SRX

  • 1.  IPSEC: Tunnel Down Reason: DPD failover Direction: inbound,

    Posted 09-06-2015 22:09

    Hi All,

    Can anyone explain to me what this statement is trying to convey?

    show security ipsec security-associations index XXX

    Tunnel Down Reason: DPD failover
    Direction: inbound,

    Thanks in advance.

    Regards,

    Chandu



  • 2.  RE: IPSEC: Tunnel Down Reason: DPD failover Direction: inbound,

    Posted 09-07-2015 00:14

    Hello Chandu,

    DPD is the mechanism used to verify whether the two peers have active IKE SAs between them or not. In this mechanism, one device sends DPD_R_U_THERE messages and the other device responds with DPD_R_U_THERE_ACK.
    If one of the devices fails to receive the DPD_R_U_THERE_ACK packet for, say, 3 or 4 times (the duration is a configurable parameter), the device marks the Phase 1 and Phase 2 SAs with the peer as down.

    The 'show security ipsec security-association index <XXXXX>' command will show the reason as 'Tunnel Down Reason: DPD failover'.

    DPD can fail for many reasons, such as a problem in the path, DPD misconfiguration, etc.

    Regards,

    Rushi
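    As an added illustration of the configurable probe count and interval Rushi mentions (not part of the original thread; the gateway name gw-branch, the interval and the threshold are assumed values), this is the Junos set-format configuration that enables DPD on an IKE gateway, followed by the operational commands used to confirm the SA state afterwards:

```junos
set security ike gateway gw-branch dead-peer-detection always-send
set security ike gateway gw-branch dead-peer-detection interval 10
set security ike gateway gw-branch dead-peer-detection threshold 3
commit

show security ike security-associations
show security ipsec security-associations index <index>
```

    With these values the SRX sends an R_U_THERE probe every 10 seconds regardless of traffic, and after 3 consecutive unanswered probes it tears down the Phase 1 and Phase 2 SAs, which is when the IPsec SA shows 'Tunnel Down Reason: DPD failover'. Lowering the interval or threshold detects a dead peer sooner but makes the tunnel more sensitive to transient packet loss on the path.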



  • 3.  RE: IPSEC: Tunnel Down Reason: DPD failover Direction: inbound,

    Posted 09-08-2015 01:50

    So do you mean to say that the device on which I'm seeing the statement "Tunnel Down Reason: DPD failover" is the one that has not received an ACK from the peer, crossed the threshold, and then brought down the tunnel?

    Am I correct?

    Regards,

    Chandu



  • 4.  RE: IPSEC: Tunnel Down Reason: DPD failover Direction: inbound,
    Best Answer

    Posted 09-08-2015 01:52

    Hello,

    That is correct.

    Regards,

    Rushi