06-18-2012 06:25 AM - edited 06-18-2012 06:45 AM
I must be misunderstanding something. I have VPN tunnels configured between a dozen SRX devices, tunnels up and passing traffic.
However, from the CLI, if I key in show security ike security-associations, the result on some peers is empty, while on others it might show an SA for one or a few tunnels, but not all of them.
In the past, when I've done show security ike security-associations, all of the active tunnels would appear with the index, UP state, cookies, etc.
root@central> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3604148 UP 54978a9ff616d9e4 26fe75cc10a47055 Aggressive 10.3.11.10
So how can it be that VPN tunnels are UP and actively passing traffic, but there are no SAs shown?
06-18-2012 07:58 AM
There is no problem in this. We do not require a Phase-1 SA (IKE SA) for the traffic to pass through the tunnel. As long as there is a matching Phase-2 SA (IPsec SA), traffic will go through the tunnel (encrypted and decrypted).
The only thing that happened here is that your IKE SA expired; that's why there is no output in "show security ike security-associations". Once an IKE SA expires, renegotiation will not happen immediately, as it is not required. Renegotiation happens only when your Phase-2 SA also expires. According to the lifetime settings (seconds/KB of data), once your Phase-2 SA (IPsec SA) expires, it will trigger the negotiation of a fresh Phase-1 SA (IKE) and then a new Phase-2 SA; until that time it is not required.
Also, sometimes you will see multiple IPsec SAs for the same VPN. This is also related to lifetime; KB19835 explains this behaviour.
Hope this helps !
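The practical check that follows from this answer is to compare the Phase-1 and Phase-2 tables per peer rather than looking at the IKE table alone: a peer with an IPsec SA but no IKE SA is healthy (its IKE SA simply expired), while a peer with no IPsec SA at all is the one that is actually down. The script below is an added example, not code from the thread or from Juniper. The IKE sample line uses the column layout shown in the first post; the IPsec sample is constructed in the style of "show security ipsec security-associations" (assumed columns: ID, Algorithm, SPI, Life:sec/kb, Mon, vsys, Port, Gateway, with "<" inbound and ">" outbound rows), and the peer list, addresses, SPIs and lifetimes are all made up.

```python
"""Cross-check Junos IKE (Phase-1) and IPsec (Phase-2) SA tables per peer.

Added example; not from the thread or from Juniper. The command output
below is constructed: the IKE line copies the layout quoted in the thread,
the IPsec layout is an assumption about that command's columns.
"""
import re

# Constructed sample of 'show security ike security-associations':
# only 10.3.11.10 currently holds an IKE SA.
IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3604148 UP     54978a9ff616d9e4  26fe75cc10a47055  Aggressive  10.3.11.10
"""

# Constructed sample in the style of 'show security ipsec security-associations'
# (assumed columns). 10.3.11.10 and 10.3.12.10 have Phase-2 SAs; the third
# expected peer, 10.3.13.10, has none.
IPSEC_OUTPUT = """\
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 e2cf1a5c 3345/ unlim   -   root 500   10.3.11.10
  >131073 ESP:3des/sha1 8a1b2c3d 3345/ unlim   -   root 500   10.3.11.10
  <131074 ESP:3des/sha1 0f9e8d7c 1120/ unlim   -   root 500   10.3.12.10
  >131074 ESP:3des/sha1 6b5a4f3e 1120/ unlim   -   root 500   10.3.12.10
"""

# Constructed list of peers the operator expects to be up.
EXPECTED_PEERS = ["10.3.11.10", "10.3.12.10", "10.3.13.10"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

IKE_ROW = re.compile(
    r"\s*\d+\s+(\S+)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+\S+\s+(" + IPV4 + r")\s*$")
IPSEC_ROW = re.compile(
    r"\s*[<>]\d+\s+\S+\s+[0-9a-f]+\s+(\d+)/\s*\S+\s+\S+\s+\S+\s+\d+\s+(" + IPV4 + r")\s*$")


def parse_ike(text):
    """Return {remote_address: state} for every IKE SA row."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            sas[m.group(2)] = m.group(1)
    return sas


def parse_ipsec(text):
    """Return {gateway: lowest remaining lifetime in seconds} over its SA rows."""
    life = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            secs, gw = int(m.group(1)), m.group(2)
            life[gw] = min(secs, life.get(gw, secs))
    return life


def classify(ike, ipsec, expected_peers):
    """Label each expected peer.

    'up'              Phase-1 and Phase-2 SAs both present
    'up-ike-expired'  Phase-2 SA present, Phase-1 absent: traffic still
                      flows; IKE is renegotiated when the Phase-2 SA expires
    'down'            no Phase-2 SA: the tunnel is not passing traffic
    """
    result = {}
    for peer in expected_peers:
        if peer in ipsec:
            result[peer] = "up" if ike.get(peer) == "UP" else "up-ike-expired"
        else:
            result[peer] = "down"
    return result


def report(ike_text=IKE_OUTPUT, ipsec_text=IPSEC_OUTPUT, peers=EXPECTED_PEERS):
    """Print one line per peer and return the classification."""
    ike, ipsec = parse_ike(ike_text), parse_ipsec(ipsec_text)
    status = classify(ike, ipsec, peers)
    for peer in peers:
        secs = ipsec.get(peer)
        extra = f" (Phase-2 lifetime left: {secs}s)" if secs is not None else ""
        print(f"{peer:<15} {status[peer]}{extra}")
    return status


if __name__ == "__main__":
    report()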
06-18-2012 08:15 AM
I have also seen this behavior. Sometimes the IKE SA for a working tunnel does not show up in the list. I find that if I try again later, it might show up. I wonder if this means that my tunnel is misconfigured and it's going up and down.
I am hoping someone can shed light on this.
06-18-2012 08:18 AM
Thanks Predeep for the explanation. I had this thread open in my browser for a while before I replied, so I had not seen your answer before I sent my message or I would not have sent it.