Hi All,
In my lab, I sometimes see 2 pairs of phase 2 security associations for
an IPSec tunnel, when only 1 pair is normally expected. Junos 10.4R6.5.
Here are the details. I clear phase 2 SAs,
[edit]
lab@jsrxA-2# run clear security ipsec security-associations
Just after that,
[edit]
lab@jsrxA-2# run show security ipsec security-associations
Total active tunnels: 0
After a couple of seconds,
lab@jsrxA-2# run show security ipsec security-associations
Total active tunnels: 1
  ID      Gateway          Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <131073 172.18.1.2       500   ESP:3des/md5   bcd656a3  3196/ unlim  -    root
  >131073 172.18.1.2       500   ESP:3des/md5   afcf2625  3196/ unlim  -    root
And then after several more seconds,
[edit]
lab@jsrxA-2# run show security ipsec security-associations
Total active tunnels: 1
  ID      Gateway          Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <131073 172.18.1.2       500   ESP:3des/md5   bcd656a3  3195/ unlim  -    root
  >131073 172.18.1.2       500   ESP:3des/md5   afcf2625  3195/ unlim  -    root
  <131073 172.18.1.2       500   ESP:3des/md5   b3756a59  3200/ unlim  -    root
  >131073 172.18.1.2       500   ESP:3des/md5   394d9218  3200/ unlim  -    root
lab@jsrxA-2# run show security ike security-associations
Index    Remote Address  State  Initiator cookie  Responder cookie  Mode
5782232  172.18.1.2      UP     ce53c45376c56fd3  d12ed14ebe57d245  Main
[edit]
lab@jsrxA-2# run show security ike security-associations detail
IKE peer 172.18.1.2, Index 5782232,
  Role: Initiator, State: UP
  Initiator cookie: ce53c45376c56fd3, Responder cookie: d12ed14ebe57d245
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.18.2.2:500, Remote: 172.18.1.2:500
  Lifetime: Expires in 587 seconds
  Peer ike-id: 172.18.1.2
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input  bytes  : 1072
   Output bytes  : 1516
   Input  packets: 6
   Output packets: 7
  Flags: Caller notification sent
  IPSec security associations: 1 created, 2 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 1837734017
    Local: 172.18.2.2:500, Remote: 172.18.1.2:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done
On the other side of the VPN,
lab@jsrxA-1# run show security ipsec security-associations
Total active tunnels: 1
  ID      Gateway          Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <131073 172.18.2.2       500   ESP:3des/md5   afcf2625  3150/ unlim  -    root
  >131073 172.18.2.2       500   ESP:3des/md5   bcd656a3  3150/ unlim  -    root
  <131073 172.18.2.2       500   ESP:3des/md5   394d9218  3155/ unlim  -    root
  >131073 172.18.2.2       500   ESP:3des/md5   b3756a59  3155/ unlim  -    root
lab@jsrxA-1# run show security ike security-associations detail
IKE peer 172.18.2.2, Index 6071931,
  Role: Responder, State: UP
  Initiator cookie: ce53c45376c56fd3, Responder cookie: d12ed14ebe57d245
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 172.18.1.2:500, Remote: 172.18.2.2:500
  Lifetime: Expires in 545 seconds
  Peer ike-id: 172.18.2.2
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input  bytes  : 996
   Output bytes  : 1072
   Input  packets: 5
   Output packets: 6
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1837734017
    Local: 172.18.1.2:500, Remote: 172.18.2.2:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done
This does not happen every time (usually only 1 pair of SAs is produced).
But I see the above behavior every so often.
The config is a standard route-based VPN, no tricks at all.
Anyone seen the same? Any explanation for that?
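An added example, not part of the original post: a small Python checker that parses `show security ipsec security-associations` output of the shape posted above and flags the condition the poster describes, i.e. a tunnel ID carrying more than one SA per direction. The two samples embedded in it are constructed from the jsrxA-2 and jsrxA-1 snapshots in the post. Two things are assumptions rather than anything the post states: inbound and outbound SAs of one Quick Mode negotiation are paired by equal remaining `Life:sec` within one snapshot, and "the peers agree" is defined as every inbound SPI on one side appearing as an outbound SPI on the other.

```python
import re
from collections import defaultdict

# Constructed samples built from the two snapshots quoted in the post
# (jsrxA-2, then its peer jsrxA-1); both show two ESP SA pairs for tunnel 131073.
JSRXA2 = """\
Total active tunnels: 1
  ID      Gateway          Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <131073 172.18.1.2       500   ESP:3des/md5   bcd656a3  3195/ unlim  -    root
  >131073 172.18.1.2       500   ESP:3des/md5   afcf2625  3195/ unlim  -    root
  <131073 172.18.1.2       500   ESP:3des/md5   b3756a59  3200/ unlim  -    root
  >131073 172.18.1.2       500   ESP:3des/md5   394d9218  3200/ unlim  -    root
"""
JSRXA1 = """\
Total active tunnels: 1
  ID      Gateway          Port  Algorithm      SPI       Life:sec/kb  Mon  vsys
  <131073 172.18.2.2       500   ESP:3des/md5   afcf2625  3150/ unlim  -    root
  >131073 172.18.2.2       500   ESP:3des/md5   bcd656a3  3150/ unlim  -    root
  <131073 172.18.2.2       500   ESP:3des/md5   394d9218  3155/ unlim  -    root
  >131073 172.18.2.2       500   ESP:3des/md5   b3756a59  3155/ unlim  -    root
"""

# One SA row: direction marker glued to the tunnel ID, then whitespace-separated
# columns; the lifetime column is "seconds/ kb" with a space after the slash.
SA_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+"
    r"(?P<mon>\S+)\s+(?P<vsys>\S+)\s*$"
)


def parse_sas(text):
    """Return one dict per SA row; header, totals and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["id"], d["port"], d["life_sec"] = int(d["id"]), int(d["port"]), int(d["life_sec"])
        rows.append(d)
    return rows


def duplicate_sas(rows):
    """Map (tunnel id, direction) -> SPIs for every direction that has more than one SA."""
    by_dir = defaultdict(list)
    for r in rows:
        by_dir[(r["id"], r["dir"])].append(r["spi"])
    return {k: v for k, v in by_dir.items() if len(v) > 1}


def sa_pairs(rows):
    """Group the inbound/outbound SAs of one negotiation by (tunnel id, Life:sec).
    Assumption: both SAs of a pair are installed together and therefore show the
    same remaining lifetime in a single snapshot."""
    pairs = defaultdict(dict)
    for r in rows:
        pairs[(r["id"], r["life_sec"])][r["dir"]] = r["spi"]
    return dict(pairs)


def peers_agree(local_rows, remote_rows):
    """True when every inbound SPI here is an outbound SPI on the peer and vice versa,
    i.e. the extra SA pair is known to both ends rather than stale on one of them."""
    local_in = {r["spi"] for r in local_rows if r["dir"] == "<"}
    local_out = {r["spi"] for r in local_rows if r["dir"] == ">"}
    remote_in = {r["spi"] for r in remote_rows if r["dir"] == "<"}
    remote_out = {r["spi"] for r in remote_rows if r["dir"] == ">"}
    return local_in == remote_out and local_out == remote_in


def report(local_text, remote_text):
    """Human-readable summary of duplicates, pairs and peer consistency."""
    local, remote = parse_sas(local_text), parse_sas(remote_text)
    lines = []
    for (tid, d), spis in sorted(duplicate_sas(local).items()):
        lines.append(f"tunnel {tid} direction {d}: {len(spis)} SAs, SPIs {' '.join(spis)}")
    for (tid, life), pair in sorted(sa_pairs(local).items()):
        lines.append(f"tunnel {tid} pair with {life}s left: in {pair.get('<')} out {pair.get('>')}")
    lines.append("peers agree on SPIs" if peers_agree(local, remote) else "SPI mismatch between peers")
    return lines


if __name__ == "__main__":
    print("\n".join(report(JSRXA2, JSRXA1)))
```

Running it on the two posted snapshots reports two SAs in each direction for tunnel 131073, pairs them as (bcd656a3, afcf2625) and (b3756a59, 394d9218), and confirms that jsrxA-1 holds the same four SPIs with directions swapped, which is what the post shows. Feeding it a snapshot where only one side lists the second pair would instead print the mismatch line, which is the first thing to rule out before suspecting a double Quick Mode negotiation.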