SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SNMP traps for IPSec tunnels

    Posted 09-04-2015 02:48

    Can someone help me with configuring the SRX to send traps when an IPSec tunnel flaps/hangs?

     

    Thank you.

     

     

    Regards,

     

    Kunal A Tupe



  • 2.  RE: SNMP traps for IPSec tunnels
    Best Answer

     
    Posted 09-04-2015 10:25

    Hello Kunal,

     

    You can configure something as below:

     

    show event-options
    policy snmptrap {
        events [ kmd_pm_sa_established kmd_vpn_down_alarm_user ];
        then {
            raise-trap;
        }
    }

     

    * kmd_pm_sa_established - When VPN establishes.
    * kmd_vpn_down_alarm_user - When VPN goes down.

     

    These two logs are seen in 'log messages' provided the facility level of 'daemon' is set.

     

    The following link explains how to configure SNMP on SRX, which includes defining the trap target, permitted clients, etc.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16545

     

    Regards,

    Rushi



  • 3.  RE: SNMP traps for IPSec tunnels

    Posted 09-08-2015 03:12

    Hey Rushi,

     

    Thank you so much for your help. Appreciate it.

     

     

    However, I wanted to know if it would work if the tunnel goes into a hung state, or do we need to configure something else?

     

    Thanks.

     

     

    Regards,

     

    Kunal A Tupe.



  • 4.  RE: SNMP traps for IPSec tunnels

     
    Posted 09-08-2015 03:19

    Hello Kunal,

     

    From the perspective of the SRX, there can be only two possibilities: the tunnel is either down or up.

    So the configuration provided should suffice.

     

    If I understand correctly, what you mean by Hung State is a state where VPN is up but not passing traffic. Is that correct?

    These situations need to be investigated to make sure that they do not happen frequently, as they point to a misconfiguration or an interoperability issue not fixed by a workaround, etc.

     

    Regards,

     

    Rushi



  • 5.  RE: SNMP traps for IPSec tunnels

    Posted 09-08-2015 07:32

    Hi Rushi,

     

    Yes, you are absolutely right. The tunnel shows up but traffic isn't passing.

     

    Is there any way for us to configure RPM and enable traps when it shows down or loses reachability?

     

    Regards,

     

    Kunal A Tupe

     



  • 6.  RE: SNMP traps for IPSec tunnels

     
    Posted 09-08-2015 08:51

    Hello Kunal,

     

    You can configure VPN Monitor to bring the tunnel down if the traffic does not flow through it.

    The following link gives a detailed explanation of the same:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10118&smlogin=true

     

    This will avoid the VPN going into a hung state.

     

    Regards,

     

    Rushi
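
Added example, not part of any post in this thread and not Juniper's own configuration: the event policy from reply 2 combined with the VPN Monitor suggestion from reply 6, so that a tunnel the monitor declares down is reported through the same down event the policy already watches. The VPN name, interfaces, address, and interval/threshold values are assumptions, and the VPN's existing IKE gateway and IPsec policy statements are assumed to be configured already.

```junos
system {
    syslog {
        file messages {
            /* kmd events are logged under the daemon facility (reply 2) */
            daemon info;
        }
    }
}
security {
    ipsec {
        vpn-monitor-options {
            /* seconds between ICMP probes (assumed value) */
            interval 10;
            /* consecutive missed replies before the tunnel is declared down (assumed value) */
            threshold 10;
        }
        /* EXAMPLE-VPN is a hypothetical name for an existing route-based VPN */
        vpn EXAMPLE-VPN {
            bind-interface st0.0;
            vpn-monitor {
                /* hypothetical local interface used as the probe source */
                source-interface ge-0/0/1.0;
                /* hypothetical host behind the peer; it must answer ICMP echo through the tunnel */
                destination-ip 192.0.2.10;
            }
        }
    }
}
event-options {
    policy snmptrap {
        events [ kmd_pm_sa_established kmd_vpn_down_alarm_user ];
        then {
            raise-trap;
        }
    }
}
```

The trap target and permitted clients still have to be defined under the SNMP configuration, as covered in the KB article linked in reply 2.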



  • 7.  RE: SNMP traps for IPSec tunnels

    Posted 09-09-2015 02:02

    Hi Rushi,

     

    Thanks a ton for your help on this. As of now everything seems to be working fine.

    If I need any more assistance on this I shall get back to you.

    Thanks again.

     

     

    Regards,

     

    Kunal A Tupe

     

     



  • 8.  RE: SNMP traps for IPSec tunnels

    Posted 06-15-2016 03:55

    Hi,

     

    The issue still seems to be there. When the tunnel goes into a hung state the packets won't encrypt or decrypt. Once that happens, how will I be able to generate a trap or event? I have been stuck with this for a very long time and JTAC too doesn't have a way to generate a notification. Their only option is vpn-monitor.

     

    Can someone help me out on this?