Screen OS

  • 1.  User connections drop during VPN Phase 2 renegotiation

    Posted 12-13-2008 07:14

    We are currently using the default phase 2 lifetime of 3600 seconds for route based site to site vpn between an SSG 20 with both Cisco and NS-5GT on the other end of the tunnels. If we have open user connections (for example a database client application), those connections get dropped during the phase 2 renegotiation. User connections will drop even if they are only momentarily idle.

     

    We are using vpn monitors on the Juniper devices.

     

    A longer lifetime only helps a little bit because I can't control exactly when phase 2 will expire and renegotiate. It always has the potential to drop a user connection.



  • 2.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-14-2008 06:06

    Dear fellow,

     

    Don't use VPN monitor and try.

     

    regards,



  • 3.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-14-2008 07:33

    Hi,

     

    A site-to-site VPN "always up" connection means the VPN is not established only when traffic has to pass through the VPN? Can you explain your query?

     

    Thanks



  • 4.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-14-2008 17:20

    I have tried with no VPN monitor. User connections still drop.

     

    As for explaining the problem, let me try again:

     

    If a user behind the firewall has a client/server connection such as SSH or a database client program open to a system on the other end of the VPN, that connection will get dropped when the IKE Phase 2 lifetime expires and the two routers renegotiate.  If the user connection is actively sending data, then maybe it will survive, but if it is idle for a short time before the phase 2 expiration, it will get dropped.  This never happened when we had Cisco to Cisco tunnels. Users could leave things open all day and they would not drop.

     

    By using 'get session src-ip x.x.x.x' before and after the phase 2 renegotiation, the session is there before, but gone afterward.

     

    You can't be saying that sessions must be ALWAYS sending data in order to not get dropped! You never know exactly when the phase 2 lifetime will end and there is always some amount of idle time in a session. This can't be right.

     

    Maybe it's a Cisco interoperability issue, but the same thing happens between the SSG-20 (v6.1) and an NS-5GT (v4.0).



  • 5.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-15-2008 08:16

    Hi,

     

    It sounds to me as if this must be some kind of timeout, as the SA establishes but fails after time.

    Here are a couple of things to look at:

     

    • Try to disable PFS on both sides and see if that works
    • Are the Phase 2 SA lifetimes the same
    • Is there a packet defragmentation problem

     

    I hope something here leads you to the answer.

     

    Regards

     

    Gavrilo



  • 6.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-15-2008 09:19

    • Try to disable PFS on both sides and see if that works

    We might have something here... Our Cisco to Cisco tunnels did not use PFS. I'll try it.

     

     


    • Are the Phase 2 SA lifetimes the same

     Yes, they are. You don't say if they should be. As far as I know, it is correct for them to be the same.

     

     


    • Is there a packet defragmentation problem

    I don't know what would indicate a problem. 'get sa stat' shows zeros in the Fragment column for the SSG to Cisco tunnels, so I guess not.

     



  • 7.  RE: User connections drop during VPN Phase 2 renegotiation
    Best Answer

    Posted 12-15-2008 13:52

    OK, it was a rookie mistake. I'm new to Juniper and was unaware that the device had default timeouts for common services. Never seen a router do that before! My Google searches were too focused on possible VPN related causes. But in my defense, I did try to Google for generic session timeout info and found nothing except references to admin sessions. It was finally the 'time' entry in 'get session' that led me to dig deeper.

     

    The solution was as simple as:

     

    set service ssh timeout never

     

    And create custom service entries for our database server port.

     

    Not at all VPN related. But thanks for trying!

     

     

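    The fix described in the post above, written out as an added ScreenOS configuration example that is not from the original thread: the database port 1521, the policy IDs and the client address 10.0.0.5 are placeholders I made up, and the policies assume the route-based tunnel interface sits in the Untrust zone.

```screenos
set service ssh timeout never

set service "DB-1521" protocol tcp src-port 0-65535 dst-port 1521-1521 timeout never

set policy id 10 from "Trust" to "Untrust" "Any" "Any" "DB-1521" permit
set policy id 11 from "Untrust" to "Trust" "Any" "Any" "DB-1521" permit

get service "DB-1521"
get session src-ip 10.0.0.5
```

    The custom service is referenced explicitly in the policy so its timeout, rather than the default TCP timeout, governs the session; the 'time' column of 'get session' shows the remaining idle time, so checking it before the drop confirms which timeout is firing. 'timeout never' keeps idle sessions in the session table until the client closes them, so a long finite timeout combined with application keepalives is the more conservative choice.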


  • 8.  RE: User connections drop during VPN Phase 2 renegotiation

    Posted 12-17-2008 02:14

    B****r! I didn't think of that... maybe I am a bit of a rookie as well.

     


    • Are the Phase 2 SA lifetimes the same

     Yes, they are. You don't say if they should be. As far as I know, it is correct for them to be the same.

     

    ----------------------------------------------------------------------------------------------------------------------------------

     

    As I think you surmised, yes, they should be the same.

     

     


    • Is there a packet defragmentation problem

    I don't know what would indicate a problem. 'get sa stat' shows zeros in the Fragment column for the SSG to Cisco tunnels, so I guess not.

     

    ----------------------------------------------------------------------------------------------------------------------------------

     

    Makes sense to me

     

     

    Glad you were able to find it.

     

    Regards

     

    Gavrilo