Useful SRX debugging blog

12 08 2015

Just came across a useful debugging guide for site-to-site IPSec VPNs on Juniper SRX. It is a bit confusing because in steps 2 and 3, where it says [LOCAL PEER IP], it should actually say [REMOTE PEER IP]. But otherwise, this is a very useful set of instructions.

The guide doesn’t mention that you should observe the lifetime of the IKE and IPSec security associations, and also keep an eye on the SA index or ID. If the index number keeps changing, it means your tunnel is going down and coming back up all the time. If the lifetime regularly starts again at the maximum value and does not count down to zero steadily, this indicates the same thing.
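The index and lifetime check described above can be automated once the values from repeated SA listings are collected. The following is an added example, not code from this post or the linked article; the three-column "seconds index lifetime" input format, the sample values and the 300-second rekey margin are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int      # seconds since the first poll
    index: int  # SA index / ID shown by the device
    life: int   # remaining SA lifetime in seconds

def parse(text):
    """Parse constructed 'seconds index lifetime' lines, one poll per line."""
    rows = (line.split() for line in text.strip().splitlines())
    return [Sample(*map(int, r)) for r in rows if r]

def find_flaps(samples, rekey_margin=300):
    """Return (time, reason) for every poll where the SA was replaced early.

    A new index or a lifetime jump is treated as a normal rekey only if the
    old SA had at most rekey_margin seconds left (assumed threshold).
    """
    events = []
    for prev, cur in zip(samples, samples[1:]):
        expected = prev.life - (cur.t - prev.t)  # steady countdown value
        if expected <= rekey_margin:
            continue  # close to expiry: a rekey here is expected
        if cur.index != prev.index:
            events.append((cur.t, "index changed"))
        elif cur.life > prev.life:
            events.append((cur.t, "lifetime reset"))
    return events

# Constructed samples, polled every 60 s (not real device output).
FLAPPING = """
0   7001 28800
60  7001 28740
120 7002 28795
180 7002 28735
240 7003 28790
"""
STABLE = """
0   5001 180
60  5001 120
120 5002 28790
180 5002 28730
"""

if __name__ == "__main__":
    for name, data in (("flapping", FLAPPING), ("stable", STABLE)):
        print(name, find_flaps(parse(data)))
```

The stable sample changes index once, but only when the old SA has about a minute left, so it is not reported; the flapping sample gets a new index twice while almost the full lifetime remains.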

Particularly interesting is the way the author splits out the sections on troubleshooting the packet flow within the VPN, versus the packet flow of the VPN crypto itself. I’ve not used packet-filters in flow debug before, so will definitely be trying that out.

Link to SRX debug article at fir3net.com


