Screen OS

  • 1.  SSG to Azure VPN - routes revalidated on reconnect

    Posted 06-24-2015 08:08

    I set up a site-to-site VPN from an SSG140 to Microsoft Azure, using the config they provide.

    The VPN tunnel connects and works fine, but every hour when the VPN is renegotiated, all routes in the SSG are revalidated. I see tons of messages in the logs about session routes being invalid, then they're valid again.

    I have about a half dozen other site-to-site VPNs active and none of them were causing this to happen. It's not really an issue but the log spam is annoying and I feel it's not necessary to recheck all the session routes like this.

    Can anyone give me a pointer as to what setting might be causing this? I assume there's something in the VPN config that is forcing a recheck of routing on all active sessions.



  • 2.  RE: SSG to Azure VPN - routes revalidated on reconnect

    Posted 06-24-2015 17:36

    Can you post the link to the sample configuration?

    Is the routing on this tunnel using the same method as your other tunnels?

    Is this static or using BGP?



  • 3.  RE: SSG to Azure VPN - routes revalidated on reconnect

    Posted 06-26-2015 09:34

    I'll post the "stock" config they provide below.

    It's just a static site-to-site VPN, and I have static routing for everything. Nothing fancy.

    One difference I notice is that this one uses proxy-ID, whereas the other VPN tunnels I use do not. Don't know if that's related.

    ~~~~~~~~~~~~~~~~~~~~~~

    Azure provided SSG config:

    ~~~~~~~~~~~~~~~~~~~~~~

    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip unnumbered interface <NameOfYourOutsideInterface>
    set route <RemoteNetworkHere> interface tunnel.1

    set ike p1-proposal azure-proposal preshare group2 esp aes256 sha-1 seconds 28800
    set ike gateway azure-gateway address <AzureRemoteGatewayIPHere> main outgoing-interface <NameOfYourOutsideInterface> preshare <PreShareKeyHere> proposal azure-proposal
    set ike gateway azure-gateway dpd-liveness interval 10

    set ike p2-proposal azure-ipsec-proposal no-pfs esp aes256 sha-1 seconds 3600
    set vpn azure-ipsec-vpn gateway azure-gateway tunnel idletime 0 proposal azure-ipsec-proposal
    set vpn azure-ipsec-vpn monitor optimized rekey
    set vpn azure-ipsec-vpn proxy-id local-ip <LocalNetworkHere> remote-ip <RemoteNetworkHere> "ANY"
    set vpn azure-ipsec-vpn bind interface tunnel.1


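An added example, not from the thread and not Juniper's or Microsoft's code: a small Python reviewer that parses the ScreenOS `set` lines posted above, resolves the VPN object to its Phase 2 proposal and, through the IKE gateway, to its Phase 1 proposal, and reports the settings a defender checks on such a tunnel (proxy-id present, `monitor optimized rekey`, the 3600-second Phase 2 lifetime behind the hourly renegotiation, `no-pfs`, and the `group2` DH group). The config names and angle-bracket placeholders are taken from the posted snippet; the sample is constructed.

```python
# Constructed sample: the Azure-provided ScreenOS lines quoted above; placeholders kept as posted.
SAMPLE_CONFIG = """
set ike p1-proposal azure-proposal preshare group2 esp aes256 sha-1 seconds 28800
set ike gateway azure-gateway address <AzureRemoteGatewayIPHere> main outgoing-interface <NameOfYourOutsideInterface> preshare <PreShareKeyHere> proposal azure-proposal
set ike gateway azure-gateway dpd-liveness interval 10
set ike p2-proposal azure-ipsec-proposal no-pfs esp aes256 sha-1 seconds 3600
set vpn azure-ipsec-vpn gateway azure-gateway tunnel idletime 0 proposal azure-ipsec-proposal
set vpn azure-ipsec-vpn monitor optimized rekey
set vpn azure-ipsec-vpn proxy-id local-ip <LocalNetworkHere> remote-ip <RemoteNetworkHere> "ANY"
"""

def parse_screenos(text):
    """Index 'set ike p1-proposal/p2-proposal/gateway' and 'set vpn' lines by object name."""
    p1, p2, gw, vpn = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "set":
            continue
        if t[1] == "ike":
            table = {"p1-proposal": p1, "p2-proposal": p2, "gateway": gw}.get(t[2])
            if table is not None:
                table.setdefault(t[3], []).extend(t[4:])  # several lines may extend one gateway
        elif t[1] == "vpn":
            vpn.setdefault(t[2], []).append(t[3:])  # one statement list per 'set vpn NAME ...'
    return p1, p2, gw, vpn

def after(tokens, key):
    """Token following a keyword (e.g. 'seconds 3600' -> '3600'), or None if absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None

def review_vpn(text, name):
    """Resolve vpn -> p2 proposal and vpn -> gateway -> p1 proposal, then flag weak settings."""
    p1, p2, gw, vpn = parse_screenos(text)
    stmts = vpn.get(name, [])
    gw_stmt = next((s for s in stmts if s[0] == "gateway"), [])
    p2t = p2.get(after(gw_stmt, "proposal"), [])
    p1t = p1.get(after(gw.get(gw_stmt[1] if len(gw_stmt) > 1 else None, []), "proposal"), [])
    sec = after(p2t, "seconds")
    r = {"proxy_id": any(s[0] == "proxy-id" for s in stmts),
         "monitor_rekey": any(s[0] == "monitor" and "rekey" in s for s in stmts),
         "pfs": "no-pfs" not in p2t,                      # Phase 2 lifetime drives the hourly rekey
         "p2_lifetime": int(sec) if sec else None,
         "p1_dh_group": next((x for x in p1t if x.startswith("group")), None), "findings": []}
    if not r["proxy_id"]:
        r["findings"].append("no proxy-id: non-Juniper peers often need it for Phase 2 to match")
    if not r["pfs"]:
        r["findings"].append("no-pfs: IPsec keys derive from the IKE SA keying material; enable PFS")
    if r["p1_dh_group"] == "group2":
        r["findings"].append("group2 (1024-bit MODP) Phase 1 DH is weak; prefer group14 or larger")
    return r
```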

  • 4.  RE: SSG to Azure VPN - routes revalidated on reconnect
    Best Answer

    Posted 06-26-2015 15:12

    Generally I have had to use proxy id for route based tunnels to come up at all with non-Juniper partners. I would add them to the configuration. It might be possible that this is why the tunnel goes down on the hourly renegotiation.

    Are there other messages besides the route refresh?



  • 5.  RE: SSG to Azure VPN - routes revalidated on reconnect

    Posted 07-01-2015 06:46

    Thanks for the replies, Steve.

    I do have proxy-id enabled for the tunnel; I followed their suggested configuration.

    In the end, my company decided to not use Azure, so I'll be tearing down this configuration. So while this isn't technically 'solved', I consider the issue closed.

    Thanks as always for your insights.