SRX Services Gateway
Contributor
rebus
Posts: 56
Registered: ‎05-28-2009

VPN Tunnel Active but No SA?

I must be misunderstanding something. I have VPN tunnels configured between a dozen SRX devices, tunnels up and passing traffic.


However, from the CLI, if I key in "show security ike security-associations" the result on some peers is empty, while on others it might show an SA for one or a few tunnels, but not all of them.

In the past when I've done "show security ike security-associations" all of the active tunnels would appear with the index, UP state, cookies, etc.

root@central> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
3604148 UP     54978a9ff616d9e4  26fe75cc10a47055  Aggressive     10.3.11.10

So how can it be that VPN tunnels are UP and actively passing traffic, but there are no SAs shown?

Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012

Re: VPN Tunnel Active but No SA?

Hi,

There is no problem in this. We do not require a phase-1 SA (IKE SA) for the traffic to pass through the tunnel. As long as there is a matching Phase-2 SA (IPsec SA), traffic will go through the tunnel (encrypted and decrypted).

The only thing that happened here is that your IKE SA expired; that's why there is no output in "show security ike security-associations". Once an IKE SA expires, renegotiation will not happen immediately, as it is not required. Renegotiation happens only when your Phase-2 SA also expires. According to the lifetime settings (seconds/KB of data), once your phase-2 SA (IPsec SA) expires, it will trigger the negotiation of a fresh phase-1 SA (IKE) and then a new phase-2 SA; until that time it is not required.

Also, sometimes you will see multiple IPsec SAs for the same VPN. This is also related to lifetime; KB19835 explains this behaviour.

Hope this helps !

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
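The distinction Pradeep draws above (a missing IKE SA is harmless while a Phase-2 SA still exists; only a missing IPsec SA means the tunnel is really down) is easy to get wrong in a monitoring check. The following script is an added example, not code from the thread or from Juniper: it parses constructed samples of both show commands and classifies each expected peer accordingly. The IPsec output layout, the peer list and all SA values are assumptions made for the example.

```python
# Constructed sample of "show security ike security-associations" (only one peer has a Phase-1 SA).
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
3604148 UP     54978a9ff616d9e4  26fe75cc10a47055  Aggressive     10.3.11.10
"""

# Constructed sample of "show security ipsec security-associations"; column layout is assumed,
# '<' and '>' rows are the inbound/outbound SA pair and the last column is the peer gateway.
IPSEC_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 a1b2c3d4 3360/ unlim - root 500 10.3.11.10
  >131073 ESP:aes-cbc-128/sha1 e5f6a7b8 3360/ unlim - root 500 10.3.11.10
  <131074 ESP:aes-cbc-128/sha1 0badf00d 1500/ unlim - root 500 10.3.12.10
  >131074 ESP:aes-cbc-128/sha1 deadbeef 1500/ unlim - root 500 10.3.12.10
"""

# Peers this gateway is configured for (constructed); the third one has no SA of either kind.
EXPECTED_PEERS = ["10.3.11.10", "10.3.12.10", "10.3.13.10"]

def parse_ike_peers(text):
    """Map remote address -> IKE state for each SA row (rows start with a numeric index)."""
    peers = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 6 and fields[0].isdigit():
            peers[fields[-1]] = fields[1]
    return peers

def parse_ipsec_peers(text):
    """Map gateway -> remaining lifetimes in seconds for each IPsec SA row."""
    peers = {}
    for fields in (line.split() for line in text.splitlines()):
        if fields and fields[0][0] in "<>":
            peers.setdefault(fields[-1], []).append(int(fields[3].rstrip("/")))
    return peers

def classify_tunnels(expected, ike_text, ipsec_text):
    """Classify each peer as the answer describes: no IKE SA is fine while a Phase-2 SA exists."""
    ike, ipsec = parse_ike_peers(ike_text), parse_ipsec_peers(ipsec_text)
    report = {}
    for peer in expected:
        if peer not in ipsec:
            report[peer] = ("DOWN", "no Phase-2 SA: tunnel cannot carry traffic")
        elif peer in ike:
            report[peer] = ("UP", "IKE SA %s, IPsec SA %ds left" % (ike[peer], min(ipsec[peer])))
        else:  # IKE SA expired; a new Phase-1 is only negotiated when the Phase-2 SA expires
            report[peer] = ("UP_IKE_EXPIRED", "IPsec SA %ds left, full rekey due then" % min(ipsec[peer]))
    return report
```

Only the DOWN status is worth an alert; UP_IKE_EXPIRED is the normal state the thread describes and should not page anyone.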
Contributor
bobjunga
Posts: 63
Registered: ‎02-29-2012

Re: VPN Tunnel Active but No SA?

I have also seen this behavior. Sometimes the IKE SA for a working tunnel does not show up in the list. I find that if I try again later, it might show up. I wonder if this means that my tunnel is misconfigured and it's going up and down.

I am hoping someone can shed light on this.

--BobG

Contributor
bobjunga
Posts: 63
Registered: ‎02-29-2012

Re: VPN Tunnel Active but No SA?

Thanks Pradeep for the explanation. I had this thread open in my browser for a while before I replied, so I had not seen your answer before I sent my message, or I would not have sent it.

--BobG

Contributor
rebus
Posts: 56
Registered: ‎05-28-2009

Re: VPN Tunnel Active but No SA?

Thanks Pradeep, that answers my question.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.