So here's the setup. We have multiple clients using IPSec tunnels to communicate with the rest of the network. All these tunnels terminate on one box (M series) and the CE config (SRX110/210/240) is exactly the same on all the devices; however, we have one specific CE which just drops the tunnels. Now we have 2 tunnels on each device, one for client traffic and one for monitoring. Sometimes just one drops, sometimes both drop, sometimes they stay up for days, sometimes they drop after a few hours, and a reboot fixes it every time.
So I checked the log and the error I'm getting looks like this:
Mar 13 12:06:22 Roodepoort-SRX110-NO-F kmd: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
I googled "SA Unusable" and found some sites suggesting that the SA gets deleted once new traffic arrives to pass through the tunnel. This makes little to no sense to me because logically, at some point, new traffic will arrive at any tunnel, but why must the SA get deleted?
Proposal: Standard Preshare No-nat
Protocol: esp Auth: hmac-sha1-96
Encryp: 3des-cbc Life: 180 PFS: group 2
Why exactly is this happening? Is it possible that the device is busted? Like I said, the config is the same globally and this is the only site that's not cooperating.
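When a tunnel flaps intermittently like this, the first useful step is to pull every kmd failure out of the syslog and see which VPN fails, how often, and how closely the failures cluster. The following Python script is an added example, not code from the original post or from Juniper; it parses kmd lines in the format quoted above, counts failures per VPN name and error string, and flags VPNs that fail repeatedly inside a short window. The sample log lines are constructed for the example (only the first is the one from the post; the second tunnel name ipsec-vpn-mon003 and the extra timestamps are invented), and the threshold and window values are arbitrary assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: line 1 is the message from the post, the rest are
# invented to show a second tunnel and an unrelated daemon that is ignored.
SAMPLE_LOG = """\
Mar 13 12:06:22 Roodepoort-SRX110-NO-F kmd: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 13 12:09:22 Roodepoort-SRX110-NO-F kmd: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 13 12:09:25 Roodepoort-SRX110-NO-F kmd: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-mon003 Gateway: ike-gate-mon003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 13 12:10:01 Roodepoort-SRX110-NO-F sshd: Accepted password for admin from 10.0.0.5
"""

# Field layout taken from the kmd message in the post: timestamp, host,
# error text, IKE version, VPN, gateway, local and remote IKE endpoints.
KMD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kmd: "
    r"IKE negotiation failed with error: (?P<error>[^.]+)\. "
    r"IKE Version: (?P<ike_version>\d), "
    r"VPN: (?P<vpn>\S+) Gateway: (?P<gateway>[^,]+), "
    r"Local: (?P<local>[^,]+), Remote: (?P<remote>[^,]+)"
)


def parse_kmd_failure(line):
    """Return a dict of fields for a kmd IKE failure line, or None for
    any other syslog line (other daemons, informational kmd messages)."""
    m = KMD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ike_version"] = int(rec["ike_version"])
    # Syslog timestamps carry no year; year 1900 is fine for deltas
    # within one capture that does not cross a year boundary.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def failures_per_vpn(log_text):
    """Count IKE failures keyed by (VPN name, error string)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_kmd_failure(line)
        if rec:
            counts[(rec["vpn"], rec["error"])] += 1
    return counts


def flapping_vpns(log_text, threshold=2, window_seconds=600):
    """Return the set of VPNs with at least `threshold` failures that
    fall inside any `window_seconds` span (assumed tuning values)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_kmd_failure(line)
        if rec:
            times[rec["vpn"]].append(rec["time"])
    flapping = set()
    for vpn, stamps in times.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures.
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                flapping.add(vpn)
                break
    return flapping


if __name__ == "__main__":
    for (vpn, err), n in sorted(failures_per_vpn(SAMPLE_LOG).items()):
        print(f"{vpn}: {n} x '{err}'")
    print("flapping:", sorted(flapping_vpns(SAMPLE_LOG)))
```

Run it against `show log messages` output saved to a file (or piped through `grep kmd`) on both the SRX and the M-series hub; comparing the remote endpoints and error strings from both sides for the same minute is what separates a time or rekey mismatch from a single misbehaving box.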
Check that the time/clock on both ends of the tunnel is correct. Use NTP to the same source.
Can you also post your configs (IPSEC / IKE) from both ends (change the encryption key and IP addresses)?
Are both ends running the same Junos version? What versions are you running? Also, what BIOS version are you running? There was an issue on SRX100 units that required an upgrade due to memory/CPU timings.