SRX Services Gateway
fahad.khan@gmail.com
Registered: 06-18-2009

VPN Setup - Best practices

Hi Folks,

One of my customers is a banking environment in which an SRX3600 (in cluster) is working as the core device at head office, to which all of the branches (with SSG140) are connected over route-based IPsec VPN. All branches have redundant VPNs, as we normally use dual service providers for redundancy.

Please note we use static routing only.

I have enabled "establish tunnels immediately" and "VPN monitoring optimized" on the SRX side and "VPN monitoring" and "rekey" enabled on the branch (SSG140) side. Is it the correct setup? I am experiencing some problems: sometimes traffic is completely dropped on a particular VPN tunnel, and at that moment what I see is

On SRX side:

Phase 2 = down, Phase 1 = up, st0.x = up

On branch side:

Phase 2 = up, Phase 1 = up, tunnel.x = up

What do you suggest? Should I disable rekey on the SSG140? What are the best practices in such an environment?

Thanks in advance,

regards,

colemtb
Registered: 09-30-2009

Re: VPN Setup - Best practices

Similar to the SRX "security / ipsec / vpn temp / vpn-monitor", is there a destination IP option on the SSG? Sounds like the vpn-monitor on the SSG side isn't up to snuff with what's actually happening on the SRX side. When I do SRX to SRX, since my core is a multipoint secure tunnel and I NEED route awareness, I have destination IPs on both ends pointing to the other side's st0.x interface and can therefore remove routes from the NHTB table if the link goes down. I haven't seen the need for DPD on IKE if timers are set appropriately, but I don't think that would be your issue here.
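The following is an added configuration example, not code from either poster or from Juniper, that puts the settings discussed in both posts side by side: the hub-side options the original question names (establish-tunnels immediately, vpn-monitor optimized), colemtb's suggestion of a vpn-monitor destination-ip that targets the far side's tunnel interface address, and the branch-side SSG140 monitor with rekey. Gateway names, VPN names, interface units, IP addresses and route prefixes are hypothetical; lines beginning with # are explanation and not CLI input.

```junos
# --- SRX3600 hub (Junos set format); one branch VPN shown, second tunnel on st0.2 assumed ---
# Route-based tunnel: Phase 1 gateway, st0.1 with a /30, VPN bound to it
set security ike gateway branch1-gw ike-policy branch-ike-pol
set security ike gateway branch1-gw address 203.0.113.10
set security ike gateway branch1-gw external-interface reth0.0
set interfaces st0 unit 1 family inet address 10.255.1.1/30
set security ipsec vpn branch1-vpn bind-interface st0.1
set security ipsec vpn branch1-vpn ike gateway branch1-gw
set security ipsec vpn branch1-vpn ike ipsec-policy branch-ipsec-pol
set security ipsec vpn branch1-vpn establish-tunnels immediately

# Setting from the original question: optimized monitoring with no destination-ip.
# Probes then go to the peer gateway address and are only sent while the tunnel
# carries outbound but no inbound traffic.
set security ipsec vpn branch1-vpn vpn-monitor optimized

# colemtb's suggestion: probe the far side's tunnel interface address from our
# own st0.1, so a failed probe reflects the tunnel itself and not the WAN path.
set security ipsec vpn branch1-vpn vpn-monitor source-interface st0.1
set security ipsec vpn branch1-vpn vpn-monitor destination-ip 10.255.1.2

# Probe timing is global to all vpn-monitors: 10 s between probes,
# 10 consecutive misses before the tunnel is declared down.
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10

# Static routing only (as in the question): primary via st0.1, backup via st0.2.
set routing-options static route 192.168.1.0/24 qualified-next-hop st0.1 preference 5
set routing-options static route 192.168.1.0/24 qualified-next-hop st0.2 preference 10

# --- SSG140 branch (ScreenOS), matching side for the first tunnel ---
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.1.2/30
set vpn "ho-vpn-1" bind interface tunnel.1
# Monitor the hub's st0.1 address from tunnel.1. "rekey" re-negotiates Phase 2
# when the SA is gone; "optimized" counts inbound tunnel traffic as proof of life
# and only sends pings when the tunnel is otherwise quiet.
set vpn "ho-vpn-1" monitor source-interface tunnel.1 destination-ip 10.255.1.1 optimized rekey
set vpnmonitor interval 10
set vpnmonitor threshold 10
set route 10.0.0.0/8 interface tunnel.1 preference 20
set route 10.0.0.0/8 interface tunnel.2 preference 30

# --- Checks when the symptom from the question appears (Phase 2 down on the hub only) ---
# SRX: compare Phase 1 and Phase 2 SA lists, the st0 link state and the NHTB table
show security ike security-associations
show security ipsec security-associations
show interfaces st0.1 terse
show security ipsec next-hop-tunnels
# SSG: the Phase 2 SA and the monitor status as seen from the branch
get sa
get vpn "ho-vpn-1"
```

The pairing of source-interface and destination-ip is what makes the monitor meaningful for static routing: the hub and the branch each ping the other's tunnel-interface address through the tunnel, so a tunnel that vpn-monitor declares down takes its st0 interface down with it and the qualified-next-hop with the worse preference takes over. Compare the two SA listings above on both boxes at the moment of failure; the question's observation of Phase 2 down on the SRX while the SSG still shows it up is exactly the mismatch the two "show"/"get" commands are meant to expose.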


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.