SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Phase1 keeps renegotiating every minute

    Posted 04-09-2013 14:16

    Hi

    I am working in a lab environment. It's a site-to-site IPsec tunnel between an SRX and an ASA using a policy-based VPN.

    The tunnel comes up and passes traffic fine.

    The Phase 1 lifetime has been set to 86400 sec on both sides.

    But what I see is that Phase 1 is getting renegotiated about every minute.

    Any idea why it's happening?

    ASA:

    crypto ikev1 policy 50
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400

    Lab-FW(config)# sh logg | i PHASE 1
    Apr 09 2013 14:07:19: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:09:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:10:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:11:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:12:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:13:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
    Apr 09 2013 14:14:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED

    SRX:

    [edit security ike proposal Phase1-Proposal]
    sadm@SRX240# show
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;

    % tail -f /var/log/vpn-deb-ike | grep -E 'ISAKMP|ipsec'


    Apr 9 13:05:48 ike_st_o_done: ISAKMP SA negotiation done
    Apr 9 13:06:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
    Apr 9 13:06:48 ssh_ike_connect_ipsec: SA = { 8870310f c14009ed - 54e5473f ef9a0e5a}, nego = 0
    Apr 9 13:06:48 ike_st_o_done: ISAKMP SA negotiation done
    Apr 9 13:07:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
    Apr 9 13:07:48 ssh_ike_connect_ipsec: SA = { 6130ee3f ee227572 - f4fcc8c3 3bfa6470}, nego = 0
    Apr 9 13:07:48 ike_st_o_done: ISAKMP SA negotiation done
    Apr 9 13:08:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
    Apr 9 13:08:48 ssh_ike_connect_ipsec: SA = { 522aac73 6dc7ba4c - bb97ae10 67ec06cf}, nego = 0
    Apr 9 13:08:48 ike_st_o_done: ISAKMP SA negotiation done

    Thanks,

    -Rohan



  • 2.  RE: Phase1 keeps renegotiating every minute
    Best Answer

    Posted 04-10-2013 02:37

    Hello,

    Firstly, you did not post/attach complete logs, which makes troubleshooting difficult if not impossible.

    Secondly, please check if one of the sides sends IKE keepalive/DPD and the other does not respond.

    HTH

    Thanks

    Alex 



  • 3.  RE: Phase1 keeps renegotiating every minute

    Posted 04-10-2013 07:02

    You were right!

    I had to turn off establish-tunnels immediately on the SRX side, and that got the tunnel to stop flapping.

    Thanks a lot!
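A check for the symptom in this thread, added here as an example and not code from the thread or from either vendor: it parses the two log formats posted above (ASA "%ASA-5-713119 ... PHASE 1 COMPLETED" lines and SRX "ike_st_o_done" lines), measures the gaps between Phase 1 completions, and flags them when the median gap is far below the configured 86400-second lifetime. The sample log lines are constructed, and the 10% threshold is an assumption.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample lines in the two formats shown in the thread (not the poster's full logs).
ASA_LOG = """\
Apr 09 2013 14:07:19: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:09:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:10:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
Apr 09 2013 14:11:18: %ASA-5-713119: Group = 10.102.100.115, IP = 10.102.100.115, PHASE 1 COMPLETED
"""
SRX_LOG = """\
Apr 9 13:05:48 ike_st_o_done: ISAKMP SA negotiation done
Apr 9 13:06:48 ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
Apr 9 13:06:48 ike_st_o_done: ISAKMP SA negotiation done
Apr 9 13:07:48 ike_st_o_done: ISAKMP SA negotiation done
"""

# ASA stamps carry the year, SRX syslog-style stamps do not: one regex/strptime pair per format.
FORMATS = {
    "asa": (re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-5-713119: .*PHASE 1 COMPLETED$"),
            "%b %d %Y %H:%M:%S"),
    "srx": (re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ike_st_o_done: ISAKMP SA negotiation done$"),
            "%b %d %H:%M:%S"),
}

def phase1_completions(text, fmt):
    """Timestamps of completed Phase 1 negotiations in log text of format 'asa' or 'srx'."""
    pattern, strp = FORMATS[fmt]
    times = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            # Collapse padded spaces; year-less SRX stamps parse as 1900, fine for intervals.
            times.append(datetime.strptime(" ".join(m.group(1).split()), strp))
    return times

def churn_report(text, fmt, lifetime_seconds, ratio=0.1):
    """Median gap between Phase 1 completions and whether it is far below the lifetime.
    Lifetime-driven rekeys land near lifetime_seconds; a median under ratio * lifetime
    (10% is an assumed threshold) means something else, such as the DPD/keepalive or
    establish-tunnels behaviour discussed in the thread, is forcing renegotiation.
    """
    times = phase1_completions(text, fmt)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return {"completions": len(times), "median_interval": None, "churning": False}
    med = median(gaps)
    return {"completions": len(times), "median_interval": med, "churning": med < ratio * lifetime_seconds}
```

Run it against `show log` output from the ASA or the SRX IKE trace file; a churning result with a 60-second median is the pattern Rohan posted, where the lifetime is not what is driving the rekeys.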