16
Apr 7 17:27:14 Successfully added ipsec SA PAIR
Apr 7 17:27:14 ike_st_o_qm_wait_done: Marking for waiting for done
Apr 7 17:27:14 ike_encode_packet: Start, SA = { 0x0c319301 6d356402 - a5be0fb8 e7458c1c } / b497b3e2, nego = 0
Apr 7 17:27:14 ike_send_packet: Start, send SA = { 0c319301 6d356402 - a5be0fb8 e7458c1c}, nego = 0, dst = y.y.y.y:500, routing table id = 0
Apr 7 17:27:14 ike_send_notify: Connected, SA = { 0c319301 6d356402 - a5be0fb8 e7458c1c}, nego = 0
Apr 7 17:27:14 IPSec negotiation done successfully for SA-CFG INSTANCE-VPN-1_0016_0033_0000 for local:x.x.x.x, remote:y.y.y.y IKEv1
Apr 7 17:27:14 IPSec SA done callback with sa-cfg NULL in p2_ed. status: Error ok
Apr 7 17:27:16 Deleted (spi=0xc3323457, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: VPN monitoring
Note the last line: the SA with that SPI (Security Parameter Index) was deleted because of some problem with VPN monitoring. So it is Junos tearing the connection down, rather than the far end.

Shortly after that I re-issued the command and there was a new SPI value.  The security association had a lifetime remaining of something very close to 1800 seconds.

So I went into the configuration, removed VPN monitoring, and the error messages went away: the SA stayed present for the full 1800 seconds.
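As an added example (not part of the original post), here is a small Python script that turns the two checks above into something you can run over captured output: tallying the “Reason:” field of the ike.log deletion lines, and flagging SPI changes seen across repeated `show security ipsec sa` polls while the old SA still had far more lifetime left than a soft-lifetime rekey would leave. The log lines, SPI values and poll readings are constructed, modelled on the post’s output.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post's ike.log output; the third SPI and
# its "Reason" are invented for contrast and are not real Junos data.
SAMPLE_IKE_LOG = """\
Apr 7 17:27:14 Hardlife timer started for inbound INSTANCE-VPN-1_0016_0033_0000 with 1800 seconds/0 kilobytes
Apr 7 17:27:14 Softlife timer started for inbound INSTANCE-VPN-1_0016_0033_0000 with 1433 seconds/0 kilobytes
Apr 7 17:27:16 Deleted (spi=0xc3323457, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: VPN monitoring
Apr 7 17:34:02 Deleted (spi=0x1e403f93, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: VPN monitoring
Apr 7 17:58:41 Deleted (spi=0x55aa1234, protocol=ESP dst=x.x.x.x) entry from the peer hash table. Reason: constructed-other-reason
"""

DELETED_RE = re.compile(r"Deleted \(spi=(0x[0-9a-f]+), protocol=\w+ dst=\S+\) entry from the peer hash table\. Reason: (.+)$")
TIMER_RE = re.compile(r"(Hardlife|Softlife) timer started for inbound (\S+) with (\d+) seconds")

def deletion_reasons(log_text):
    """Count SA deletions per 'Reason:' so VPN-monitoring teardowns stand out."""
    reasons = Counter()
    for line in log_text.splitlines():
        m = DELETED_RE.search(line)
        if m:
            reasons[m.group(2).strip()] += 1
    return reasons

def lifetimes(log_text):
    """Map each SA name to its configured Hardlife/Softlife seconds from the timer lines."""
    out = {}
    for line in log_text.splitlines():
        m = TIMER_RE.search(line)
        if m:
            out.setdefault(m.group(2), {})[m.group(1)] = int(m.group(3))
    return out

def premature_replacements(polls, hard, soft, margin=60):
    """polls: [(spi, hard_seconds_remaining)] from repeated 'show security ipsec sa' runs.
    A normal soft-lifetime rekey replaces the SPI when hard_remaining ~= hard - soft (367 s
    with the 1800/1433 timers above); an SPI that vanishes with much more left was torn down."""
    rekey_point = hard - soft
    early = []
    for (old_spi, remaining), (new_spi, _) in zip(polls, polls[1:]):
        if old_spi != new_spi and remaining > rekey_point + margin:
            early.append((old_spi, remaining))
    return early

# Constructed polls: two SPIs vanish with ~1400 s left (the post's symptom); the third is
# replaced near the expected rekey point and is therefore healthy.
SAMPLE_POLLS = [("c3323457", 1730), ("c3323457", 1405), ("1e403f93", 1790),
                ("1e403f93", 1410), ("9ddc18ae", 1795), ("9ddc18ae", 360), ("55aa1234", 1798)]
```

Feed the text of `show log ike.log` to `deletion_reasons` and a series of (SPI, hard-lifetime-remaining) readings to `premature_replacements`; with VPN monitoring removed, the second list should come back empty.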

9 responses

7 05 2014
Josip Kralj

The VPN monitor option/feature works only between SRX devices; you should use dead peer detection instead. You should also disable the no-anti-replay option on IKE Phase 2. Only in those cases will your VPN be stable with Vyatta, Cisco ASA or Huawei.
