ScreenOS Firewalls (NOT SRX)
Visitor
howler
Posts: 7
Registered: ‎10-21-2008

VPN drops every 60 seconds

I have a policy-based VPN set up between two SSG 140s.

It would seem that the connection is dropping every 60 seconds. It comes straight back up, but I would rather it didn't drop at all.

I am sure it must be a timeout issue, or something keeps re-negotiating, because it reliably happens every 60 seconds.

Can anyone help?

Thanks
Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: VPN drops every 60 seconds

Hi,

A couple of things:

Check your logs for more information and, if possible, post the relevant section on here. Check that your Phase 1 and Phase 2 lifetimes match at each end, and the one that has got me a couple of times is: check the service timeout.

Regards

Gavrilo

Visitor
howler
Posts: 7
Registered: ‎10-21-2008

Re: VPN drops every 60 seconds

The odd thing is that the logs don't actually report it going down, but if you leave a remote desktop connection open, it reconnects itself every 60 seconds.

Can you tell me where I will find the Phase 1 and 2 lifetimes and the service timeout? I'm using WebUI.

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: VPN drops every 60 seconds

Hi,

I don't have a great deal of time free at the moment and don't use WebUI, so I will have to find some suitable screenshots from the web. I will try to get back to this later today once I have cleared some other work, but take a look at the stuff below, which should help:

The most important thing to remember is that both ends of the VPN have to share the same encryption settings. The following is a list of which VPN settings must be set the same on both ends of the tunnel. These settings are for both route-based and policy-based VPNs.

Phase 1 key management protocol—for example, IKE
Phase 1 encryption algorithm to encrypt the key—for example, DES, 3DES, AES, or CAST
Phase 1 hash/authentication algorithm—for example, SHA1 or MD5
Phase 1 authentication—for example, PRE-SHARED SECRET or CERTIFICATE
Phase 1 mode—for example, MAIN or AGGRESSIVE
Phase 2 encryption algorithm to encrypt the data—for example, DES, 3DES, AES, or CAST
Phase 2 hash/authentication algorithm—for example, SHA1 or MD5
Phase 2 Perfect Forward Secrecy—for example, YES-GROUP1, YES-GROUP2, YES-GROUP5, or NO
Outgoing interface of the VPN tunnel
Encryption domain

The Event log contains VPN events. When troubleshooting a VPN on a Juniper firewall, keep an eye on the Event log for PKI (public-key infrastructure) events. The following debug commands can be useful when troubleshooting Phase 1 issues:

get ike cookie - This will display all completed Phase 1 negotiations.
debug flow basic - This will enable debugging.
debug ike - This will enable detailed VPN debug logs with an emphasis on Phase 1 of the communication.
debug sa - This will turn on a debug with an emphasis on Phase 2 of the VPN setup.
clear ike - This will force a VPN tunnel to renegotiate. It will clear Phase 1 and Phase 2 for the specified tunnel.

Troubleshooting commands useful for Phase 2 issues are shown next:

get sa active - This will display all completed Phase 2 negotiations.
unset ike policy-checking - This will tell the firewall to ignore the policy and allow all routed traffic through the VPN.

Policy Based VPN

The following are some common issues regarding policy-based VPNs:

Policies are in the wrong order. Remember the rule base is parsed from top to bottom.
Missing a rule in the other direction. VPN policies require a rule to allow inbound as well as outbound traffic.
Wrong VPN tunnel is selected. Double-check the address book entries and the VPN tunnel selected.
Policy is in the wrong zone. Make sure the traffic going into the VPN is allowed by a policy.

Regards

Gavrilo
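The checklist in the post above can be turned into a mechanical comparison of the two ends. The script below is an added example, not code from the thread or from Juniper: the dictionary keys, the proposal tuples (Phase 1 as encryption, hash, DH group; Phase 2 as encryption, hash), and the two sample sites are constructed for illustration, and it also compares the Phase 1 and Phase 2 SA lifetimes that the earlier reply asked about.

```python
"""Check the two ends of a ScreenOS VPN against the 'must match' checklist.
Added example, not from the thread or from Juniper: the dictionary layout,
the proposal tuples and the two sample sites are constructed.  Lifetimes are
in seconds."""

# Settings that must be identical on both peers (the post's checklist plus
# the Phase 1 / Phase 2 SA lifetimes).
MUST_MATCH = [
    "p1_mode",       # MAIN or AGGRESSIVE
    "p1_auth",       # PRESHARED or CERTIFICATE
    "p1_lifetime",   # Phase 1 SA lifetime, seconds
    "p2_pfs",        # NO, GROUP1, GROUP2 or GROUP5
    "p2_lifetime",   # Phase 2 SA lifetime, seconds
]

# Each peer may offer several proposals; the ends need at least one in common
# per phase.  Phase 1 proposals are (encryption, hash, dh_group), Phase 2
# proposals are (encryption, hash); both are constructed representations.
PROPOSAL_SETS = ["p1_proposals", "p2_proposals"]


def check_vpn_pair(local, remote):
    """Return a list of mismatch descriptions; an empty list means every item
    on the checklist agrees."""
    problems = []
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            problems.append(
                f"{key}: local={local.get(key)!r} remote={remote.get(key)!r}")
    for key in PROPOSAL_SETS:
        if not set(local.get(key, ())) & set(remote.get(key, ())):
            problems.append(f"{key}: no proposal offered by both ends")
    # Encryption domain (proxy-ID): the local network on one end must be the
    # remote network on the other, in both directions.
    if local["local_net"] != remote["remote_net"]:
        problems.append(
            f"proxy-id: local net {local['local_net']} is not the remote's "
            f"remote net {remote['remote_net']}")
    if local["remote_net"] != remote["local_net"]:
        problems.append(
            f"proxy-id: remote net {local['remote_net']} is not the remote's "
            f"local net {remote['local_net']}")
    return problems


# Constructed sample: site B uses a different Phase 1 lifetime and offers no
# Phase 2 proposal that site A also offers.
SITE_A = {
    "p1_mode": "MAIN", "p1_auth": "PRESHARED", "p1_lifetime": 28800,
    "p1_proposals": {("3DES", "SHA1", 2), ("AES128", "SHA1", 2)},
    "p2_pfs": "GROUP2", "p2_lifetime": 3600,
    "p2_proposals": {("AES128", "SHA1"), ("3DES", "MD5")},
    "local_net": "10.1.0.0/16", "remote_net": "10.2.0.0/16",
}
SITE_B = {
    "p1_mode": "MAIN", "p1_auth": "PRESHARED", "p1_lifetime": 86400,
    "p1_proposals": {("3DES", "SHA1", 2)},
    "p2_pfs": "GROUP2", "p2_lifetime": 3600,
    "p2_proposals": {("AES256", "SHA1")},
    "local_net": "10.2.0.0/16", "remote_net": "10.1.0.0/16",
}
# The same site B with those two settings corrected.
SITE_B_FIXED = dict(SITE_B, p1_lifetime=28800,
                    p2_proposals={("AES128", "SHA1")})


def sample_report():
    """Mismatches between the two constructed sites."""
    return check_vpn_pair(SITE_A, SITE_B)


if __name__ == "__main__":
    for line in sample_report() or ["no mismatches"]:
        print(line)
```

Proposals are compared as sets because each end may be configured with several and only one has to be accepted by both; scalar settings such as mode, PFS group and lifetimes are compared for equality, which is the strict reading of the checklist.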

Trusted Contributor
ric0
Posts: 65
Registered: ‎05-21-2008

Re: VPN drops every 60 seconds

Is VPN monitoring enabled? If that can't reach the destination, it will take down the VPN.

Also check for packet loss on the outgoing connection.

Check the errors on that interface and try to do a lengthy ping to the remote VPN gateway.

JNCIA-FWV - JNCIA-IDP - Proud JNet Expert shirt owner
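The thread offers two different kinds of cause: a timer (service timeout, SA rekey, VPN monitor interval) or packet loss on the link. The two leave different footprints in the reconnect times the original poster observed from the remote desktop session. The script below is an added example, not from the thread: it takes reconnect timestamps (the log lines and their format are constructed) and reports whether the gaps between drops are a fixed period, which points at a timer, or irregular, which points at loss on the outgoing connection.

```python
"""Timer-driven or link-driven?  Added example, not from the thread.  The
log lines and their format are constructed; the script only needs a
timestamp on each line that records a session reconnect."""
import re
from datetime import datetime
from statistics import median

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*reconnect")

# Constructed sample: drops roughly once a minute, as in the original post.
PERIODIC_LOG = """\
2008-10-21 10:00:02 rdp session reconnect
2008-10-21 10:01:02 rdp session reconnect
2008-10-21 10:02:03 rdp session reconnect
2008-10-21 10:03:02 rdp session reconnect
2008-10-21 10:04:02 rdp session reconnect
"""

# Constructed sample: drops at no fixed interval, as packet loss would give.
IRREGULAR_LOG = """\
2008-10-21 10:00:02 rdp session reconnect
2008-10-21 10:00:41 rdp session reconnect
2008-10-21 10:03:15 rdp session reconnect
2008-10-21 10:03:27 rdp session reconnect
2008-10-21 10:09:50 rdp session reconnect
"""


def parse_reconnect_times(text):
    """Timestamps of the lines that record a reconnect, in file order."""
    times = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times


def gaps_seconds(times):
    """Seconds between consecutive reconnects."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def classify_drops(text, tolerance=0.10):
    """Return (verdict, period).  'periodic' with the median gap in seconds
    when every gap is within `tolerance` of that median (a timer is firing);
    'irregular' with None otherwise; 'insufficient' with fewer than three
    gaps, which is too little to say."""
    gaps = gaps_seconds(parse_reconnect_times(text))
    if len(gaps) < 3:
        return ("insufficient", None)
    med = median(gaps)
    if all(abs(g - med) <= tolerance * med for g in gaps):
        return ("periodic", med)
    return ("irregular", None)


if __name__ == "__main__":
    print("periodic sample :", classify_drops(PERIODIC_LOG))
    print("irregular sample:", classify_drops(IRREGULAR_LOG))
```

A steady period is the thing to chase first: a 60-second value is worth comparing against the service timeout on the custom service object and against the SA lifetimes and VPN-monitor interval on both boxes, while irregular gaps send you to the interface error counters and a long ping to the peer, as suggested above.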
Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: VPN drops every 60 seconds

Hi,

Service objects have several defining properties that tell the firewall how to identify traffic, and these properties can be specified when defining a new service object.

Use the following:

Access Objects | Services and select the relevant object and open the properties sheet as below:

You can then customise the service timeout.

Most likely the lifetime values for the SA/proposals are not the same on both ends. To see these, try:

get ike cookies

The second line shows the SA lifetime, with the nxt_rekey value displaying the time until the next Phase 1 rekey.

get event

You will see if Phase 1 and Phase 2 negotiations have succeeded, and the information displayed includes the peer, the SPI, and key lifetimes.

Regards

Gavrilo


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.