02-26-2009 02:47 AM
02-26-2009 03:00 AM
Hi,
A couple of things:
Check your logs for more information and if possible post the relevant section on here. Check your phase1 and phase2 lifetimes match each end and the one that has got me a couple of times is check the service timeout.
Regards
Gavrilo
02-26-2009 03:07 AM
The odd thing is that the logs don't actually report it going down, but if you leave a remote desktop connection open it reconnects itself every 60 seconds.
Can you tell me where I will find the phase 1 and 2 lifetimes and the service timeout? I'm using WebUI.
02-26-2009 03:45 AM
Hi,
I don't have a great deal of time free at the moment and don't use WebUI so will have to find some suitable screen shots from the web. I will try to get back to this later today once I have cleared some other work but take a look at the stuff below which should help:
The most important thing to remember is that both ends of the VPN have to share the same encryption settings. The following is a list of which VPN settings must be set the same on both ends of the tunnel. These settings are for both route-based and policy-based VPNs.
■ Phase 1 key management protocol—for example, IKE
■ Phase 1 encryption algorithm to encrypt the key—for example, DES, 3DES, AES, or CAST
■ Phase 1 hash/authentication algorithm—for example, SHA1 or MD5
■ Phase 1 authentication—for example, PRE-SHARED SECRET or CERTIFICATE
■ Phase 1 mode—for example, MAIN or AGGRESSIVE
■ Phase 2 encryption algorithm to encrypt the data—for example, DES, 3DES, AES, or CAST
■ Phase 2 hash/authentication algorithm—for example, SHA1 or MD5
■ Phase 2 Perfect Forward Secrecy—for example, YES-GROUP1, YES-GROUP2, YES-GROUP5, or NO
■ Outgoing interface of the VPN tunnel
■ Encryption domain
The Event log contains VPN events. When troubleshooting a VPN on a Juniper firewall, keep an eye on the Event log for PKI (public-key infrastructure) events. The following debug commands can be useful during troubleshooting Phase 1 issues:
■ get ike cookie This will display all completed Phase 1 negotiations.
■ debug flow basic This will enable debugging.
■ debug ike This will enable detailed VPN debug logs with an emphasis on phase 1 of the communication.
■ debug sa This will turn on a debug with an emphasis on phase 2 of the VPN setup.
■ clear ike This will force a VPN tunnel to renegotiate. It will clear Phase 1 and Phase 2 for the specified tunnel.
Troubleshooting commands useful for Phase 2 issues are shown next:
■ get sa active This will display all completed Phase 2 negotiations.
■ unset ike policy-checking This will tell the firewall to ignore the policy and allow all routed traffic through the VPN.
Policy Based VPN
The following are some common issues regarding policy-based VPNs:
■ Policies are in the wrong order. Remember the rule base is parsed from top to bottom.
■ Missing a rule in the other direction. VPN policies require a rule to allow inbound as well as outbound traffic.
■ Wrong VPN tunnel is selected. Double-check the address book entries and the VPN tunnel selected.
■ Policy is in the wrong zone. Make sure the traffic going into the VPN is allowed by a policy.
Regards
Gavrilo
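As an added example (not from the post above or from Juniper), the following Python model checks the list of must-match settings mechanically: each side holds its ordered Phase 1 and Phase 2 proposals, the responder accepts the first of the initiator's offers it also holds (as IKEv1 does), and when nothing matches the attributes that differ are reported. The data classes, function names and sample values are constructed.

```python
"""Constructed checker: compare IKE Phase 1 / IPsec Phase 2 proposals at both tunnel ends."""
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    encryption: str   # "des", "3des", "aes128", ...
    hash: str         # "sha1" or "md5"
    group: str        # Phase 1: DH group; Phase 2: PFS group, "none" = no PFS
    lifetime: int     # seconds; the post says lifetimes must match at both ends
    auth: str = ""    # Phase 1 only: "preshare" or "rsa-sig"
    mode: str = ""    # Phase 1 only: "main" or "aggressive"

Mismatch = Tuple[str, object, object]

def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Tuple[Optional[Proposal], List[Mismatch]]:
    """Walk the initiator's proposals in order and accept the first one the responder
    also offers. If none match, list the attributes that differ between the two sides'
    first-preference proposals so the admin knows what to fix."""
    for offer in initiator:
        if offer in responder:
            return offer, []
    a, b = asdict(initiator[0]), asdict(responder[0])
    return None, [(k, a[k], b[k]) for k in a if a[k] != b[k]]

def check_tunnel(site_a: dict, site_b: dict) -> dict:
    """Run both phases plus the encryption domain (the two protected subnets,
    which both ends must agree on) and return one finding per item."""
    report = {}
    for phase in ("phase1", "phase2"):
        chosen, diffs = negotiate(site_a[phase], site_b[phase])
        report[phase] = "ok" if chosen else "mismatch: " + ", ".join(
            f"{k} {x}!={y}" for k, x, y in diffs)
    same_domain = site_a["encryption_domain"] == site_b["encryption_domain"]
    report["encryption_domain"] = "ok" if same_domain else "mismatch"
    return report

# Constructed sample: Phase 1 lifetimes differ (a classic cause of periodic drops),
# Phase 2 agrees on the second of site A's proposals.
SITE_A = {"phase1": [Proposal("3des", "sha1", "group2", 28800, "preshare", "main")],
          "phase2": [Proposal("aes128", "sha1", "group2", 3600),
                     Proposal("3des", "sha1", "group2", 3600)],
          "encryption_domain": frozenset({"10.1.0.0/24", "10.2.0.0/16"})}
SITE_B = {"phase1": [Proposal("3des", "sha1", "group2", 86400, "preshare", "main")],
          "phase2": [Proposal("3des", "sha1", "group2", 3600)],
          "encryption_domain": frozenset({"10.1.0.0/24", "10.2.0.0/16"})}

if __name__ == "__main__":
    for item, finding in check_tunnel(SITE_A, SITE_B).items():
        print(f"{item}: {finding}")
```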
02-27-2009 05:43 AM
Is VPN monitoring enabled? If that can't reach the destination, it will take down the VPN.
Also check for packet loss on the outgoing connection.
Check the errors on that interface and try to do a lengthy ping to the remote VPN gateway.
02-27-2009 06:29 AM
Hi,
Service objects have several defining properties that tell the firewall how to identify traffic and these properties can be specified when defining a new service object.
Use the following:
Access Objects | Services and select the relevant object and open the properties sheet as below:
You can then customise the service timeout.
Most likely the lifetime values for the SA/proposals are not the same on both ends. To see these try:
get ike cookies
The second line shows the SA lifetime with the nxt_rekey value displaying the time until the next Phase 1 rekey.
get event
You will see if Phase 1 and Phase 2 negotiations have succeeded and the information displayed includes the peer, the SPI, and key lifetimes.
Regards
Gavrilo