08-01-2017 01:24 PM
We have an SRX1500 with over a hundred VPN tunnels. Every few nights we get a "IPSec negotiation loop detected with peer, Rejecting negotiation" event on our SA. Users on the remote end notice the network outage for several minutes. I have opened a JTAC case, but they really didn't tell me anything. Said our VPN configurations look good. No other issues with other VPNs on the same box. The only thing that's a bit different than other tunnels is we do specify a remote-identity with this one.
I have not really found anything related to "loop detected" messages in KBs or in the forums. Anybody have any idea what this is?
08-16-2017 03:47 AM
I have seen this between SRX and 3rd party devices when proxy-ids are not configured properly. Per tunnel debugging will give you more information.
>request security ike debug-enable local <local gateway ip> remote <peer gateway ip> level 12
>show log kmd
You can leave it running overnight. It's not CPU intensive.
Try configuring traffic selector and that should resolve it.
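Since the suggestion above is to leave the per-tunnel debug running overnight and then read the kmd log, here is an added example (not from either poster, and not Juniper's own tooling) of post-processing that log: it pulls out every "IPSec negotiation loop detected with peer ... Rejecting negotiation" line, groups events per peer into bursts so you can see how long each outage lasted, and lists peers that loop on more than one night. The sample log lines are constructed, and the syslog-style line layout and the peer address appearing in the message are assumptions made for the example, not a copy of real SRX output; only the quoted message text comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a syslog-like layout. The exact kmd line format and the
# presence of the peer IP in the message are assumptions for this example.
SAMPLE_KMD_LOG = """\
Aug  1 02:13:41 srx1500 kmd[1432]: IKE Phase-2 negotiation started with peer 203.0.113.10
Aug  1 02:13:42 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  1 02:13:47 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  1 02:14:02 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  1 02:17:55 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  1 09:30:12 srx1500 kmd[1432]: IKE Phase-2 SA established with peer 198.51.100.7
Aug  2 02:41:09 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  2 02:41:30 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 203.0.113.10, Rejecting negotiation
Aug  2 11:05:00 srx1500 kmd[1432]: IPSec negotiation loop detected with peer 198.51.100.7, Rejecting negotiation
"""

# Matches only the loop-rejection message quoted in the thread.
LOOP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kmd\[\d+\]: "
    r"IPSec negotiation loop detected with peer (?P<peer>[0-9.]+), Rejecting negotiation$"
)

YEAR = 2017  # syslog timestamps carry no year; taken from the thread's post dates


def parse_loop_events(text, year=YEAR):
    """Return [(datetime, peer_ip), ...] for every loop-rejection line, in file order."""
    events = []
    for line in text.splitlines():
        m = LOOP_RE.match(line)
        if not m:
            continue
        # strptime treats a space in the format as "one or more" whitespace,
        # so the padded day ("Aug  1") parses fine.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("peer")))
    return events


def group_bursts(events, gap=timedelta(minutes=5)):
    """Group each peer's loop events into bursts; a new burst starts when more than
    `gap` has passed since that peer's previous event. Burst length approximates
    how long the tunnel was stuck renegotiating."""
    bursts = []          # list of dicts: peer, start, end, count
    last_for_peer = {}   # peer -> its most recent burst
    for ts, peer in events:
        b = last_for_peer.get(peer)
        if b is not None and ts - b["end"] <= gap:
            b["end"] = ts
            b["count"] += 1
        else:
            b = {"peer": peer, "start": ts, "end": ts, "count": 1}
            bursts.append(b)
            last_for_peer[peer] = b
    return bursts


def recurring_peers(bursts, min_nights=2):
    """Peers whose bursts fall on at least `min_nights` distinct calendar days,
    i.e. the 'every few nights' pattern rather than a one-off."""
    days = defaultdict(set)
    for b in bursts:
        days[b["peer"]].add(b["start"].date())
    return sorted(p for p, d in days.items() if len(d) >= min_nights)


if __name__ == "__main__":
    evs = parse_loop_events(SAMPLE_KMD_LOG)
    for b in group_bursts(evs):
        dur = b["end"] - b["start"]
        print(f"{b['peer']}: {b['count']} loop rejections from {b['start']} "
              f"to {b['end']} (~{int(dur.total_seconds())}s)")
    print("recurring peers:", recurring_peers(group_bursts(evs)))
```

Feed it the saved output of `show log kmd` instead of the constructed sample; peers that come back from `recurring_peers` are the ones whose proxy-id or traffic-selector settings are worth comparing against the remote side first.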