SRX Services Gateway

IPSec VPN IKE SA Issues

03-13-2014 03:17 AM

Hi All,

So here's the setup. We have multiple clients using IPSec tunnels to communicate with the rest of the network. All these tunnels terminate on one box (M series) and the CE config (SRX110/210/240) is exactly the same on all the devices; however, we have one specific CE which just drops the tunnels. Now we have 2 tunnels on each device, one for client traffic and one for monitoring. Sometimes just one drops, sometimes both drop, sometimes they stay up for days, sometimes they drop after a few hours, and a reboot fixes it every time.

So I checked the log and the error I'm getting looks like this:

Mar 13 12:06:22  Roodepoort-SRX110-NO-F kmd[1293]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

I googled "SA Unusable" and found some sites suggesting that the SA gets deleted once new traffic arrives to pass through the tunnel. This makes little to no sense to me because logically, at some point, new traffic will arrive at any tunnel, but why must the SA get deleted? 

IKE Settings:

Version: 1
Mode: Main
Proposal: Standard
Preshare
No-nat

IPSec:

Protocol: esp
Auth: hmac-sha1-96
Encryp: 3des-cbc
Life: 180
PFS: group 2

Why exactly is this happening? Is it possible that the device is busted? Like I said, the config is the same globally and this is the only site that's not cooperating. 

Please feel free to request more information.

Regards,
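As an added example (not from this thread and not Juniper's code), here is a small Python parser for kmd "IKE negotiation failed" syslog lines of the shape quoted above. It groups failures per VPN, lists the remote peers seen, computes the time gaps between successive failures, and flags moments when more than one VPN on the same box failed within a short window, which is the "sometimes one drops, sometimes both" pattern the post describes. The regex is an assumption about the line format shown in the post; the extra sample lines (a second VPN called ipsec-vpn-monitor, a later failure, an unrelated sshd line) are constructed for illustration, and only the first sample line is the one from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed layout of the kmd failure line, modelled on the one quoted in the
# post. Other Junos releases may word this differently; adjust if needed.
KMD_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"kmd\[\d+\]:\s+IKE negotiation failed with error:\s+(?P<error>.+?)\.\s+"
    r"IKE Version:\s+(?P<version>\d+),\s+VPN:\s+(?P<vpn>\S+)\s+"
    r"Gateway:\s+(?P<gateway>\S+),\s+Local:\s+(?P<local>\S+),\s+"
    r"Remote:\s+(?P<remote>\S+),"
)

# Constructed sample input. Line 0 is the one from the post; the rest are
# made up to show a second tunnel, a later failure and a non-kmd line.
SAMPLE_LOG = [
    "Mar 13 12:06:22  Roodepoort-SRX110-NO-F kmd[1293]: IKE negotiation failed "
    "with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: "
    "ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, "
    "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Mar 13 12:06:22  Roodepoort-SRX110-NO-F kmd[1293]: IKE negotiation failed "
    "with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-monitor Gateway: "
    "ike-gate-monitor, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, "
    "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Mar 13 15:41:03  Roodepoort-SRX110-NO-F kmd[1293]: IKE negotiation failed "
    "with error: SA unusable. IKE Version: 1, VPN: ipsec-vpn-eoh003 Gateway: "
    "ike-gate-eoh003, Local: 10.203.9.33/500, Remote: 10.203.16.180/500, "
    "Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0",
    "Mar 13 15:41:05  Roodepoort-SRX110-NO-F sshd[2201]: Accepted password for "
    "admin from 10.203.9.1 port 51022 ssh2",
]


def parse_kmd_failure(line, year=2014):
    """Return a dict of fields for a kmd IKE failure line, or None for
    any other line. Syslog timestamps carry no year, so the caller
    supplies one (2014 is the date of the thread)."""
    m = KMD_FAIL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=year)
    return rec


def summarize_failures(lines, year=2014):
    """Per-VPN view: gateway, distinct remote peers, failure count,
    error breakdown and the gaps (seconds) between successive failures."""
    by_vpn = defaultdict(list)
    for line in lines:
        rec = parse_kmd_failure(line, year)
        if rec:
            by_vpn[rec["vpn"]].append(rec)
    summary = {}
    for vpn, recs in by_vpn.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds())
                for a, b in zip(recs, recs[1:])]
        summary[vpn] = {
            "gateway": recs[0]["gateway"],
            "remote_peers": sorted({r["remote"] for r in recs}),
            "count": len(recs),
            "errors": Counter(r["error"] for r in recs),
            "gaps_seconds": gaps,
        }
    return summary


def correlated_failures(lines, window_seconds=60, year=2014):
    """Return (first_time, [vpn names]) for every cluster of failures in
    which more than one VPN failed within window_seconds of each other,
    i.e. the 'both tunnels drop at once' case as opposed to one tunnel."""
    recs = [r for r in (parse_kmd_failure(l, year) for l in lines) if r]
    recs.sort(key=lambda r: r["time"])
    groups = []
    i = 0
    while i < len(recs):
        j = i
        while (j + 1 < len(recs) and
               (recs[j + 1]["time"] - recs[i]["time"]).total_seconds() <= window_seconds):
            j += 1
        vpns = sorted({r["vpn"] for r in recs[i:j + 1]})
        if len(vpns) > 1:
            groups.append((recs[i]["time"], vpns))
        i = j + 1
    return groups


if __name__ == "__main__":
    for vpn, info in summarize_failures(SAMPLE_LOG).items():
        print(vpn, info)
    for when, vpns in correlated_failures(SAMPLE_LOG):
        print("failed together at", when, ":", ", ".join(vpns))
```

Run it against a `show log messages` export (one line per list entry) and look at `gaps_seconds` and `remote_peers`: a gap that keeps landing near a lifetime boundary, or a peer address that changes between failures, narrows the problem down much faster than rebooting and waiting.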


Re: IPSec VPN IKE SA Issues

03-14-2014 01:09 AM

Hi

Check that the time/clock on both ends of the tunnel are correct. Use NTP to the same source.

Can you also post your configs (IPSEC / IKE) from both ends (change the encryption key and IP addresses)?

Are both ends running the same Junos version? What versions are you running? Also, what BIOS version are you running? There was an issue on SRX100 units that required an upgrade due to memory/cpu timings.


Re: IPSec VPN IKE SA Issues

03-25-2014 04:47 AM

Hi,

Can you please elaborate more or point to a KB or PR regarding the memory/cpu timing issue on SRX100?

Regards,

Wojciech


Re: IPSec VPN IKE SA Issues

03-25-2014 05:00 AM

The memory timing issue is on the new H2 devices.

More info here: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR923364&smlogin=true


Re: IPSec VPN IKE SA Issues

03-25-2014 05:02 AM

Make sure your devices allow the ike host inbound service on the untrust interface.

Post your configs.